For anyone wanting to keep their identities hidden from snoops and crooks alike, the Tor network is often the first port of call. Yet fresh weaknesses have been identified in The Onion Router system that will likely make those users think twice.
Organizers of the Tor Project, which oversees the management of the network, issued a warning today about attacks that likely de-anonymized users of Hidden Services, websites only accessible over Tor. Anyone who “operated or accessed hidden services from early February through July 4 should assume they were affected” and may have had their IP address grabbed by the perpetrators. They may have spied on users of standard sites too.
To understand the attacks, a quick refresh on the basics of Tor is required. The network is made up of relays - systems volunteered to handle encrypted traffic. When a Tor user selects a website to visit, their traffic is directed through a number of these relays in sequential hops. There are entry relays and exit ones, some of which are believed to be under the ownership of the US government, amongst many others.
Whoever carried out these fresh attacks had control over a large number of relays. The Tor Project suspects the team behind a recently cancelled presentation on de-anonymizing users on a budget of $3,000, which was due to be given at BlackHat 2014 next week, were responsible. Yet the Carnegie Mellon researchers who were supposed to speak at the famous hacking conference have not responded to a request for comment.
As for what the hackers did with the relays, the Tor Project said it believed they used two methods in their attempts to unmask people. One was a "traffic confirmation" attack, in which the snoop monitors the two ends of a Tor circuit - the first and final hops on the journey to a deepweb site. By correlating the data at these relays, an attacker could determine the IP address of a user and the site they were visiting. In this particular attack, they used one of the relays to inject a “signal” into Tor protocol headers, which would be read at the end of the circuit. When the user landed at that final point and initiated a Hidden Service directory check, this information would be sent back down the chain as encoded data and the attacker knew where the user was going and what IP address they had used at that first relay.
As if that wasn’t worrying enough for Tor users, the Project post noted “this signal would be easy to read and interpret by anybody who runs a relay and receives the encoded traffic”. That means any of the relays owned by the US government could be used to easily de-anonymize people. “If the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future,” the Tor post read.
Traffic confirmation attacks have been public knowledge since at least 2009, but this latest exploit involved previously unknown techniques. For instance, they used commands known as “relay” and “relay early”, which are normally used to convey information between nodes, but in this case were subverted to create patterns that would form the encoded messages being sent back and forth along the chain.
As for the other method, it’s been known for some time too. It’s called a Sybil attack and simply involves the creation of a substantial number of nodes to hold an excessive degree of control over a peer-to-peer network. The attackers in this case set up 115 relays, which eventually became entry nodes for “a significant chunk of users over their five months of operation”, partly because relays are regularly rotated to take on different roles.
Though the Tor Project noticed this spike in new sign-ons, it determined the number of freshly-registered nodes “wasn't that large a fraction of the network”. The team noted there was “room for improvement in terms of how to let the Tor network grow”.
Added to the first technique, this is highly sophisticated stuff. That's why the Tor Project suspects the Carnegie Mellon researchers were behind it all. “In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was,” the team added.
This leads us to the big question: can people trust Tor to keep their anonymity safe? This is a really sticky issue. The Tor Project has issued fixes and updated some of its procedures, so most should be protected from this specific attack. Even for those who haven’t issued a patch, attackers won’t be able to see what users actually did, only that they looked up a certain hidden site. Full de-anonymization is still incredibly difficult.
Whether users can completely trust Tor anymore comes down to what they’re using it for. “For everyday web browsing it is still a great way to preserve your anonymity,” says Diarmaid McManus, who runs Tor nodes as well as the Security Ninja blog. “For example, I know of one person who uses it to log into Facebook to hide their country of origin, and it will continue to work splendidly for this.”
But for those using The Onion Router to hide from the government, Tor should not be relied on for 100 percent protection. “Tor isn’t a silver bullet, it’s only one layer to help you remain anonymous online,” McManus adds. “I wouldn’t trust Tor to protect someone from the NSA. It all depends on your threat model.”
There's another problem here: there aren't many alternatives to Tor. One of the best-known is I2P, which is used in the privacy-focused operating system Tails, but a serious flaw was recently disclosed by security firm Exodus Intelligence that could have been exploited to de-anonymize users. It's becoming increasingly hard to find an offering that will protect the user IP address.
One also wonders what might come of the researchers, if they really were the ones behind this. Not only was their talk cancelled because their university stepped in, saying they hadn’t received permission to share their findings, but certain onlookers have suggested they needlessly degraded the security of Tor. Might there be a legal wrangle on the way too? As the Tor Project noted: “It's probably unwise from a legal perspective for researchers to attack real users by modifying their traffic on one end and wiretapping it on the other.”
