Tor Project unearths attack that identifies users

News by Doug Drinkwater

Users of The Onion Router (TOR) network have been warned of an attack that could deanonymise them if they used the service from February to July this year.

Writing in a security advisory published on its website on Wednesday, the Tor Project said that unknown sources had carried out a combination of an “active traffic confirmation attack and a Sybil attack” since February in an attempt to identify those who operated and accessed hidden Tor services, which are often used by activists and criminals alike.

Describing the active traffic confirmation attack, the group said that attackers would look to control or observe the relays - the servers that bounce internet traffic from place to place, thus anonymising it - at both ends of a Tor circuit, and then compare traffic volume, timing and other characteristics to conclude that the two relays were on the same circuit.

They would inject signals into Tor protocol headers to help them identify the user, which could be done by observing the user's IP address at the first relay and the destination at the last.
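The attack described above rests on two ingredients: a large batch of attacker relays (the Sybil part) and a bandwidth share big enough to land at both ends of a circuit (the traffic confirmation part). As an added example, not code from the article or the Tor Project, the following Python script models both from the defender's side over a constructed relay list: it flags a batch of relays that appeared on one day from one /16 address block (the kind of pattern a relay-monitoring operator looks for), and computes the textbook estimate of how often such a family would occupy both the entry and exit position. Every relay name, address, bandwidth and join date in it is invented; they are not the relays involved in the 2014 incident.

```python
"""Added example (not code from the article or the Tor Project): a small
defender-side model of a Sybil plus traffic confirmation attack on Tor,
run over a constructed relay list.  It shows (1) a directory-operator
heuristic for spotting a Sybil batch (many relays appearing on the same
day in the same /16), and (2) the simplest estimate of how often such a
family sits at both ends of a circuit.  All relay data is invented."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_interface


@dataclass(frozen=True)
class Relay:
    nickname: str
    ip: str
    bandwidth: int   # consensus weight in KB/s (constructed values)
    joined: date     # date the relay first appeared in the consensus
    guard: bool      # eligible as entry (first) hop
    exit: bool       # eligible as exit (last) hop


# Constructed sample consensus.  The "sybil" relays mimic the pattern the
# Tor Project described: a batch of relays joining on one day.  They are
# hypothetical and are not the relays involved in the real 2014 attack.
RELAYS = [
    Relay("alpha",   "192.0.2.10",   9000, date(2012, 5, 1),  True,  False),
    Relay("bravo",   "198.51.100.7", 7000, date(2013, 1, 9),  True,  True),
    Relay("charlie", "203.0.113.20", 6000, date(2011, 8, 3),  False, True),
    Relay("delta",   "192.0.2.77",   4000, date(2013, 11, 2), True,  False),
    Relay("echo",    "203.0.113.9",  5000, date(2012, 2, 14), False, True),
    Relay("sybil01", "198.18.0.1",   2000, date(2014, 1, 30), True,  True),
    Relay("sybil02", "198.18.0.2",   2000, date(2014, 1, 30), True,  True),
    Relay("sybil03", "198.18.5.3",   2000, date(2014, 1, 30), True,  True),
    Relay("sybil04", "198.18.9.4",   2000, date(2014, 1, 30), True,  True),
]


def slash16(ip: str) -> str:
    """Return the /16 network an address belongs to, e.g. '198.18.0.0/16'."""
    return str(ip_interface(f"{ip}/16").network)


def find_sybil_clusters(relays, min_size=3):
    """Group relays by (/16 network, join date) and return the groups that are
    at least `min_size` strong.  A batch of relays appearing together from one
    address block is the simplest fingerprint of a Sybil deployment; it is a
    heuristic that warrants a closer look, not proof of malice."""
    groups = defaultdict(list)
    for r in relays:
        groups[(slash16(r.ip), r.joined)].append(r.nickname)
    return sorted(names for names in groups.values() if len(names) >= min_size)


def two_end_probability(relays, suspected):
    """Estimate the chance that one circuit has a suspected relay as both its
    entry and its exit, assuming each position is chosen with probability
    proportional to bandwidth (the simple independent-selection model; real
    Tor path selection adds further constraints, see the note below)."""
    guard_total = sum(r.bandwidth for r in relays if r.guard)
    exit_total = sum(r.bandwidth for r in relays if r.exit)
    guard_bad = sum(r.bandwidth for r in relays if r.guard and r.nickname in suspected)
    exit_bad = sum(r.bandwidth for r in relays if r.exit and r.nickname in suspected)
    return (guard_bad / guard_total) * (exit_bad / exit_total)


def assess(relays, min_size=3):
    """Run the heuristic and report each flagged cluster with its two-end share."""
    report = {}
    for cluster in find_sybil_clusters(relays, min_size):
        report[tuple(cluster)] = two_end_probability(relays, set(cluster))
    return report


if __name__ == "__main__":
    for cluster, p in assess(RELAYS).items():
        print(f"cluster {cluster}: sees both ends of {p:.1%} of circuits")
```

On this toy consensus the four-relay batch holds 8000 of 28000 guard bandwidth and 8000 of 26000 exit bandwidth, so the independent-selection estimate is 8/91, a little under 9% of circuits. Two caveats a practitioner would add: real Tor path selection never uses two relays from the same /16 or the same declared family in one circuit, so a family that wants both ends must spread across networks and simply not declare itself, which is why a monitoring heuristic should also cluster on join date and nickname patterns rather than on address block alone; and the figure is driven by bandwidth share, not relay count, which is why Cottrell's "large number of servers" is the decisive resource.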

The Tor Project says that the attack relays joined on January 30 but were only removed from the network on July 4. It is now urging people who used the service during this time to ‘assume they were affected' and to upgrade to a more recent version of Tor, which closes the protocol vulnerability the attack relied on.

Hidden service operators are also advised to change the location of their hidden service.

Some users will be reassured to learn that while the attackers looked for users who fetched hidden service descriptors, it was ‘unlikely' that they were able to see any application-level traffic, which pages were loaded or whether visitors actually visited the hidden service they looked up.

Intriguingly, the group believes that researchers at the Carnegie Mellon's Computer Emergency Response Team are behind the attack, as they were due to give a presentation on Tor's “fundamental flaws” at the Black Hat conference in Vegas prior to it being cancelled because of legal issues.

Lance Cottrell, founder and chief scientist of an anonymising service that preceded Tor, said in an email that ‘everyone hopes' it was the researchers, as otherwise questions will be raised about what hackers are doing with the data.

“Everyone hopes the folks running this were the researchers who just dropped out of BlackHat. If not them, then who knows why the attackers were doing it and what they might be doing with the data.”

But Tim Keanini, CTO at security vendor Lancope, suggested that the researcher route was unlikely.

“The talk from BlackHat that was pulled is operationally insignificant because all the folks actively working on ‘breaking' TOR are hard at work on their objective and conferences are not their thing,” Keanini said in an email to SC.

Cottrell continued: “This is just another vulnerability that allows hostile Tor node operators to compromise user anonymity. It's inevitable given the architecture - Tor attempts to improve user privacy by having a large number of volunteers running their servers, and sending traffic through chains of three servers so no one person need be trusted.

“Unfortunately anyone can set up servers, and well-funded attackers could set up large numbers of them. Using vulnerabilities in the Tor protocol and modified servers these attackers have and will continue to be able to unmask Tor users and hidden Tor services.”

Cottrell said that the attack was a reasonable approach given attackers with a ‘large number of servers' are likely to control the first and last server, and believes that other vulnerabilities will be exploited.

“The attackers have been active since January, so any activity with hidden services since that time could have been captured. There are other kinds of attacks that can be launched as well. As with all systems, it is almost certain that there are other vulnerabilities out there. Attackers can be using ones we don't know about right now.”

Noting the Russian government offering a £60k bounty to any local companies or individuals who can help compromise Tor, Cottrell continued that they wouldn't be the only country looking at the anonymised internet network.

“One assumes that many national intelligence organisations around the world are working on this as well.”

Constanze Kurz, anti-surveillance activist and member of the Chaos Computer Club (CCC), which is a Tor server operator, told delegates at the EuroPython 2014 conference in Germany last week that Tor is being targeted by the NSA, GCHQ and the German authorities, noting that triggers being used to search for every Tor user had been released. Kurz said that so far, Tor is the only affordable and reliable means for the public in, say, China and Iran to use anonymised communications.

She added, "Data traffic to and from the Tor directory services is being taken into the repositories of the NSA. That is why we filed a criminal complaint against Angela Merkel, the heads of German and foreign secret services and others who could be responsible, because, as well as using political and technical help, we should also use existing laws."

Alan Woodward, a visiting professor at the department of computing at the University of Surrey and academic adviser to the European Cybercrime Centre, told SC that there was some ‘inevitability' to this attack, such is the governmental interest in discovering online criminal operations like Silk Road.

As such, there would be a ‘lot of candidates' for who could be behind the attack. He noted that I2P is emerging as a new peer-to-peer protocol for private browsing.

In the meantime, Jaime Blasco, director of AlienVault Labs, says that Tor users should ‘assume' that it is compromised and use other methods within the network to obscure their identity.

“Tor provides anonymity, if you want to have privacy you still have to use something like a VPN in order to connect to the TOR network. You are still facing other problems like tracking and profiling or unauthorised access to your system using exploitation of the browser or any other software you are using over the TOR network. As an example, the FBI used an exploit affecting Firefox to deanonymise Tor users accessing illegal content.

“If you want to be secure you should assume Tor is compromised and use other methods to maintain your anonymity and privacy within Tor.”

Malwarebytes malware intelligence analyst Josh Cannell continued with this theme and said that Tor doesn't protect users from everything.

“While the Tor network is resilient and very successful at providing online privacy to users, it isn't a perfect solution to online privacy,” Cannell told SC.

“It's important to remember that Tor protects against traffic analysis, but does not protect against traffic confirmation attacks, or endpoint correlation; the folks at Tor have even stated that traffic confirmation remains an "open research problem." Tor first released a blog about traffic confirmation attacks in 2009, and it has been a recurring problem since then.”
