To hear the FBI tell it, tracking down the secret server behind the billion-dollar drug market known as the Silk Road was as easy as knocking on a door. The bureau’s latest court filing in the case describes how the hidden site accidentally revealed its location to anyone who visited its login page, thanks to a software misconfiguration.
But the technical side of the security community, who have long tracked the dark web’s experiments in evading law enforcement, don’t buy that simple story. They read the FBI’s statement differently: as a carefully worded admission that it didn’t knock on the Silk Road’s door so much as hack its way in.
As the trial of alleged Silk Road creator Ross Ulbricht approaches, his defense has focused on how the government initially discovered the Silk Road’s server in Iceland, in spite of the site using the anonymity software Tor to hide its physical location. In a motion filed last month, the defense argued that discovery may have represented a search without a warrant and an illegal violation of Ulbricht’s privacy. Then on Friday, the prosecution fired back with a memo claiming that the FBI’s investigation had been entirely legal, accompanied by an FBI statement explaining how the server was found.
As bureau agent Christopher Tarbell describes it, he and another agent discovered the Silk Road’s IP address in June of 2013. According to Tarbell’s somewhat cryptic account, the two agents entered “miscellaneous” data into its login page and found that its CAPTCHA—the garbled collection of letters and numbers used to filter out spam bots—was loading from an address not connected to any Tor “node,” the computers that bounce data through the anonymity software’s network to hide its source. Instead, they say that a software misconfiguration meant the CAPTCHA data was coming directly from a data center in Iceland, the true location of the server hosting the Silk Road.
But that account of the discovery alone doesn’t add up, says Runa Sandvik, a privacy researcher who has closely followed the Silk Road and worked for the Tor project at the time of the FBI’s discovery. She says the Silk Road’s CAPTCHA was hosted on the same server as the rest of the Silk Road. And that would mean all of it was accessible only through Tor’s network of obfuscating bounced connections. If some element of the site were accessible through a direct connection, that would represent a significant flaw in Tor itself—a well-funded and frequently audited piece of open source software—not a mere misconfiguration in the Silk Road. “The way [the FBI] describe how they found the real IP address doesn’t make sense to anyone who knows a lot about Tor and how web application security works,” Sandvik says. “There’s definitely something missing here.”
If the IP address of the Silk Road was in fact leaking on its login page, there’s little doubt the flaw would have been quickly spotted by others, says Nik Cubrilovic, an Australian security consultant who has made a hobby of analyzing the Silk Road’s security since just after it launched in 2011. The bitcoin-based market, after all, received millions of visits, fascinated the security community, and represented a tempting target for hackers seeking to steal its cryptocurrency. “The idea that the CAPTCHA was being served from a live IP is unreasonable,” Cubrilovic writes in a blog post. “Were this the case, it would have been noticed not only by me, but the many other people who were also scrutinizing the Silk Road website.”
Moreover, Cubrilovic agrees with Sandvik that a simple leak in a Tor hidden service site isn’t a plausible explanation. “There’s no way you can be connected to a Tor site and see the address of a server that’s not a Tor node,” Cubrilovic said in a followup interview with WIRED. “The way they’re trying to make a jury or a judge believe it happened just doesn’t make sense technically.”
Instead, Cubrilovic and Sandvik both posit that the FBI took a more aggressive step: Actively attacking the Silk Road’s login page to reveal its IP. They speculate that the FBI used a hacker trick that involves entering programming commands into an entry field on a website that’s intended to instead receive data like a username, password, or CAPTCHA response. When that carefully crafted input is interpreted by the site, it can trick the site’s server into running that code as actual commands, forcing it to cough up data that could include the computer’s IP address.
Just a month earlier, Cubrilovic points out, a Reddit user had posted that he or she had found a vulnerability that would allow a similar attack in the Silk Road’s login page. And that early May date matches up with a footnote in the FBI’s statement that mentions an earlier “leak” of the Silk Road’s IP address.
If that were the sort of security vulnerability that the FBI considered “fair game,” Cubrilovic says it could easily have found another such hackable flaw in the site’s login page in June. “If two FBI agents were tasked with investigating this server, it would be simple to find this bug,” he says. “Someone with resources and persistence would discover this in a matter of hours.”
To be clear, all such theories of an FBI hack targeting the Silk Road are still just speculation. And neither Cubrilovic nor Sandvik is accusing the FBI of lying. They argue only that its account of entering “miscellaneous” characters into the site is a carefully cloaked description of injecting commands into the Silk Road’s login fields.
In a statement to WIRED, an FBI spokesperson writes only that “as a U.S. law enforcement agency, the FBI is bound by the U.S. Constitution, relevant laws and U.S. Attorney General guidelines to carry out our investigations. We obtain proper court authority for law enforcement actions through every step of our investigations, the case against Mr. Ulbricht is no different.” The bureau declined to comment further, citing the ongoing judicial process in the case.
But the ambiguities and unanswered questions in the FBI’s account will no doubt serve as ammunition for Ulbricht’s defense as it further presses its case that the Silk Road investigation involved illegal searches. Ulbricht’s defense team, meanwhile, declined to comment.
If the FBI did use a remote code execution technique against the Silk Road without a warrant, it could raise more hairy legal questions for the prosecution. The Computer Fraud and Abuse Act has an exception for valid law enforcement investigations. But whether an active attack of the Silk Road’s login page without a warrant constitutes an illegal search might hinge on exactly what data the FBI gathered from that theoretical hack, says Hanni Fakhoury, an attorney with the Electronic Frontier Foundation. It could also depend on exactly who owned or hosted the server—the FBI’s statement claims that it belonged to a web hosting firm, not Ulbricht himself. “If the government did some intrusive injection of code, the issue will be whether Ulbricht can complain about it,” says Fakhoury. “There are some very interesting Fourth Amendment questions, but it will depend on what exactly he did and the terms of his agreement with the web hosting company.”
If, on the other hand, the FBI did find the Silk Road IP without any hacker tricks, it should produce the evidence to prove it, argues hacker Andrew Auernheimer in a blog post that circulated widely through the security community over the weekend. “It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packetlogs of network traffic which include a protocol as complex as Tor,” Auernheimer writes. “I think the FBI needs to release these in a timely fashion to corroborate their claims here…If the federal government fails to produce them, it is absolutely a matter of evidence destruction.”
In its filing, the prosecution already argued that it shouldn’t be forced to answer a series of questions about the server discovery included in a motion from Ulbricht’s defense, including what agencies and contractors were involved in the investigation and what software tools were used.
“There is…no basis—especially at this late juncture, six months after discovery was originally produced—for Ulbricht to go on a ‘blind and broad fishing expedition’ for proof of some darker, alternative storyline, somehow involving violations of his Fourth Amendment rights, when there isn’t a shred of evidence that any such violations actually happened,” the prosecution’s statement reads.
Given the controversy now swirling around the FBI’s story, don’t expect Ulbricht’s defense to give in so easily.