The very network nodes that relay anonymous Tor traffic for you, free of charge, may be sniffing or reading your data as it passes through. That's the conclusion of an investigation by a security researcher known as Chloe.
The Onion Router (Tor) network is based on free software which enables anonymous communication by hiding the originating IP address from the destination server. It achieves this by directing internet traffic through a network of volunteer relays which makes it difficult to trace activity back to the user.
It is, according to reports by the US National Security Agency and UK's Parliamentary Office of Science and Technology, the most popular and effective anonymous internet communication system, used by an estimated 2.5 million people each day.
At the entry node, Tor encrypts the original data including the destination IP address multiple times and sends it through a virtual circuit of randomly selected Tor relays. Each relay decrypts a layer to reveal only the next relay in the circuit. The final relay, called the exit node, decrypts the innermost layer and sends the original data to its destination without revealing or even knowing the source IP address, making for anonymous communications.
Tor onion network - artwork by Electronic Frontier Foundation
That's the theory at least, but Chloe conducted an experiment called Badonions to test how often the exit nodes were sniffing the data after it had been decrypted.
The test involved setting up a dummy website with an admin sub-domain and a login page. Chloe then logged into the site through the Tor network many times – in fact, 137,319 times. Due to timeouts and other issues, only 99,271 attempts resulted in a successful connection to the dummy admin account.
Chloe was looking for instances where the unique password chosen for each login attempt was used a second time, which would indicate that the exit node, in that instance, had sniffed the credentials and someone had then decided to have a go at using the credentials to log into Chloe's dummy site.
Chloe found 16 instances of multiple uses of a unique password. While it may appear a small number, this number should be zero. In addition, there were 650 unique page visits which points to additional sniffing activity.
Chloe estimates that the number of exit nodes tested was 1400, with each used around 95 times.
The conclusion: “We can see that there's passive MITM [man in the middle spying] going on in the Tor network. This is done by setting up a fully functional and trustworthy exit node and start sniffing.”
In an email to SCMagazineUK.com, Chloe says it would be wrong to conclude that the Tor network was unusable: “It just shows that there's bad guys out there that will try to take advantage of Tor-users. This is a problem that affects VPN and proxies too, but the problem is that anyone can anonymously set up a node and start sniffing.”
As a consequence, it's more important than ever for site owners to use HTTPS, and it would help if more users were to join the hunt for bad nodes.
Chloe has been critical in the past of how Tor is organised, citing the problem of the 10 or so authority nodes that exert some control over the network and have the ability to blacklist exit nodes.
According to Chloe, an email notifying the Tor project about a bad exit node was initially greeted with a positive response. “But nothing happened. Still today the same node is actively sniffing traffic and making the Tor network unsafe for everyone,” Chloe said.
Roger Dingledine, co-founder and interim executive director of the Tor Project, replying to an email from SC, said that the Project had been in communication with Chloe for about a week.
He disputed the number of suspect exit nodes discovered, saying it was seven rather than 15 or 16, a figure which is based on the number of unique Tor fingerprints, but even so he wasn't surprised or overly concerned about it.
He also wasn't surprised or concerned about the fact that a couple of “guard” nodes, which have gained trusted status by dint of being “around for a while”, were among the sniffers.
He accepted that Tor still has scope for development. “Tor is the best option out there in terms of privacy and anonymity, but there are still many open research questions in the area, and there's always room for improvement. We rely in large part on community members, just like in this situation, to identify, understand, and help resolve problems,” he said.
Sarb Sembhi, director of Storm Guidance, told SC that Tor was subject to constant attack because of its status as the most secure means of anonymous communication. “If you understand that it's a very effective tool for communications, it's most likely being looked at by almost every spy organisation because they want to see how they can use it and exploit its vulnerabilities,” he said. “And you have to accept that there are probably far more vulnerabilities in the Tor network than we know about.”
Dingledine refuted this claim. “There are few-to-no known code security vulnerabilities in Tor, so in that respect I think we're doing pretty well,” he said.
However, he added, “Tor Browser is based on Firefox, and people do in fact find vulnerabilities in Firefox periodically.”
Mike Loginov, vice chairman of the National MBA Cyber Security Global Advisory Board, told SC that Tor had to withstand constant assault. “The Tor, like any other part of the internet, is under constant challenge by individuals and groups seeking to corral and compromise data,” he said. “The problem of attribution and tagging of Tor data sources is one that governments as well as opportunists around the world seek to resolve. If one can start to build connections between nodes as well as implementing compromised nodes to attract tale signs and common denominators, you start to move towards a position where the Tor itself as a platform can potentially be compromised.”
Dingledine echoed this statement, saying the field of anonymity was still young: “There remain many unsolved research questions in terms of how to provide great security against, for example, a global pervasive observer. But first, it's important to remember that we are still the state of the art in privacy systems. And second, there aren't very many organisations in the world that are in a position to launch these internet-scale attacks.”
Rick Falkvinge, founder of the Pirate Party, said this study underscored the importance of information hygiene. “The TOR network was never made for encrypting your data, but for hiding your location and identity. You still need to encrypt end-to-end if you want to protect the data transmitted,” he said.
“If you're sending login credentials to anything at all in cleartext today, you might as well publish those credentials on YouTube and sing them to melodies. Rogue nodes are to be expected, on and off the TOR network, and everywhere else too. This is basic information hygiene today,” Falkvinge said.
“The TOR network is constructed to withstand rogue nodes that try to subvert the network (relay nodes as well as exit nodes); that was anticipated in the design. The only attack it can't withstand is a systemic attack from an adversary with the capability to subvert the entire Internet around it. Even then, it will continue to operate, but with reduced ability to hide locations and identities,” he said.
Chloe has no plans to stop using the Tor network: “I love Tor and I run a few relays by myself actually... My recommendations are better URL for onions, like foobar.onion, better cryptography, more decentralised, more power to the users and more focus on keeping the network safe.
“What I mean about the last thing is that these attacks that are made by the exit nodes are not so prioritised, Tor tries to focus on the big attacks on AS-level and so on.
“Also, there needs to be better communication with Tor because I had some problems contacting the right people and even when I did, I did not get the response I was hoping for.”