Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows DRM-Protected Files Used To Decloak Tor Browser Users (bleepingcomputer.com)

Posted by BeauHD on from the coordinates-on-a-map dept.

An anonymous reader writes from a report via BleepingComputer: Downloading and trying to open Windows DRM-protected multimedia files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned. On Windows, multimedia files encoded with special Microsoft SDK will automatically open an IE window and access a URL to check the file's license. Since this request is sent outside of the Tor Browser and without user interaction, this can be used to ping law enforcement servers and detect the user's real IP address and other details. For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user would try to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency. The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more. A video of the attack is available here.

30 of 150 comments (clear)

  1. Umm... just WMVs? by speedplane · · Score: 3, Interesting

    So opening an WMV in windows media and phone-home to a server... couldn't the same be done with Adobe reader and PDFs? Or with countless pieces of software out there?

    --
    Fast Federal Court and I.T.C. updates
    1. Re:Umm... just WMVs? by infolation · · Score: 2

      This is why the hapless Windows-using would-be criminal should be using something more idiot-resistant, not Windows and the Tor browser. Like Tails for example. That way the hapless offender's DRM-infested movie files, PDFs etc can be forced to phone-home through the Tor network. If the criminal is too hapless to evade law-enforcement, it's caveat emptor.

    2. Re:Umm... just WMVs? by Gadget_Guy · · Score: 4, Informative

      The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.

    3. Re:Umm... just WMVs? by Gadget_Guy · · Score: 4, Informative

      And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.

      If you run "Windows Firewall with Advanced Security" it shows absolutely everything. I have yet to find anything that bypasses the firewall. Even Windows 10's agressive updates don't work if you block by default, although I have no evidence of the telemetry one way or the other.

      That said, if you have an application that runs with elevated security then it can add its own firewall rules. The way around that is to create a special user that just for editing the firewall entries, grant it access to the registry setting and revoke administrator rights. That's only required if you are paranoid though, or if you have a specific requirement. I did this to stop Steam from constantly creating firewall entries for itself and all games. I needed to lock it down to only work over my local connection to prevent it from downloading via my work when I set up a VPN to access the servers.

    4. Re:Umm... just WMVs? by Burz · · Score: 2, Informative

      Better still is Whonix (VM isolation for both Tor and Torbrowser). TAILS may have a fancy configuration to attempt leak prevention, but privilege escalation attacks are a dime a dozen on Linux.

    5. Re:Umm... just WMVs? by AmiMoJo · · Score: 2

      Whonix runs in a VM on top of a host OS. VM escape flaws are a thing, and if malicious code gets out of the VM then it's running on your host OS. I guess you could have a dedicated host OS with nothing on it. Anyway, running code in a VM is not without risk.

      Booting Tails directly on the machine has a few advantages. Nothing saved to disk, no evidence you even ran it.

      Neither system is perfect and both have their advantages.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Umm... just WMVs? by sudon't · · Score: 4, Insightful

      The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.

      And avoid both DRM and Windows like the plague, even if you're not doing something that would get you in trouble with your government.

      --
      -- sudon't

      Air-ride Equipped

    7. Re: Umm... just WMVs? by allo · · Score: 2

      tails in a vm would have prevented this.

      tails is about disallowing non-tor connections for the primary user.

    8. Re: Umm... just WMVs? by pr0nbot · · Score: 3, Insightful

      Does it also prevent a user process from knowing the real IP address? (I genuinely don't know.) If it didn't, then I suppose the phone-home mechanism would just query the IP and transmit it as data.

  2. Any DRM that phones home will do that by Crashmarik · · Score: 2

    Of course that means the FBI has be able to host the files on the server, and has to have sufficient control to deliver a uniquely keyed file to the users they wish to target. Sort of implies you have hit a honeypot if they get you with that.

    1. Re:Any DRM that phones home will do that by Crashmarik · · Score: 2

      I don't know that I am comfortable with that. Should everyone who bought a copy of the Anarchist's cookbook expect a higher level of surveillance ?

