Silk Road site’s CAPTCHA led FBI to main servers

The undoing of the dark-web drugs bazaar, Silk Road, was a misconfigured security feature on the site that was meant to prevent bots from signing up, according to the FBI.

Prosecutors handling the case against Ross Ulbricht — who the FBI alleges is Dread Pirate Roberts (DPR) and the mastermind of the dark-web drug bazaar Silk Road — have poured cold water on theories that the NSA helped the FBI uncover the location of Silk Road’s main server in Iceland.

As first reported on Saturday, a filing by Ulbricht’s prosecutors on Friday claims the FBI discovered the location of the site’s main servers due to a weakness in the Silk Road’s encrypted armour. That weakness, according to the FBI, was a misconfigured CAPTCHA service — the blurry text challenge presented during sign-up, which is designed to weed out bots from real people.

Individuals can use The Onion Router (Tor) network, typically through the Tor browser, to anonymise their activity on the web. Website admins can also use Tor network “hidden services” to conceal a website’s real IP address. Site visitors with the Tor browser can access the site through its Tor “.onion” address, which can maintain anonymity for both parties. But that holds only on the assumption that the site is configured correctly.

The FBI shut Silk Road down in October 2013 and arrested Ulbricht shortly afterwards in San Francisco. At the time, the FBI detailed the errors Ulbricht had made which it claimed allowed it to link his identity to DPR, but a question that remained unanswered was exactly how the FBI accessed the site’s main servers.

Prosecutors on Friday answered how the FBI located the site’s main server in a declaration from Christopher Tarbell, the computer forensics expert and agent of the FBI’s CY-2 unit who led the investigation into Silk Road. According to the declaration, the weak link was Silk Road’s login page, which contained a CAPTCHA feature that pulled an image from the open web and thereby leaked Silk Road’s real IP address. The address turned out to belong to a server located in Iceland.

“The IP address leak we discovered came from the Silk Road user login interface. As noted in the Complaint, any Internet user could access the Silk Road website using free, publicly available “Tor browser” software,” Tarbell said.

“Upon typing in the address of the site (known as a “.onion” address) into the browser, the user would be directed to Silk Road’s user login interface, which consisted of a black screen containing a prompt for a username and password, as well as a “CAPTCHA” prompt, requiring the user to type in certain letters and numbers displayed in a distorted manner on the screen, in order to prove that the user was a human and not an automated computer script.”

Ulbricht previously attempted to dismiss the charges and evidence on the basis that the FBI was tipped off by the NSA in a way that violated his Fourth Amendment rights. Tarbell denied he had a backdoor to the Silk Road site.

“In or about early June 2013, another member of CY-2 and I closely examined the traffic data being sent from the Silk Road website when we entered responses to the prompts contained in the Silk Road login interface,” said Tarbell in the declaration.

Rather than using a “back door” to the site, Tarbell and co “simply were interacting with the website’s user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface.”

“When we did so, the website sent back data to the computer we were using – specifically, the Silk Road homepage, when we used valid login credentials for undercover accounts we had on the site, or an error message, when we used any username, password, or CAPTCHA entry that was invalid,” said Tarbell.

Tarbell said he noticed that some data was being sent to an IP address outside of the Tor network, explaining that when he typed that IP address into an ordinary browser, Silk Road’s CAPTCHA prompt appeared.

“Based on my training and experience, this indicated that the [server’s] IP Address was the IP address of the [Silk Road] Server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor,” according to Tarbell.
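The misconfiguration Tarbell describes above, a login page that makes the visitor’s browser fetch a resource from the server’s real address rather than over the Tor circuit, is something an operator can check for before a hidden service goes live. The following is an added example, not code from the article, from the FBI declaration or from Silk Road: it parses the HTML a hidden service serves and flags every resource reference (image, script, stylesheet, frame or form target) that points at a clearnet host or a raw IP address. The HTML sample, the `.onion` hostname, `cdn.example.net` and the address `203.0.113.7` are all constructed for the example.

```python
"""Added example: audit a hidden service's HTML for resources that would be
fetched outside Tor. Not code from the article or the FBI declaration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Tag/attribute pairs that cause a browser to issue a fetch when the page loads.
FETCH_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "form": ("action",),
}

# Constructed sample of a login page. The second <img> and the <script> reference
# clearnet locations; the <link> stays on the (made-up) .onion host.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <img src="/captcha/image?id=42">
  <img src="http://203.0.113.7/captcha/image?id=42">
  <script src="https://cdn.example.net/captcha.js"></script>
  <link rel="stylesheet" href="http://exampleonionaddr.onion/style.css">
</form>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects every (tag, url) pair the browser would fetch for this page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value))


def classify(url, service_host):
    """Return 'relative', 'onion', 'clearnet-ip' or 'clearnet-host' for a reference."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "relative"  # same origin: served back over the Tor circuit
    host = parts.hostname or ""
    if host == service_host or host.endswith(".onion"):
        return "onion"
    try:
        ipaddress.ip_address(host)
        return "clearnet-ip"  # a raw IP in the page: the leak described in the article
    except ValueError:
        return "clearnet-host"


def find_leaks(html, service_host):
    """Return [(tag, url, kind)] for every reference that leaves the Tor network."""
    collector = ResourceCollector()
    collector.feed(html)
    leaks = []
    for tag, url in collector.refs:
        kind = classify(url, service_host)
        if kind.startswith("clearnet"):
            leaks.append((tag, url, kind))
    return leaks


if __name__ == "__main__":
    for tag, url, kind in find_leaks(SAMPLE_LOGIN_PAGE, "exampleonionaddr.onion"):
        print(f"{kind:14} <{tag}> {url}")
```

Run against a page fetched from the service’s `.onion` address, the script reports the two constructed clearnet references and ignores the relative and `.onion` ones. It only sees what is embedded in the HTML; a server-side component that itself opens outbound connections (an application calling an external CAPTCHA or image service, for instance) would not appear here, so the complementary check is at the host level: confirm that nothing on the machine other than the Tor daemon is permitted to make outbound connections.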

Anyone closely following the case may notice the dates given by Tarbell jar with those reported in Icelandic media last October, which quoted Reykjavik Metropolitan Police stating that they had, since May 2013, provided assistance to the FBI in its investigation of Silk Road.

According to Tarbell, the “official request” for assistance from Iceland happened on June 12, to obtain subscriber information associated with the Silk Road server, collect routing information and covertly image its contents.

In a footnote, the prosecution offers an explanation for the discrepancy on dates: “the FBI had developed a lead on a different server at the same Data Center in Iceland (“Server-1”), which resulted in an official request for similar assistance with respect to that server on February 28, 2013. See Ex. B. Due to delays in processing the request, Icelandic authorities did not produce traffic data for Server-1 to the FBI until May 2013.”

Ars Technica reported on Friday that Ulbricht’s prosecutors also outlined why the investigation didn’t violate his Fourth Amendment rights, which require that warrants permitting search and seizure are supported by probable cause — and importantly, are executed within US territory.

The Fourth Amendment didn't apply to the Silk Road investigation in Iceland, according to the prosecutor, because the search was conducted by Iceland’s police.

“The Silk Road Server was searched by Icelandic authorities, to whom the Fourth Amendment and its exclusionary rule do not apply in the first instance. While Icelandic authorities conducted the search at the request of U.S. law enforcement authorities, that is not enough to render the search subject to Fourth Amendment requirements. And even if it were, a warrant still would not have been required for the search, since the Fourth Amendment’s warrant requirement does not apply extraterritorially. Instead, an extraterritorial search by U.S. law enforcement need only be reasonable, which the search of the SR Server clearly was, given that there was probable cause to believe it was hosting an enormous black market for illegal drugs and other illicit goods and services.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
