The critical zero-day security flaws discovered by researchers at Exodus Intelligence in Tails, the privacy- and security-focused Linux-based operating system, which could help attackers or law enforcement de-anonymize users, actually lie in the I2P software bundled with the operating system.
Exodus Intelligence has released some details and video evidence demonstrating an exploit against the vulnerability that unmasks an anonymous user of the Tails operating system.
The Exodus researchers claim they can use the vulnerability to upload malicious code to a system running Tails, execute the payload remotely, and de-anonymize the targeted user's public IP address as well.
Tails is a security-focused, Debian-based Linux distribution and suite of applications that can be carried on a USB stick, an SD card or a DVD. It keeps users' communications private by routing all connectivity through Tor, the network that passes traffic through several layers of servers and encrypts the data.
Meanwhile, Exodus claimed that the privacy-oriented operating system has a number of flaws for which no patches are available. The company itself sells zero-day exploits to its clients, including US agencies and DARPA.
In this case, however, Exodus alerted both I2P and Tails to the problem and said it would not disclose the details to users until the problem has been fixed.
Providing details of the flaw, the company says the actual problem lies in the heavily encrypted networking program called the Invisible Internet Project (I2P), the network layer that Tails uses to hide the user's public IP address from other websites and servers in order to keep the user anonymous on the web.
The researchers claim to have found a zero-day vulnerability in the way I2P handles network traffic that can be exploited with the help of a specially configured server.
Even after a user has taken all the steps necessary to dissociate his or her public IP address from the outside world, the flaw could allow an attacker to track down the user's identity. But the problem doesn't end there: the worst part is that de-anonymization is achieved by transferring a code payload to an I2P user and then executing it remotely, which could cause massive damage.
"I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage," Exodus explained in a blog post revealing the flaw. "The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work."
The Exodus Intelligence security researchers will release more technical details on the hack once the bug is fixed. Exodus Intelligence is working with the Tails and I2P developers to get a patch out soon, and after that it won't charge any fees for disclosing the flaw, along with more bugs.
"We hope to break the mold of unconditional trust in a platform. Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security," reads the blog post.
"It's not enough to have faith upon security, rather to have an understanding of it. If the public thinks Exodus is one of a few entities finding bugs in software, they are grossly misinformed."
So far, the number of affected Tails users is not known. The video demonstration of an attack on a Tails system by Exodus can be found here.
This revelation must be of great concern to Invisible.im, an anonymous Instant Messenger (IM) that offers a secure and anonymous service, is still in its early stages of development and not yet available for download, and is looking to use the same I2P anonymity network.