  3. Quick Workaround by gavron · · Score: 4, Interesting

    1. Determine which TOR-nodes you're talking to. (Netstat or Ethereal)
    2. Remove default route through your ISPs router
    3. Add specific routes to the /32s the TOR-nodes are on through the ISP router

    Traffic routed through TOR will work fine.
    Traffic going outside of TOR will fail except for the local network (your home or office LAN).

    E

    1. Re:Quick Workaround by fluffernutter · · Score: 3, Funny

      You forgot

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  4. It's always the pedos by Anonymous Coward · · Score: 3, Insightful

    So tired of these stories making reference to pedos. Sure they exist, but every time the govt is caught spying, the media trots out the pedophiles to justify it. Not everyone who views "questionable" content is a crook. I've read plenty of articles, and watched plenty of videos, on how to make bombs and explosives, yet have never actually made one. Nor do I ever plan to do so. Forbidden knowledge and all that.....

  5. Re:Not Tor Problems! by jonwil · · Score: 3, Interesting

    They aren't using it to watch entertainment videos. They are going to underground web sites (child porn, drugs, weapons etc) and being tricked into viewing a video put there by law enforcement that is designed to phone home in this way.

  6. Re:Quicker workaround by Anonymous Coward · · Score: 2, Informative

    stop using IE (physically break it)
    stop using windows
    stop using .asf .wma .wmv files. seriously these formats should be erased from existence!!!
    deny all media players access to the web. seriously no video or music HAS to have access to the internet unless it has drm shit. and you should NEVEr buy drmed music or videos. if you want lyrics, open your browser.

  7. It's right there in the FAQ:Don't torrent over Tor by maggotbrain_777 · · Score: 3, Informative

    This is kind of no-brainer since it says, right in the Tor Browser FAQ [Section B], not to torrent while using the browser:

    "Don't torrent over Tor
    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that's how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else."

    https://www.torproject.org/download/download.html.en#warning

  8. WMP Settings by Somebody+Is+Using+My · · Score: 2

    The Windows media player - at least through Windows 7 - had an option to "download usage rights automatically when I play or sync a file". I wonder if this "attack" still takes place if this feature is not enabled.

    1. Re:WMP Settings by The-Ixian · · Score: 3, Interesting

      I was thinking the same thing. I always uncheck all those boxes when I launch WMP for the first time.

      Though really, I don't think I have launched WMP in years... why bother when you have VLC?

      VLC is associated with all of the file media file types that Windows knows about so is the DRM laden WMV (or whatever) able to call WMP explicitly when you launch it? I don't think that is how it works. Even if it did, if you have never run WMP before, you will get the first run dialog which has the option you mention plain as day as a checkbox.

      Seems like this tracking mechanism is to catch total morons.

      --
      My eyes reflect the stars and a smile lights up my face.
  9. Missed something important by zugmeister · · Score: 3, Insightful

    For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography.

    Apparently it's no longer even worth noting that representatives of the US government will run a child porn site offering downloads!
    Again.
    Yes, "pretending". So a honeypot without honey. That'll get real far now won't it?

  10. Ask OS makers next? by AHuxley · · Score: 3, Insightful

    Why not just get a list of all this weeks files of interest found on the net. All the files of interest created and shared over a few days.
    Give the checksums to all the big US OS brands to add to their new OS AV efforts.
    Recored every IP that responds to a checksum as part of anti virus spread tracking if the user "allowed" such self reporting to the OS.
    Use the advanced and near instant indexing on most modern OS to report the file when it is opened and have the users OS report that file on the OS brand?
    Remove and replace the checksum list for next week so it will not slow any modern computer down.
    Any advance user could test the file in any way and find no issue.
    A new OS AV update of a few megabytes spread over a few days per week could hold how many new file checksums per week every week?
    The OS would do all the reporting on an average user who trusted the OS brand with AV.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Ask OS makers next? by Anonymous Coward · · Score: 4, Interesting

      Next? There's a high likelihood this is already happening in Windows 10. Every time you open a file, Windows 10 is sending unknown "telemetry" back to the mother ship. Those Windows Defender and Microsoft Security Essentials updates you get every day? They're hash lists. You can bet your ass those lists contain more than just virus signatures, and matches are being recorded somewhere.

