
Tracking People on The Dark Web Can Be 'Trivial,' Researchers Claim

Researchers have found a new way to deanonymize users of the dark web.

Spies and hackers could bust dark web visitors with what a researcher calls a "trivial" attack—given the right circumstances.

In some cases, spy agencies, internet providers, or malicious hackers on a cafe's Wi-Fi connection might be able to easily unmask users connecting to websites hosted on the Tor network, such as illegal drug markets a la Silk Road, but also journalists' whistleblowing platforms and even Facebook, according to researchers Filippo Valsorda and George Tankersley.


These sites are also known as hidden services (or .onion sites), and their advantage is that both the user and the website remain anonymous—meaning the website doesn't know who's visiting it. This is supposed to give extra protection to visitors of sensitive, or sometimes criminal, websites.

To solve the challenge of connecting a user and a server while keeping them both anonymous, Tor uses "hidden service directories" or "HSDir." These are nodes in the Tor network that are, essentially, the "point of first contact" for the site and its users, Valsorda explained. Every day, an .onion site is assigned six HSDir nodes.

And therein lies the problem. As Valsorda and Tankersley found out, the formula that assigns HSDirs is predictable, and an attacker could exploit that to become the HSDir node for a website that it wants to target.

"tl;dr of our talk: there's an easy attack that allows (e.g.) your ISP to detect if you are visiting a certain .onion" (Filippo Valsorda, May 31, 2015)

"It's really easy to become the .onion HSDir," Valsorda told Motherboard over chat on Monday.

At that point, an attacker who has visibility into the whole network and has become the HSDir for a certain target site can correlate the time a user connects to it and the time he or she connects to the .onion site, effectively deanonymizing the user, the researchers explained in a talk at the Hack in The Box hacking conference in Amsterdam on Sunday.

This means that an "attacker will have an easier life deanonymizing [Tor users] when connecting to a Hidden Service than when connecting to a regular site via Tor," Valsorda said.

So onion sites that also have regular (.com) domains such as Facebook "are exposing their users to an increased risk of deanonymization by directing them to .onion instead of .com," Valsorda added.

The good news is that the two researchers said they weren't able to find any instance of this attack being carried out in real life, though they said they couldn't be certain it never happened. Either way, Valsorda said that this is an attack that could, in theory, be performed by spy agencies such as the NSA.

Tor is working on a fix to the issue, which will likely roll out in 2016, according to Valsorda, who claims to have talked to Tor engineers.

Kate Krauss, a spokeswoman for the Tor Project, said that this kind of attack "is hard to do without getting caught," and regardless, in the future, it won't be feasible.

"With next-generation hidden services, this attack will become nearly impossible," she told Motherboard in an email, adding that those new hidden services "have been designed but not yet built."

Valsorda and Tankersley also released a series of tools to detect suspicious HSDir nodes.

Their research proves, once again, that using Tor is not a guarantee of bullet-proof anonymity, and there are always ways for attackers to get around it.

This story has been updated to include comments from Kate Krauss.