Tor warns users they may have been unmasked by a long-running campaign
The Tor service keeps users’ identity and location secret, but for the first five months of this year it was infiltrated by relays that altered traffic in a bid to identify users, according to a blog post from project leader Roger Dingledine. From circumstantial evidence, the Tor Project says the effort is likely to have come from researchers at Carnegie Mellon University, funded by the US government, whose paper on identifying Tor users was pulled from the Black Hat security conference earlier this month.
Tor is under attack from all sides: last week, the Russian government offered four million roubles for a way to eavesdrop on conversations on the anonymity network.
“On July 4 2014 we found a group of relays that we assume were trying to deanonymize users,” says Dingledine’s post. “They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.”
The Tor network is carried by thousands of relays, run on servers provided by volunteers. The suspect relays joined the network on 30 January and, after running stably for long enough, were given the flags that qualify a relay for “entry guard” and “hidden service directory” duties. Holding both positions let them mount a so-called “traffic confirmation” attack: the hidden service directory end of a circuit injected a signal by altering the protocol headers of cells it sent back toward the client, and a colluding entry guard, which can read those headers without decrypting anything, picked the signal up and paired it with the client’s IP address, revealing who was looking up which hidden service.
The attackers ran 115 relays, which together made up about 6.4 percent of the Tor network’s Guard capacity. Adding that many relays under separate identities at once is a “Sybil” attack: one operator gains a disproportionate share of the network, and of the positions the directory authorities hand out, by posing as many independent volunteers.
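The header-level signalling described above, written out as an added simulation (this is not Tor’s code, nor anything released by the researchers). It assumes a one-bit-per-cell encoding, a two-byte tag and an example client address; the real attack’s tag format was never published. The simulation shows the guard recovering the tag without touching the encrypted payload, and the client-side rule that defeats this particular signal: relay_early cells are only legitimate travelling outbound from the client, so one arriving inbound means the circuit is being tampered with and should be closed.

```python
"""Constructed simulation of a relay-early traffic confirmation signal.

Cell command values are the ones from the Tor protocol; everything else
(tag, encoding, addresses) is invented for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Command byte in the unencrypted cell header; every hop on a circuit can read it.
RELAY = 3
RELAY_EARLY = 9          # legitimately used only in the client-to-relay direction
CELL_PAYLOAD_LEN = 509


@dataclass(frozen=True)
class Cell:
    command: int         # cleartext header field, visible to every relay on the path
    inbound: bool        # True: travelling from the far end of the circuit toward the client
    payload: bytes       # onion-encrypted; a guard can neither read nor alter it


def hsdir_encode_tag(tag: bytes) -> List[Cell]:
    """Attacker-controlled hidden service directory: choose RELAY or RELAY_EARLY
    for each inbound cell so the command bytes spell out `tag`, MSB first,
    one bit per cell.  Payloads stay opaque; only the header is abused."""
    cells = []
    for byte in tag:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            cmd = RELAY_EARLY if bit else RELAY
            cells.append(Cell(cmd, True, b"\x00" * CELL_PAYLOAD_LEN))
    return cells


def guard_recover_tag(cells: List[Cell], tag_len: int) -> bytes:
    """Colluding entry guard: look only at the command bytes of the first
    8*tag_len inbound cells on the circuit and reassemble the tag."""
    inbound = [c for c in cells if c.inbound][: 8 * tag_len]
    out = bytearray()
    for i in range(0, len(inbound), 8):
        byte = 0
        for c in inbound[i:i + 8]:
            byte = (byte << 1) | (1 if c.command == RELAY_EARLY else 0)
        out.append(byte)
    return bytes(out)


def guard_confirm(client_ip: str, cells: List[Cell], tag_len: int) -> Tuple[str, str]:
    """Traffic confirmation: pair the client's IP, which the guard always knows,
    with the tag injected by the far end.  This pairing is the attacker's goal."""
    return client_ip, guard_recover_tag(cells, tag_len).hex()


def client_process(cells: List[Cell]) -> Tuple[int, bool]:
    """Client-side rule equivalent to the fix Tor shipped: an inbound RELAY_EARLY
    cell is never legitimate, so tear the circuit down on the first one.
    Returns (cells accepted before teardown, circuit_closed)."""
    for idx, c in enumerate(cells):
        if c.inbound and c.command == RELAY_EARLY:
            return idx, True          # would send DESTROY and stop using the circuit
    return len(cells), False


def legit_traffic(n_inbound: int) -> List[Cell]:
    """Normal circuit: the client's own EXTEND goes out as RELAY_EARLY (allowed),
    and everything coming back is plain RELAY."""
    outbound = [Cell(RELAY_EARLY, False, b"\x00" * CELL_PAYLOAD_LEN)]
    return outbound + [Cell(RELAY, True, b"\x00" * CELL_PAYLOAD_LEN)] * n_inbound


if __name__ == "__main__":
    tag = b"\xa5\x3c"                       # constructed two-byte tag
    tagged = hsdir_encode_tag(tag)
    print("guard log entry:", guard_confirm("198.51.100.7", tagged, len(tag)))
    print("client with fix :", client_process(tagged))
    print("legit circuit   :", client_process(legit_traffic(5)))
```

The point of `client_process` is that the check needs no knowledge of the attacker’s encoding; it relies only on the protocol invariant that relay_early never flows inbound. It closes this channel, not the class: an attacker who switches to a different header-visible signal (cell timing, counts) is not stopped by it.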
The finger of suspicion points at Carnegie Mellon researchers Alexander Volynkin and Michael McCord, who planned to give a talk at Black Hat explaining how to track Tor users cheaply, claiming they could “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months” using equipment worth just $3,000.
The talk was cancelled suddenly, with University spokespeople saying that the researchers did not have permission to publish the research, which was developed at the Software Engineering Institute (SEI) based at the University. SEI is funded by the US Department of Defense and runs the CERT Coordination Center (CERT/CC), which develops exercises, courses, and systems for the US Department of Homeland Security (DHS).
Before the talk was cancelled, Volynkin and McCord apparently dropped hints that set the Tor Project looking for suspicious relays, a search that eventually uncovered the scheme.
“We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how ‘relay early’ cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild,” said Dingledine.
But were the Carnegie-Mellon University researchers actually responsible? “They haven’t answered our emails lately, so we don’t know for sure, but it seems likely…” Dingledine said.