  11. Re:I'm ok with this behavior in those use cases by amiga3D · · Score: 3, Informative

    Well if you're up to no good you certainly should learn linux and also get some good info on computer security. Use one computer for fun, youtube, surfing, contacting family and friends, playing games. For anything where security is paramount you should use a hardened system. The more dire the ramifications of a breach the more hardened. Perhaps a CD based OS that is impossible to overwrite the system files. A custom built router with a good open source router OS. Keep all files encrypted on a removable micro-SD card. I'm sure if I was involved in anything like this I'd think of other things to do and avoid. Mostly I'm astounded by how careless people engaged in seriously illegal activity often are.

  12. Re:Not Tor Problems! by amiga3D · · Score: 2

    I have to wonder at the ethics of law enforcement hosting illegal content.

  13. Not so fast... Re:Not Tor Problems! by theshowmecanuck · · Score: 3, Informative

    Vice has an article titled "Countries that Use Tor Most Are Either Highly Repressive or Highly Liberal," that you might want to read.

    "The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network," Jardine writes.

    Bridges had the strongest association with political repression. "Moving from a country like Burkina Faso (political repression equals 8) to a country like Uzbekistan (political repression equals 14) results in an increase of around 212.58 Tor bridge users per 100,000 Internet users per year," the paper reads.

    If that were the only reason to use Tor you would be absolutely right. But my understanding is that Tor is also used (used more in fact) in countries where the governments will throw you in jail or kill you for the only reason of trying to exercise free speech. Those governments can employ the same tactics to find and jail political dissenters. And that would be a shame. It would be nice to be able to figure out the wheat from the chaff. But there are many governments that I wouldn't want making that determination, including the one being lead by the latest POTUS. In fact Tor might become a necessity for free speech in the USA soon.

    --
    -- I ignore anonymous replies to my comments and postings.
  14. Re:I'm ok with this behavior in those use cases by Anonymous Coward · · Score: 5, Interesting

    "First they came for the kiddy fiddlers, and no one objected..." Then a month from now, the FBI is ordered to embed these bugs in videos of services at mosques, and videos of anti-Trump protests, and videos of CNN interviews, and seed them all around the internet to build The Bigly List of Brown People and Dissenters.

    In the Bush era, I would have laughed this off as a slippery slope argument. In present times, knowing what Snowden has taught us and watching the current political climate, I don't see it as a laughing matter.

  15. Opsec by Orgasmatron · · Score: 3, Insightful

    If you require perfect opsec all the time, you are doomed eventually.

    Also, who the hell does this? The only sane way to use TOR for something dangerous is on a machine that has never and will never be connected to the internet directly or through NAT. And that computer's only network jack should be plugged into a disposable router running a bootable live system that does all-TOR all-day.

    In other words, even if the client computer is trying to turn you in, which it is, it shouldn't know anything other than the reserved/private IP that your router gives it and the IP or onion address your browser is visiting.

    --
    See that "Preview" button?
  16. Hosting Illegal Child Pornography is ILLEGAL by The_Dougster · · Score: 3

    Law enforcement should be not allowed to host child porn, even if it is trapped. It is clearly entrapment. IMO this is clearly a serious breach of the laws. If the material is illegal, then law enforcement should not be allowed to present it to the public. It presents a danger to the casual web surfer that is artificially implanted. The material is illegal. Period. No honeypots should be allowed.

    --
    Clickety Click ...
  17. Re:Quicker workaround by Burz · · Score: 2

    install Linux. Heck, in a VM if you're lazy.

    In a VM if you're smart.... https://www.qubes-os.org/

  18. Re:Quicker workaround by cdrudge · · Score: 2

    If all else fails you could try obeying the law.

    From the summary:
    "target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos"

    Last I checked, merely viewing propaganda videos, product demos, or news videos is not illegal. At least not yet.