
It's known that Flash can give away your real IP address to web services if you use it in Tor Browser directly run by your computer's OS. But what if you use Flash inside a Whonix workstation (either in Tor Browser or in a "normal" browser like Firefox, Chromium, Google Chrome)?

The Whonix VMs are designed in such a way that all internet traffic of the Whonix workstation has to go through Tor. Is it possible to figure out the real IP address of someone if they're using Adobe Flash inside a Whonix workstation? Does using Adobe Flash have any other major implications for privacy such as making fingerprinting much easier?

UTF-8

1 Answer


TL;DR: generally no, it is not possible to figure out your IP assuming the Whonix VM is configured correctly as you describe, and ALL traffic tunnels through Tor.

Long story: there are several ways for Flash applets to find your real IP. As stated above, none of this applies to Whonix, which protects against all of them. They are listed here for educational purposes, and to explain why other Tor configurations (such as Tor Browser Bundle or Tails) could still be vulnerable to them.

  1. The most obvious way is to request a specific URL from Flash itself, and see the IP in the server logs. If the Flash traffic is routed through Tor, this will return the IP of Tor exit node. Tails protects against this, but Tor Browser Bundle, as far as I know, does not (and this is why Flash is disabled in TBB).

  2. It is possible (in Adobe Air 2.5) to enumerate local interfaces and find out the IP there. In your configuration this would probably be a nondescript IP such as 10.x.x.x which will give out no information. Same as above.

  3. It is possible to use a browser exploit, and then run some code in your VM. This code will not be restricted by Flash policies, and could leak your IP depending on how tight the configuration is.

    For example, Tails enforces routing of traffic through Tor via the firewall rules. If an exploit gains root privileges, it can flush the firewall rules table, effectively disabling this rules enforcement. Then every request (such as wget to whatismyip.com) would return the IP address.

    However, if the rules are enforced at the workstation itself (i.e. the VM can only talk to the workstation no matter what the VM firewall/NAT configuration is), this will not work. Still, there are other possible ways. For example, if the VM only firewalls TCP traffic but passes ICMP traffic (Tor cannot really tunnel ICMP or UDP, only TCP), it is possible to send the information via ICMP. Also, if DNS requests are not filtered by Whonix, it is possible to set up your own DNS server for a domain, perform a DNS lookup for domains such as 192.168.0.1.yourdomain.com and log the requests on your DNS server. However, with proper filtering - which I believe Whonix is doing - this should not be possible.

George Y.
  • Wait, what? I think it's highly unlikely that Whonix just lets ICMP, UDP, and/or DNS through without passing it through Tor. Why would that be? Shouldn't it just block those connections if routing them through Tor isn't possible? I don't know anything about ICMP. I heard that caring about resolving DNS isn't necessary, as with Tor you can just ask the Tor network to connect to a certain URL rather than resolving the domain, the subdomain, the sub-subdomain, etc., and once you've got the IP asking that server for the document you want to have. – UTF-8 Sep 29 '16 at 02:42
  • Neither ICMP nor UDP can be "routed" through Tor network because it doesn't have support for that (only for TCP), so it should be blocked completely. With DNS it is a bit different - if Whonix resolves non-Onion DNS requests by itself, it is possible to find your IP by executing code (via exploits) which attempts to resolve subdomains such as .myserver.com - this request will be handled by the DNS server running at myserver.com, which will record the IP. – George Y. Sep 29 '16 at 02:52
  • Can you explain a few details regarding this to me [in chat](http://chat.stackexchange.com/rooms/46062/tor-dns-privacy)? – UTF-8 Sep 29 '16 at 09:16
  • DNS works as a hierarchy. Simplifying this a lot, if your computer does DNS resolving by itself, then to find out the IP address of update.microsoft.com your computer first queries which DNS server serves the microsoft.com domain. Then it sends the request to this DNS server (which is run by Microsoft). Thus if I run a DNS server at mydomain.org, and your computer tries to resolve abc.mydomain.org (for example if you type it in your browser), my DNS server will receive this request, and can log the IP address of the computer which sent it. – George Y. Sep 30 '16 at 02:04
  • So by querying a non-existent subdomain (for example, your username on a website is qwe123, so I write an exploit which queries qwe123.mydomain.org - for example by embedding an image as ), I can force your browser to resolve this domain and log it on my server. To avoid this, your computer should not resolve the domains yourself, and should use a large public DNS (such as Google 8.8.4.4) – George Y. Sep 30 '16 at 02:07
  • But if an application running on the Whonix workstation requested the resource `http://qwe123.mydomain.org/img.jpg` inside any Tor environment (Tor browser, Whonix workstation, or even just running the application `tor` and telling other applications to use it as a proxy), wouldn't it just tell the Tor exit node to get the above-mentioned resource and send it to the one who requested it? Why would it be the job of an application running on the user's computer to resolve DNS when using Tor? – UTF-8 Sep 30 '16 at 13:26
  • What you described would in any case tell TLD DNS servers which servers the user communicated with (as long as the user uses DNS at all). Tor is (among other things) supposed to hide which services the user communicates with from governments. Governments can easily force TLD DNS operators to give them a log of where (IP address) requests to which domains came from. – UTF-8 Sep 30 '16 at 13:29
  • Please note that the long description in the answer explains how the Tor user IP could be revealed in general. I already said this will not work in Whonix. However if other Tor applications/platforms are used, such as Tor Browser Bundle or Tails, this is possible. – George Y. Oct 01 '16 at 00:23
  • The answer to [this question](http://security.stackexchange.com/questions/138454/does-the-tor-browser-leak-a-list-of-visited-websites-to-tld-dns-services) says that attack doesn't work. – UTF-8 Oct 02 '16 at 19:19
  • It does not work through Tor. But if you are able to exploit a vulnerability and run the code on the machine (see #3 in the answer), this is possible. I'll edit the answer. – George Y. Oct 03 '16 at 01:26