Tor Project unearths attack that identifies users
Tor Project unearths attack that identifies users

Writing in a security advisory published on its website on Wednesday, the Tor Project said that unknown sources had carried out a combination of an “active traffic confirmation attack and a Sybil attack” since February in an attempt to identify those who operated and accessed hidden Tor services, which are often used by activists and criminals alike.

Describing the active traffic confirmation attack, the group said that attackers would look to control or observe the relays - used to bounce internet traffic from place to place thus anonymising it - at both ends of a Tor circuit and then compare traffic volume, timing and other characteristics to conclude that two relays were on the same circuit.

They would interject signals into Tor protocol headers to help them to identify the user – which could be done by finding their IP address in the first relay and the destination in the last.

The Tor Project says that the attack relays joined on January 30 but were only removed from the network on July 4. It is now urging people who used the service during this time to ‘assume they were affected' and that they should upgrade to a more recent version of Tor to close the vulnerability of that particular protocol vulnerability.

Hidden service operators are also advised to change the location of their hidden service.

Some users will be reassured to learn that while attackers looked for users who fetched hidden service descriptors, it was ‘unlikely' that they would be able to see any-app level traffic, what pages were loaded and whether visitors actually visited the hidden service they looked up.

Intriguingly, the group believes that researchers at the Carnegie Mellon's Computer Emergency Response Team are behind the attack, as they were due to give a presentation on Tor's “fundamental flaws” at the Black Hat conference in Vegas prior to it being cancelled because of legal issues.

Lance Cottrell, founder and chief scientist of – an anonymising service preceding Tor, told in an email that ‘everyone hopes' that it was the researchers, as concerns will be raised on what hackers are doing with the data otherwise.

“Everyone hopes the folks running this were the researchers who just dropped out of BlackHat. If not them, then who knows why the attackers were doing it and what they might be doing with the data.”

But Tim Keanini, CTO at security vendor Lancope, suggested that the researcher route was unlikely.

“The talk from BlackHat that was pulled is operationally insignificant because all the folks actively working on ‘breaking' TOR are hard at work on their objective and conferences are not their thing,” Keanini said in an email to SC.

Cottrell continued: “This is just another vulnerability that allows hostile Tor node operators to compromise user anonymity. It's inevitable given the architecture - Tor attempts to improve user privacy by having a large number of volunteers running their servers, and sending traffic through chains of three servers so no one person need be trusted.

“Unfortunately anyone can set up servers, and well-funded attackers could set up large numbers of them. Using vulnerabilities in the Tor protocol and modified servers these attackers have and will continue to be able to unmask Tor users and hidden Tor services.

Cottrell said that the attack was a reasonable approach given attackers with a ‘large number of servers' are likely to control the first and last server, and believes that other vulnerabilities will be exploited.