Tails Flaws Lead to Deanonymization

Wednesday, August 6, 2014 @ 06:08 AM gHale


Tor is not the only organization dealing with deanonymization issues. After vulnerability broker Exodus Intelligence reported flawed components in the Tails operating system that enabled de-anonymization of a client, developers of the I2P networking tool fixed the glitches on their end.

They also disabled some of the advanced configuration options, such as the installation of new plugins. The measure will remain in effect until an additional assessment of the tool wraps up, to make sure there are no loose ends that could compromise the identity of the user.

I2P provides a simple network layer for anonymous communication between applications. All traffic is encrypted end-to-end, relying on four layers of encryption upon sending a message.

The new release, 0.9.14, integrates critical repairs for cross-site-scripting (XSS) and remote execution vulnerabilities privately disclosed to the developers by researchers at Exodus Intelligence.

“The release also contains several bug fixes in i2ptunnel, i2psnark, and other areas, and updates to the latest Jetty, Tomcat, and Wrapper. We’ve also implemented a faster and more secure method for reseeding,” write the developers in the changelog.

The list of security fixes includes disabling the option to change the news feed link from the user interface, as well as the option that allowed setting an unsigned update URL from the UI.

Users also have to upgrade I2P-Bote to build 0.2.10 because the library changes in the network tool break compatibility with the new release. However, this upgrade should start automatically as soon as the router component starts.

I2P sees use in several products, including Tails (The Amnesic Incognito Live System), which can access the web and communicate anonymously.

The updated release of the networking tool has not been added to the operating system, leaving its users vulnerable to deanonymization.

There are certain prerequisites for an attacker to be able to learn the identity of a user. One of them is being able to modify the content of a website the victim visits with Tor Browser; this is not too difficult to achieve, according to the maintainers of Tails.

The second condition is to know the actual vulnerability and how to exploit it. The researchers at Exodus did not disclose any of this information to the public and said they would work with Tails developers to solve the issue.

As temporary mitigations for the de-anonymization risk, they recommend not starting I2P in versions 1.1 and earlier of the operating system. If it is necessary to use the vulnerable I2P, the user should disable JavaScript completely in Tor Browser; the NoScript add-on can help with this.


