
US DoD funds Carnegie Mellon project to hack Tor

Researchers at Carnegie Mellon University (CMU) were behind an attack on Tor that was used to identify cyber-criminals, according to claims by the Tor project.

According to Gizmodo, researchers from CMU's Software Engineering Institute (SEI) used a vulnerability in Tor software to find the true IP addresses of some users. The work was a project funded by the US Department of Defence (DoD), carried out in 2014 as a month-long attack to collect information.

The FBI subpoenaed the university to hand over any information in connection with the criminal case after discovering that CMU carried out the attack. Tor director Roger Dingledine wrote a post that said CMU was paid $1 million (£717K) by the FBI to perform the hack, although this claim was never substantiated.

The hack did lead to the prosecution of Silk Road staff member Brian Farrell. The court filing explained that CMU was in fact hired by the DoD to conduct the research, which was later subpoenaed by the FBI, and that the information can legally be used in court.

CMU stands by a statement made in November that said: “One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected. In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.”
