The recently discovered critical zero-day vulnerabilities found in the Tails operating system disclosed by Exodus Intelligence lies in the I2P software that is bundled with the operating system alongside the company has released further details and a video demonstrating an active exploit against the uncovered flaws.
I2P is an anonymity network, somewhat similar to the architecture of Tor, that encrypts all communications end to end that are run through I2P nodes, while enabling private and anonymous usage of the Internet and various resources including email, instant messaging, and web browsing. I2P is a packet switched network rather than a circuit switched network which Tor Network uses, and communications over the network are message-based. The I2P architecture is designed to treat each node with identical importance to all other nodes, meaning there is no central servers routing the traffic.
Exodus Intelligence researchers stated the vulnerabilities discovered were present in a number of Tails operating system versions, including Tails newest release Tails 1.1.
“The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work,” the Exodus team wrote in a blog post explaining the vulnerabilities.
Exodus researchers disclosed the vulnerabilities to the Tails developers on Wednesday, shortly before publishing their outline on the flaws. A number of security researchers criticized Exodus Intelligence for not disclosing the zero-day vulnerabilities to Tails developers earlier. Tails newest release 1.1 was released Tuesday, and Exodus tweeted Monday that the operating system was still vulnerable to remote code execution.
Exodus is known for selling vulnerabilities they uncover in a number of products to clients, which include United States agencies and DARPA. Aaron Portnoy, co-founder and vice president of Exodus Intelligence told Threatpost that the company was never selling the Tails vulnerabilities and was only interested in bringing attention to the fact that no software should be noted secure, even tools recommended by Edward Snowden, such as Tails.
“Disclosure of vulnerabilities takes many forms, particularly their shape is adapted to the landscape that the platform is used upon. In the past at Exodus Intelligence, we’ve felt that significant vulnerabilities have been disregarded and have not had the requisite exposure. Through appropriate airing of the issue, we feel that users of such security platforms may come to understand the risks in base-level trust,” Exodus Intelligence reported in its post.
“Even further we hope to break the mold of unconditional trust in a platform. Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security. It’s not enough to have faith upon security, rather to have an understanding of it. If the public thinks Exodus is one of a few entities finding bugs in software, they are grossly misinformed. As is the case with all vulnerabilities we report to vendors, we do not ask for any remuneration. All flaws that we give to vendors are given free of charge. All accusations of extortion perpetuated by those unfamiliar with our business model are completely unfounded.”