MIT cracks Tor anonymity network and recognises hidden servers

MIT and the Qatar Computing Research Institute (QCRI) have discovered a security vulnerability affecting the Tor anonymity network.

Daily Tor users upset over discovery of security vulnerability in Tor network

Computer scientists from the Massachusetts Institute of Technology (MIT) and the Qatar Computing Research Institute (QCRI) have demonstrated a security vulnerability affecting the Tor anonymity network. It makes it possible to identify hidden servers with up to 88 percent accuracy, bad news for the daily Tor users who rely on the service.

The Tor network comprises 2.5 million daily users, including journalists, political activists, terrorists and others who don't want to share their browsing histories with Google, Facebook and other commercial entities.

Tor enables the hosting of websites that cannot be found via a Google search or by typing a URL directly into a browser. These hidden services, which protect a site's IP address and other identifying information, are what the MIT scientists have shown can be unmasked.

The researchers showed that, by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms can determine with 99 percent accuracy whether a circuit is an ordinary web-browsing circuit, an introduction-point circuit or a rendezvous-point circuit.

The attack works by collecting a large amount of network data from a pre-determined list of Tor hidden services and then assigning a digital fingerprint to each service in question, all without breaking Tor's encryption.

"Our goal is to show that it is possible for a local passive adversary to deanonymise users with hidden service activities without the need to perform end-to-end traffic analysis," wrote the MIT researchers in a new paper with the Qatar Computing Research Institute.

"For a while, we've been aware that circuit fingerprinting is a big issue for hidden services," said David Goulet, project developer at The Tor Project Inc. "This paper showed that it's possible to do it passively, but it still requires an attacker to have a foot in the network and to gather data for a certain period of time."

Tor project leader Roger Dingledine said in an email that the requirements of the attack greatly limited its effectiveness in real-world settings. He also argued that researchers routinely exaggerate the risk that website fingerprinting poses to anonymity.

The group also offered defence strategies. "We recommend that they mask the sequences so that all the sequences look the same," Mashael AlSabah, researcher at Qatar Computing Research Institute, said. "You send dummy packets to make all five types of circuits look similar."
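A simplified illustration of the padding defence AlSabah describes, added here and not taken from the paper or from Tor's code: constructed circuit traces whose per-direction cell counts (the feature described above) differ by circuit type are padded with dummy cells until the counts match, so a classifier keyed on those counts can no longer tell them apart. The trace shapes, the feature set and the "pad everything up to the largest profile" policy are all assumptions; real padding schemes also have to hide the ordering of cells, not just their counts.

```python
from collections import Counter

OUT, IN = 1, -1  # direction of a cell relative to the client: towards / from the guard

# Constructed traces (hypothetical shapes, not measured Tor data). They only
# need to differ in their directional counts for the demonstration.
CONSTRUCTED_TRACES = {
    "general":      [OUT, IN, IN, IN, IN, IN, OUT, IN, IN, IN, IN, IN],
    "introduction": [OUT, OUT, IN, OUT, IN],
    "rendezvous":   [OUT, IN, OUT, OUT, IN, IN, OUT, IN],
}

def directional_features(trace):
    """Coarse statistics a fingerprinting classifier can key on:
    (outgoing cells, incoming cells, total cells)."""
    c = Counter(trace)
    return (c[OUT], c[IN], c[OUT] + c[IN])

def distinguishable(traces):
    """True if at least two traces yield different feature tuples."""
    return len({directional_features(t) for t in traces.values()}) > 1

def pad_to_profile(trace, out_target, in_target):
    """Append dummy cells until the trace carries out_target outgoing and
    in_target incoming cells. On the wire a dummy is an ordinary encrypted
    cell, so it is appended here as a plain OUT/IN entry."""
    c = Counter(trace)
    if c[OUT] > out_target or c[IN] > in_target:
        raise ValueError("target profile is smaller than the real traffic")
    return trace + [OUT] * (out_target - c[OUT]) + [IN] * (in_target - c[IN])

def pad_all(traces):
    """Pad every trace to the largest per-direction count in the set so their
    features become identical. Returns the padded traces and the fraction of
    cells that are dummies (the bandwidth cost of the defence)."""
    out_target = max(Counter(t)[OUT] for t in traces.values())
    in_target = max(Counter(t)[IN] for t in traces.values())
    padded = {k: pad_to_profile(t, out_target, in_target) for k, t in traces.items()}
    real = sum(len(t) for t in traces.values())
    total = sum(len(t) for t in padded.values())
    return padded, (total - real) / total

if __name__ == "__main__":
    print("before:", {k: directional_features(t) for k, t in CONSTRUCTED_TRACES.items()})
    padded, overhead = pad_all(CONSTRUCTED_TRACES)
    print("after: ", {k: directional_features(t) for k, t in padded.items()})
    print(f"distinguishable before={distinguishable(CONSTRUCTED_TRACES)}, "
          f"after={distinguishable(padded)}, padding overhead={overhead:.0%}")
```

Running it shows the three circuit types collapsing to one feature profile at the price of roughly 40 percent dummy traffic on these constructed traces, which is the trade-off any padding defence has to make.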

According to the MIT News article, the fix was suggested to Tor project representatives. They may add it to a future version of Tor.

It has previously been reported in SC that the Tor Project was aware of unknown sources carrying out a combination of an “active traffic confirmation attack and a Sybil attack” since February this year in an attempt to identify those who operated and accessed hidden Tor services. It is not known if the MIT research is connected.