Exodus Intelligence has revealed what it claims is video evidence of researchers unmasking an anonymous user of the Tails operating system.
The security bods claim they can upload malicious code to a system running Tails, execute the payload remotely, and ultimately discover the victim's public IP address.
Tails is a fork of Debian Linux that tries to protect your privacy online, and is recommended by NSA leaker Edward Snowden and his pals. Exodus, meanwhile, flogs details of software vulnerabilities for which no patches exist, typically selling the info to the feds.
Footage of what's described as an attack on a Tails system by Exodus can be found here.
The problem lies in the I2P network layer that Tails uses to hide the user's public IP address from websites and other servers in an attempt to keep him or her anonymous on the web. The Exodus team has found a zero-day flaw in the way I2P handles network traffic, a flaw that's exploited using a specially configured server.
This hole could allow someone to be tracked down and ultimately identified, unless the user has taken all steps necessary to disassociate their public network address from their real-world identity.
That in itself is headache enough, but the problem is worse than that, it seems: the unmasking, we're told, is achieved by transferring a payload of code to an I2P user, and then executing it to cause merry hell.
"I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage," Exodus explained in a blog post revealing the vid.
"The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work."
The security biz has promised more technical details on the hack once it has finished working with the Tails and I2P coders to get the bug fixed – and won't be charging any fees for disclosing the flaw. The vulnerability exploited in the video is present in the latest Tails 1.1 build, dated July 22, we're told. More bugs will also be disclosed at a later date.
"We hope to break the mold of unconditional trust in a platform. Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security," Exodus added on its website.
"It’s not enough to have faith upon security, rather to have an understanding of it. If the public thinks Exodus is one of a few entities finding bugs in software, they are grossly misinformed."
The news will be of concern to the invisible.im project, which is trying to build a secure and anonymous messaging system. Invisible.im, which is still in early stages of development and not yet available for download, is set to use I2P.
And today's video comes just days after a Black Hat presentation on how to de-anonymize Tor users with just $3,000 of kit was pulled by lawyers.