Secure Linux Distribution Found To Contain A Privacy-Busting Flaw


TAILS Linux, used by Edward Snowden to communicate with journalists, is patching holes in one of its network overlays

The Amnesic Incognito Live System (TAILS), a free Linux distribution with advanced anonymisation features favoured by Edward Snowden, has been found to contain a critical flaw that could compromise the identity of its users.

According to security researchers from Exodus Intelligence, the flaw is present in the Invisible Internet Project (I2P) – an encrypted, distributed network overlay developed by the open source community to keep communications private. They claim that it is possible to trick the software into revealing the IP address of the user.

The I2P software is included in the latest, fully patched version of TAILS, but needs to be switched on to work.

“By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible,” said Exodus on its blog.

Tales of grime and grit

TAILS can be run from a DVD, USB stick or SD card, and was designed to leave no digital footprint on the local machine, which means its users are almost impossible to track.

The current iteration is based around Debian with added OpenPGP encryption and Tor network support. In addition to a preconfigured Firefox browser, Pidgin instant messaging client and Claws Mail client, TAILS includes open source productivity and multimedia applications like OpenOffice, GIMP and Audacity. It also comes with a virtual keyboard as a measure against hardware keyloggers.

The OS has been in development for five years, with version 1.0 released in May. Version 1.1 was released on Tuesday and contained a number of security and stability improvements; however, according to Exodus, the I2P implementation remained vulnerable.

The company claims the vulnerability can be used to send a malicious payload to an I2P address and retrieve the de-anonymised IP address. Interested parties can then attempt to wrest additional user information from the target’s Internet Service Provider.

“Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security,” said Exodus.

A spokesperson for the I2P project told Reuters that the flaw will be fixed in the near future, but TAILS users should temporarily disable JavaScript to avoid identification.

Exodus has been known to sell information about exploits and zero-days to the highest bidder, and the vulnerability in I2P or TAILS would surely interest dozens of paying customers. The company was criticised after revealing the existence of the flaw on Twitter on Monday, without notifying the affected parties. In the end, it promised not to describe the specifics of the exploit until it has been fixed.

“We’re told they won’t disclose these vulnerabilities publicly before we have corrected it, and Tails users have had a chance to upgrade. We think that this is the right process to responsibly disclose vulnerabilities, and we’re really looking forward to read this report,” said a spokesman for TAILS.

“We are happy about every contribution which protects our users further from de-anonymization and helps them to protect their private data, investigations, and their lives.”

Earlier this week, organisers of the Black Hat security conference cancelled a keynote which was apparently due to reveal how to identify users of the Tor network, which is supposed to keep people anonymous, after receiving a complaint from Carnegie Mellon University.

A spokeswoman for the University said the researchers did not receive permission to publish the materials developed at the government-funded Software Engineering Institute (SEI).

Tor Project leader Roger Dingledine said the organisation had “a handle on what they did, and how to fix it.”

“It sure would have been smoother if they’d opted to tell us everything,” he added.
