In Part 2 of the Hacking IRL series, Jim Holcomb - Associate Security Consultant at Evolve Security Academy - clears up terms we've all heard but may not completely understand, such as the Deep Web, Dark Web, and even The Internet. Minor Mr. Robot spoilers ahead!
Guest Author: Jim Holcomb, Evolve Security Academy
Continuing last week's journey to demystify some of the more elusive concepts embedded in our favorite show Mr. Robot, this week we’re laying out some needed groundwork for understanding the tools and tactics Elliot and other nefarious characters in the show use to stay anonymous on the internet.
We’ll cover numerous episodes throughout season one and two so prepare for minor spoilers.
Throughout the series, we hear casual references to a protocol called “Tor” as well as allusions to the more suspicious sounding “Dark Web”. While by name alone they may either seem esoteric or simply made up, they are both very real and are actually quite robust environments that attract the well-intentioned as well as the malevolent alike. So what is the Dark Web and how does it relate to Tor? Moreover, how accurately is the use of said services portrayed in Mr. Robot? Well, first, we need to clarify some terminology.
The phrase Dark Web is often misunderstood to be synonymous with “Deep Web”. So before discussing Tor, let’s set some boundaries and determine what differentiates the Clear Net (the “normal” Internet), the Deep Web, and the Dark Web. These terms vary from person to person (i.e. Dark Net vs. Dark Web) and are generally considered unofficial.
- The Internet
The Internet basically describes the network that contains all publicly routable devices. That is not to say that you can view everything on The Internet. You may need a username and password or special routing protocol to view certain locations. The most common protocol used on the internet is HTTP/HTTPs which typically describes your normal web traffic. The Clear Net, Deep Web, and Dark Web are all technically on the internet. So what wouldn’t be considered part of the internet? A distributed system of directly connected nodes, often called a mesh network, operated on a local level (like a neighborhood) that isn’t routable through the Internet would not be considered part of The Internet.
- The Clear Net
The Clear Net refers to Internet traffic that is not part of the Dark Web. It would, however, include the Deep Web. The term Clear Net sometimes is restricted to only include unencrypted traffic. However, with the prevalence of SSL/TLS (the ‘s’ in HTTPs), it would also be suitable to describe general internet traffic.
- The Deep Web
The Deep Web is often the most misunderstood portion of the internet. In the news, its use is often portrayed as bad natured or malignant. But in fact, you use the Deep Web every day. The Deep Web can be loosely defined as any part of the internet that is not "indexed" or easily searchable. Think of anything that won't come up in a Google search. While chase.com is searchable, your particular account page on chase.com is not. So any account you have that requires a login form to access is technically considered part of the Deep Web. Not so scary now, is it?
- The Dark Web
The Internet deserves to be prefixed with the article “The” because it is so large. In reality, it’s just a network like your home Wifi router. The same is true for the Dark Web. Your Wifi Network (called a LAN or Local Area Network), could technically be considered a Dark Web depending on the protocols required to access it. Any VPN (Virtual Private Network) that you connect to, could also function as a Dark Web. But what’s “The” Dark Web? "The" Dark Web is the network that is only accessible through Tor. To go even deeper, Dark Web sites, called Hidden Services, can have their own authentication and login forms and therefore add another layer to our internet cake.
So we’ve solidified some general terms about the Dark Web as well as cleared up some misconceptions surrounding what it actually refers to. However, there is one final question that requires an answer before we can check back with Elliot and the gang. What is Tor?
- Tor
Tor, or The Onion Router, is an anonymization protocol that allows users to communicate over encrypted networks where both the client (the browser) and the server (the website) have zero knowledge of who the other is. Typically, over a normal connection, both the client and server would need to know each other’s IPs. When you go to Google, it knows your IP (the IP that Comcast/AT&T assign to your home), and you know Google's IP. Your computer asks where "google.com" is located and then sends the actual URL request to that IP. While there are other services that hide a user’s IP from the server, such as a proxy or VPN, these often require a trusted third party like a VPN provider. Tor provides a decentralized and trustless solution where a user would not have to trust a proxy provider or VPN provider and instead would just have to trust the integrity of the protocol’s implementation (the code/software).
How Does Tor Work
Tor is not like encryption applications such as GPG, Signal, or WeChat, where two people can communicate securely; what it offers is a high level of anonymity. But to achieve this, it requires a network of users to run. These users run Tor nodes through which other users can send their traffic. To be specific, it requires at least three nodes to work (though it requires many more to actually achieve anonymity). However, simply proxying traffic through three nodes will not provide anonymity, as an attacker could compromise any of the nodes and work their way back to the original user.
Finally, each node has no knowledge of any non-connected node. So the “Exit” node has no knowledge of the “Entry” node and is only aware of the “Middle” node and the destination.
Is Tor Secure? That is a good question.
Villains Beware! But what about Mr. Robot? In the very first scene of the series, we see Elliot confront “Ron”, a coffee shop owner. Unfortunately for Ron, and fortunately for the world, Elliot discloses that he discovered that Ron is running a Dark Web website that serves photos of abused children to 40,000 users who connect through the Tor network.
With our knowledge of Tor and the Dark Web, we can view this scene with a greater understanding of what Elliot is actually saying. So let’s dissect what Elliot actually did to take down Ron.
Elliot says “I started intercepting all the traffic on your network. That’s when I noticed something strange.” What exactly does Elliot mean? First, we know that Elliot was sniffing traffic on Ron’s local network. This can be done in many different ways. For this to work as Elliot described, the traffic from Ron’s Tor website would have to be sent through the local network where Elliot has positioned himself. But does this make sense? For now, let’s assume that Elliot could only view encrypted Tor traffic leaving the coffee shop. If this is the case, Elliot is not exactly saying he could read the traffic itself. He is just saying that based on the traffic's general profile, he can tell that the traffic is Tor traffic. This is very close to reality, as Tor traffic is insanely easy to recognize. A third party on the network such as an Internet Service Provider (Comcast, AT&T) or, in this case, Elliot, can instantly recognize the traffic as Tor traffic even though they can’t read the actual data being sent.
Elliot provides one final clue as to what approach he took to hack Ron by mentioning that he was “in control of the exit nodes”. Now Ron is running the website, therefore his coffee shop is the destination. From what we know about exit nodes, the data between the exit node and the destination is not encrypted. If Elliot was between the exit node and the destination, he would not even need to compromise the exit node.
Therefore, this scene unfortunately does not make much sense. There are many scenarios where this sort of situation could take place and Elliot would need to compromise an exit node in order to deanonymize Ron’s traffic; however, the show does not provide us with enough information for us to paint a clear picture of what actually happened.
- The Use Case
In Mr. Robot and in popular culture in general, Tor and the Darknet are often villainized as criminal tools that no upstanding citizen would associate themselves with. And while there certainly is a thriving dark market economy that deals in illicit activities and goods, there are also many good use cases for the average internet user to use Tor. For instance, in some areas of the world, Tor is a vital tool for resisting injustice. In countries whose governments require internet service providers to monitor and log traffic, Tor remains one of the few options for securing your privacy. And not just privacy against government. If an ISP were required by law to log and monitor traffic, wouldn’t it make it a juicy target for malicious actors who want to steal that data? And due to their cooperative nature with government institutions, if an ISP were ever compromised, would it be made public? Would you know that your entire internet history is available on the dark market or is sitting in the database of some nation state? Tor is just one tool that can help you stay safe from these sorts of situations.
- The Final Verdict
Mr. Robot doesn’t always get it 100% right. But they are truly unique in their ambitions to do so. And despite the inability to reconcile some inconsistencies with Elliot’s story at Ron’s coffee shop, if Ron had been a user of the Darknet site and not the server (destination), Elliot’s attack could have theoretically been possible, as he is describing a real attack on the Tor network. Because Tor is decentralized, anyone could run a Tor exit node. It would actually be surprising if certain three letter agencies were not running exit nodes for the simple purpose of performing an exit node attack, where the maintainer of the node can read the unencrypted traffic being sent through the network. In doing so, the attacker could potentially deanonymize the Tor user if the user sent any personal information through the network unencrypted, for instance if they logged into an account and submitted their email. For this reason, it is necessary to use HTTPs or an additional layer of encryption when using the Tor network.
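To make the three-hop model from "How Does Tor Work" and the exit node attack described in this verdict concrete, here is an added simulation (not code from the show, the Tor Project, or this post's author). It wraps a request in one encryption layer per relay, peels the layers off hop by hop, and records what each relay can see; the cipher, relay names, keys and the login request are all constructed stand-ins for illustration.

```python
import hashlib

# Toy stream cipher, constructed for this illustration only (real Tor uses
# AES-CTR inside TLS links): keystream = SHA-256(key || block index) XORed
# over the data. XOR is symmetric, so one function both adds and removes a layer.
def toy_cipher(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_onion(hops, destination, payload):
    """Client side: one layer per relay, innermost for the exit. Each layer
    carries only the name of the next hop, so a relay learns nothing else.
    hops = [(name, key_shared_with_that_relay), ...], entry node first."""
    next_name, cell = destination, payload
    for name, key in reversed(hops):
        cell = toy_cipher(key, next_name.encode() + b"|" + cell)
        next_name = name
    return cell

def relay_peel(key, cell):
    """One relay strips its own layer and learns only where to forward."""
    next_name, inner = toy_cipher(key, cell).split(b"|", 1)
    return next_name.decode(), inner

def run_circuit(hops, destination, payload):
    """Push a cell through the circuit and record what each relay observes."""
    cell, prev, log = wrap_onion(hops, destination, payload), "client", []
    for name, key in hops:
        next_hop, cell = relay_peel(key, cell)
        log.append({"relay": name, "sees_from": prev, "sees_to": next_hop,
                    "reads_secret": SECRET in cell})
        prev = name
    return log, cell          # cell is now exactly what the destination gets

# Constructed sample circuit and request; names, keys and secret are made up.
HOPS = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
SECRET = b"password=hunter2"
HTTP_LOGIN = b"POST /login HTTP/1.1\r\n\r\n" + SECRET   # plain HTTP over Tor
E2E_KEY = b"k-end-to-end"   # stands in for an HTTPS session with the site

def exit_can_read_secret(payload, e2e_key=None):
    """True when the exit relay (the exit node attack) can see the secret."""
    data = toy_cipher(e2e_key, payload) if e2e_key else payload
    log, _ = run_circuit(HOPS, "site.example", data)
    return log[-1]["reads_secret"]
```

Running `run_circuit` shows each relay knowing only its predecessor and successor, while `exit_can_read_secret` is true for the plain HTTP login and false once an end-to-end layer (HTTPS in practice) sits inside the onion.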
Miss Part One? Check out Hacking IRL: What Mr. Robot Teaches Us About Cybersecurity.
Interesting Links:
https://motherboard.vice.com/en_us/article/mgbdwv/badonion-honeypot-malicious-tor-exit-nodes
https://www.torproject.org/
https://www.youtube.com/watch?v=QRYzre4bf7I
Jim Holcomb is an Associate Security Consultant at Evolve Security. When he isn't colluding with our reptilian overlords, Jim enjoys developing applications and pentesting tools with Python. Questions? Email info@evolvesecurity.io.