What the FBI probably knows about Tor Users

Vlad Tsyrklevich has posted an excellent analysis of the payload delivered by the Tor Browser Bundle exploit.

This payload was served to every Tor Browser Bundle user who visited a Tor Hidden Service hosted by Freedom Hosting, including Tormail. It only ran on vulnerable browsers, though: the exploit targeted the Firefox 17 ESR bug CVE-2013-1690 on Windows, which Tor Browser Bundle had already patched in its most recent release, so users who kept the bundle up to date, or who ran it on another OS, were not affected.

According to Vlad, the exploit sends the hostname and MAC address of the local system to 65.222.202.54 over HTTP, then crashes. The important detail is that this request goes out directly over the network rather than through Tor, so the server at 65.222.202.54 also sees the user's real IP address, which is the one piece of information Tor exists to hide.

So, what can the FBI do with this information?

Well, they now have a record of which machines (real IP address, hostname and MAC address) visited sites on Freedom Hosting, and when.
It is also safe to assume that the FBI now has all emails and logs stored by Tormail.

The Tormail emails can be an excellent data mine without any additional info. Many Tormail users may have revealed sensitive information over Tormail, including their name and home address, especially if they used Tor to order illicit goods or services.

However, the hostname and MAC address can also be useful.
For example, the FBI can use the MAC address to subpoena a computer manufacturer to find out who purchased the computer. They can then use the hostname to verify they have the right person.

For example, let's say the FBI got a hostname of "DOE-PC" and a MAC address matching a Dell laptop.

The FBI contacts Dell with a subpoena: "Did you sell a computer to someone named Doe with MAC address XX:XX:XX:XX:XX:XX?" Dell can send them the transaction information, including home address.

Two caveats apply here. The first three octets of a MAC address (the OUI) identify the vendor of the network interface, which is not always the vendor of the computer, and not every vendor keeps a per-sale record of the MAC addresses it shipped. A MAC address whose locally-administered bit is set (as on most virtual machines, or after software randomization) carries no vendor information at all. Even then, the MAC address and hostname are strong corroboration once a suspect's machine is seized, and hostnames like "DOE-PC" frequently embed the owner's real name.
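The two points above, spotting the callback in your own traffic and working out what a captured MAC address can actually tell you, can be combined into one small triage script. This is an added example written for this page, not code from Vlad's analysis or from the exploit itself. It assumes a constructed key=value proxy-log format (the exploit's real request format is not reproduced here), uses a two-entry excerpt of the IEEE OUI registry in place of the full list, and uses the callback IP 65.222.202.54 from the analysis above.

```python
"""Triage script: find hosts that beaconed to the Freedom Hosting callback IP
and say what their MAC address can tell an investigator.

Added example for this page; the log format and OUI table are constructed."""
import re
from typing import Dict, List, Optional

# Callback address reported in Vlad Tsyrklevich's analysis (from the page).
CALLBACK_IP = "65.222.202.54"

# Two-entry excerpt of the IEEE OUI registry, constructed for this example.
# A real investigation loads the full registry (oui.txt / oui.csv).
OUI_VENDORS: Dict[str, str] = {
    "00:14:22": "Dell Inc.",
    "00:50:56": "VMware, Inc.",
}

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}$")
# Constructed key=value proxy-log format; NOT the exploit's real wire format.
_FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines: three beacons and one unrelated request.
LOG_LINES = [
    "2013-08-04T09:12:33Z src=10.1.1.25 dst=65.222.202.54:80 method=GET host=DOE-PC id=00:14:22:01:23:45",
    "2013-08-04T09:12:41Z src=10.1.1.30 dst=93.184.216.34:80 method=GET host=example.com id=-",
    "2013-08-04T09:13:02Z src=10.1.1.77 dst=65.222.202.54:80 method=GET host=LAB-VM01 id=00:50:56:ab:cd:ef",
    "2013-08-04T09:13:09Z src=10.1.1.90 dst=65.222.202.54:80 method=GET host=WORKSTATION id=02:00:00:aa:bb:cc",
]


def normalize_mac(mac: str) -> str:
    """Return a MAC as lower-case, colon-separated octets; raise on bad input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def classify_mac(mac: str) -> Dict[str, object]:
    """Say what a MAC address can and cannot tell an investigator.

    The first octet carries two IEEE flag bits: 0x01 (group/multicast) and
    0x02 (locally administered). A locally administered address was set by
    software (VM, randomization, spoofing), so its prefix is not a vendor OUI
    and no manufacturer can trace it. Otherwise the first three octets name
    the vendor of the network interface, not necessarily of the computer.
    """
    mac = normalize_mac(mac)
    first = int(mac[:2], 16)
    locally_administered = bool(first & 0x02)
    multicast = bool(first & 0x01)
    vendor: Optional[str] = None
    if not locally_administered:
        vendor = OUI_VENDORS.get(mac[:8])  # None if not in our excerpt
    return {
        "mac": mac,
        "locally_administered": locally_administered,
        "multicast": multicast,
        "vendor": vendor,
    }


def find_beacons(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose destination is the callback IP."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        fields = dict(_FIELD_RE.findall(line))
        dst_host = fields.get("dst", "").split(":")[0]  # strip the :port
        if dst_host != CALLBACK_IP:
            continue
        rec: Dict[str, object] = {
            "src": fields.get("src"),
            "hostname": fields.get("host"),
        }
        raw_mac = fields.get("id", "-")
        if _MAC_RE.match(raw_mac):
            rec.update(classify_mac(raw_mac))
        else:
            rec.update({"mac": None, "locally_administered": None,
                        "multicast": None, "vendor": None})
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(hit)
```

On the constructed lines the script flags the three beacons: DOE-PC has a universally-administered address with a Dell OUI, LAB-VM01 has a VMware OUI (a subpoena to the laptop vendor would go nowhere, because the guest VM's address came from the hypervisor), and WORKSTATION has the locally-administered bit set, so its prefix is not an OUI at all. The real IP address in the src field is what identifies the machine on the network regardless of what the MAC says.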

This is a big win for law enforcement worldwide, and should help to end some of the illegal activities occurring on Tor.


Just remember kiddies, there is no such thing as "private" on the Internet. Not even on Tor.


NOTE: You can review the deobfuscated JavaScript at my Malware Analysis Google Code site: https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
