Silk Road site’s CAPTCHA led FBI to main servers
- 08 September, 2014 11:44
The un-doing of the dark-web drugs bazaar, Silk Road, was a misconfigured security feature on the site that was meant to prevent bots from signing up, according to the FBI.
Prosecutors handling the case against Ross Ulbricht — who the FBI alleges is Dread Pirate Roberts (DPR) and the mastermind of dark-web drug bazaar, Silk Road — have poured water on theories the NSA helped the FBI uncover the location of Silk Road’s main server in Iceland.
As Krebsonsecurity.com first reported on Saturday, a filing by Ulbricht’s prosecutors on Friday claims the FBI discovered the location of the site’s main servers due to a weakness in the Silk Road’s encrypted armour. That weakness, according to the FBI, was a misconfigured CAPTCHA service — the blurry text challenge presented during sign-up, which is designed to weed out bots from real people.
Individuals can use The Onion Router (Tor) network to anonymise their activity on the web, which can be done by using a Tor browser. Website admins can also use Tor network “hidden services” to conceal a website’s real IP address. Site visitors with the Tor browser can access the site through its Tor “.onion” address, which can maintain anonymity for both parties. But that’s only on the assumption that the site is configured correctly.
The FBI shut Silk Road down in October 2013 and arrested Ulbricht shortly afterwards in San Francisco. At the time, the FBI detailed the errors Ulbricht had made which it claimed allowed it to link his identity to DPR, but a question that remained unanswered was exactly how the FBI accessed the site’s main servers.
Prosecutors on Friday answered how it located the site’s main server in a declaration from Christopher Tarbell, the computer forensics expert and agent of the FBI’s CY-2 unit who led the investigation into Silk Road. According to the declaration, the weak link was Silk Road’s login page, which contained a CAPTCHA feature that pulled an image from the open web that leaked the Silk Road’s real IP address. The address turned out to be from a server located in Iceland.
“The IP address leak we discovered came from the Silk Road user login interface. As noted in the Complaint, any Internet user could access the Silk Road website using free, publicly available “Tor browser” software,” Tarbell said.
“Upon typing in the address of the site (known as a “.onion” address) into the browser, the user would be directed to Silk Road’s user login interface, which consisted of a black screen containing a prompt for a username and password, as well as a “CAPTCHA” prompt, requiring the user to type in certain letters and numbers displayed in a distorted manner on the screen, in order to prove that the user was a human and not an automated computer script.”
Ulbricht previously attempted to dismiss the charges and evidence on the basis that the FBI was tipped off by the NSA in a way that violated his Fourth Amendment rights. Tarbell denied he had a backdoor to the Silk Road site.
“In or about early June 2013, another member of CY-2 and I closely examined the traffic data being sent from the Silk Road website when we entered responses to the prompts contained in the Silk Road login interface,” said Tarbell in the declaration.
Rather than using a “back door” to the site, Tarbell and co “simply were interacting with the website’s user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface.”
“When we did so, the website sent back data to the computer we were using – specifically, the Silk Road homepage, when we used valid login credentials for undercover accounts we had on the site, or an error message, when we used any username, password, or CAPTCHA entry that was invalid,” said Tarbell.
Tarbell said he noticed that some data was being sent to an IP address outside of the Tor network, explaining that when he typed that IP address into an ordinary browser, Silk Road’s CAPTCHA prompt appeared.
“Based on my training and experience, this indicated that the [server’s] IP Address was the IP address of the [Silk Road] Server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor,” according to Tarbell.
Anyone closely following the case may notice the dates given by Tarbell jar with those reported in Icelandic media last October, which quoted Reykjavik Metropolitan Police stating that they had, since May 2013, provided assistance to the FBI in its investigation of Silk Road.
According to Tarbell, the “official request” for assistance from Iceland happened on June 12 to obtain subscriber information associated with the Silk Road server, collect routing information, covertly image its contents.
In a footnote, the prosecution offers an explanation for the discrepancy on dates: “the FBI had developed a lead on a different server at the same Data Center in Iceland (“Server-1”), which resulted in an official request for similar assistance with respect to that server on February 28, 2013. See Ex. B. Due to delays in processing the request, Icelandic authorities did not produce traffic data for Server-1 to the FBI until May 2013.”
Ars Technica reported on Friday that Ulbricht’s prosecutors also outlined why the investigation didn’t violate his Fourth Amendment rights, which require that warrants permitting search and seizure are supported by probable cause — and importantly, are executed within US territory.
The Fourth Amendment didn't apply to the Silk Road investigation in Iceland, according to the prosecutor, because the search was conducted by Iceland’s police.
“The Silk Road Server was searched by Icelandic authorities, to whom the Fourth Amendment and its exclusionary rule do not apply in the first instance. While Icelandic authorities conducted the search at the request of U.S. law enforcement authorities, that is not enough to render the search subject to Fourth Amendment requirements. And even if it were, a warrant still would not have been required for the search, since the Fourth Amendment’s warrant requirement does not apply extraterritorially. Instead, an extraterritorial search by U.S. law enforcement need only be reasonable, which the search of the SR Server clearly was, given that there was probable cause to believe it was hosting an enormous black market for illegal drugs and other illicit goods and services.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.