Feature #7072: Research potential for deanonymization by a compromised "amnesia" user

Feature #7072

Research potential for deanonymization by a compromised "amnesia" user

Added by intrigeri 2014-04-12 07:49:02 . Updated 2018-06-10 17:16:29 .

Status:

Confirmed

Priority:

Elevated

Assignee:

jvoisin

Category:

Target version:

Start date:

2018-06-04

Due date:

% Done:

Feature Branch:

Type of work:

Security Audit

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

We already deny access to the Tor control port from the “amnesia” user. Still, there are possibly other ways, for a compromised “amnesia” user, to deanonymize the Tails user, e.g.:

taking control of Vidalia (that is running as a dedicated user, but inside a X session controlled by the “amnesia” one), and using its access to the Tor control port; e.g. a selection of bridges picked by the attacker is probably enough to deanonymize the user.
using NetworkManager, e.g. to get a list of Wi-Fi access points around
more?

Subtasks

Bug #15635: The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction

Confirmed

Related issues

Related to Tails - Feature #6549: Prevent MAC address leak for non-root users	Confirmed	2013-12-29
Related to Tails - ~~Bug #9366~~: Is user separation enough to hide Tor state from Vidalia?	Resolved	2015-05-09
Has duplicate Tails - ~~Feature #5505~~: investigate deanonymization potential by the desktop user	Duplicate

History

#1 Updated by intrigeri 2014-04-17 10:30:13

Description updated
Priority changed from Normal to Elevated

#2 Updated by intrigeri 2014-04-17 10:30:30

has duplicate ~~Feature #5505~~: investigate deanonymization potential by the desktop user added

#3 Updated by intrigeri 2014-06-21 14:05:08

related to Feature #6549: Prevent MAC address leak for non-root users added

#4 Updated by sajolida 2014-11-05 11:28:39

Target version set to Hardening_M1

#5 Updated by intrigeri 2015-05-14 10:20:07

related to ~~Bug #9366~~: Is user separation enough to hide Tor state from Vidalia? added

#6 Updated by sajolida 2015-08-14 12:05:50

Assignee set to jvoisin

#7 Updated by sajolida 2015-09-10 11:59:24

Target version changed from Hardening_M1 to 2016

#8 Updated by flapflap 2015-12-29 14:55:09

A compromised amnesia user can execute /sbin/ifconfig or netstat -ie and gets the current IP and MAC addresses.

#9 Updated by Dr_Whax 2016-08-20 13:12:18

Target version changed from 2016 to 2017

#10 Updated by intrigeri 2016-08-27 10:50:52

jvoisin: during the roadmap discussion at the summit, we did not know what was your take on it. If you’re still up to working on it e.g. in 2017, we can keep it on our roadmap. Otherwise, just let me know and I’ll kick it out of the roadmap.

#11 Updated by BitingBird 2017-08-28 20:12:23

Target version deleted (~~2017~~)

#12 Updated by BitingBird 2017-08-28 20:13:04

Type of work changed from Research to Security Audit

#13 Updated by BitingBird 2017-08-28 20:13:47

Target version set to 2018

#14 Updated by intrigeri 2017-09-28 12:11:44

Target version deleted (~~2018~~)

(as per updated roadmap)

#15 Updated by cypherpunks 2018-06-04 04:14:06

I opened Bug #15635 with a PoC utilizing X11 and the Unsafe Browser. I also think there’s a rather big risk to allowing unrestricted access to RFC 1918 (local) addresses, since router vulnerabilities that require an attacker positioned on the LAN are absolutely ubiquitous and access to the router itself can fully deanonymize a Tails user.

#16 Updated by intrigeri 2018-06-10 17:05:32

related to Bug #15635: The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction added