Secure Linux Distribution Found To Contain A Privacy-Busting Flaw

The Amnesic Incognito Live System (TAILS), a free Linux distribution with advanced anonymisation features favoured by Edward Snowden, has been found to contain a critical flaw that could compromise the identity of its users.

According to security researchers from Exodus Intelligence, the flaw is present in the Invisible Internet Project (I2P) – an encrypted, distributed network overlay developed by the open source community to keep communications private. They claim that it is possible to trick the software into revealing the IP address of the user.

The I2P software is included in the latest, fully patched version of TAILS, but needs to be switched on to work.

“By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible,” said Exodus on its blog.

Tales of grime and grit

TAILS can be run from a DVD, USB stick or SD card, and was designed to leave no digital footprint on the local machine, which means its users are almost impossible to track.

The current iteration is based around Debian with added OpenPGP encryption and Tor network support. In addition to a preconfigured Firefox browser, Pidgin instant messaging client and Claws Mail client, TAILS includes open source productivity and multimedia applications like OpenOffice, GIMP and Audacity. It also comes with a virtual keyboard as a measure against hardware keyloggers.

The OS has been in development for five years, with version 1.0 released in May. Version 1.1 was released on Tuesday and contained a number of security and stability improvements; however, according to Exodus, the I2P implementation remained vulnerable.

The company claims the vulnerability can be used to send a malicious payload to an I2P address and retrieve the de-anonymised IP address. Interested parties can then attempt to wrest additional user information from the target’s Internet Service Provider.

“Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security,” said Exodus.

A spokesperson for the I2P project told Reuters that the flaw will be fixed in the near future, but TAILS users should temporarily disable JavaScript to avoid identification.

Exodus has been known to sell information about exploits and zero-days to the highest bidder, and the vulnerability in I2P or TAILS would surely interest dozens of paying customers. The company was criticised after revealing the existence of the flaw on Twitter on Monday, without notifying the affected parties. In the end, it promised not to describe the specifics of the exploit until it has been fixed.

“We’re told they won’t disclose these vulnerabilities publicly before we have corrected it, and Tails users have had a chance to upgrade. We think that this is the right process to responsibly disclose vulnerabilities, and we’re really looking forward to reading this report,” said a spokesman for TAILS.

“We are happy about every contribution which protects our users further from de-anonymization and helps them to protect their private data, investigations, and their lives.”

Earlier this week, organisers of the Black Hat security conference cancelled a keynote which was apparently due to reveal how to identify users of the Tor network, which is supposed to keep people anonymous, after receiving a complaint from Carnegie Mellon University.

A spokeswoman for the University said the researchers did not receive permission to publish the materials developed at the government-funded Software Engineering Institute (SEI).

Tor Project leader Roger Dingledine said the organisation had “a handle on what they did, and how to fix it.”

“It sure would have been smoother if they’d opted to tell us everything,” he added.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
