Quantcast
A Researcher Used a Honeypot to Identify Malicious Tor Exit Nodes

A few exit nodes intercepted passwords and tried to reuse them.

Do you know who handles your internet traffic when you use Tor? And do you trust them?

The Tor network, used everyday by thousands of people around the world to surf the web anonymously and to circumvent internet censorship, depends on its volunteer "operators," the people who run and maintain the network's final set of servers, also called "exit nodes."

Whoever controls these exit nodes can potentially see the traffic coming out of the Tor network, and, if they want, spy on it. In an experiment dubbed BADONION, an independent security researcher that only goes by the pseudonym "Chloe" devised a clever way to find out who, among these operators, is maliciously sniffing and intercepting traffic.

"I always knew that you can't trust the exit nodes but I wanted to test how malicious they actually were," Chloe told Motherboard.

"I always knew that you can't trust the exit nodes but I wanted to test how malicious they actually were."

With her experiment, she found that, out of the 1,400 nodes she tested, seven intercepted traffic and stole passwords. Chloe said she wasn't surprised by the low number, "because Tor is mostly ran by good people," but she also said that this should serve as a cautionary tale to Tor users.

"You should never trust the exit node and use HTTPS," Chloe said in an email.

For her experiment, Chloe created a fake and tempting honeypot website, not protected by HTTPS web encryption, called Bitcoinbuy.

bitcoinbuy.png

She then wrote a script that automatically logged into the site using every Tor exit node she could reach during a month, assigning a unique password for every different exit node. The site was also designed to register every login attempt. If a unique password was used more than once, it meant the exit node operator stole it and used it to log into the site. (It's worth noting that it's possible that other nodes intercepted the traffic but didn't reuse the password.)

Her experiment proves once again that some Tor exit nodes are used to sniff traffic to steal data and credentials.

There have been famous cases of this, such as in 2007 when a Swedish researcher intercepted thousands of private email messages and dozens of passwords and usernames by monitoring traffic on his exit nodes. Even WikiLeaks started out by intercepting documents sent over Tor.

"An exit node can see traffic between itself and the destination. This is by design; it is unavoidable."

"An exit node can see traffic between itself and the destination. This is by design; it is unavoidable," Kijin Sung, a web developer, wrote in a Hacker News thread commenting the research. "The experiment shows that some exit nodes actually are recording that traffic and extracting login credentials from it. There's nothing surprising about it. It's what we've all been suspecting for a long time."

This research is a reminder that Tor is tool that makes you anonymous, not a tool that secures your connection. Also, this type of attack only works on websites that are not protected by HTTPS, the more secure TLS web protocol, which encrypts the connection between a user and a site.

A Tor Project spokesperson declined to comment specifically on this research, simply saying: "We strongly support ethical Tor research."

The Tor Project encourages researchers to flag and report bad relays, whether they are malicious, misconfigured or simply broken. The nonprofit also scans the network itself looking for bad relays.

"My overall goal is to make Tor a safer place for everyone."

Chloe said she's now working on new tools to scan for sniffing exit nodes, improving upon BADONION. One downside of the BADONION experiment, she said, is that it only detected malicious nodes that reused the password, not those that simply intercepted it and stored it away.

"My overall goal is to make Tor a safer place for everyone and this first published results shows that there are bad people in the network and more people need to be aware of this," Chloe said. "This issue can be fixed on both sides, the site owner should offer HTTPS for its users and Tor should work even harder to find these bad nodes."