Researchers Unveiled a New, Serious Vulnerability In Tor

An attacker can passively monitor traffic to reveal the identity of users and servers on the Tor network.

Jul 29 2015, 6:14pm


Journalists and citizens living under repressive regimes alike depend on the encrypted Tor browser to surf the web anonymously. But in certain cases, an attacker can figure out which dark web site a user is trying to access by passively monitoring Tor traffic, and even reveal the identity of servers hosting sites on the Tor network.

For users, this means that an attacker can see that you're using Tor to visit WikiLeaks' hidden service—perhaps you want advice on leaking a sensitive government document—and match it up with your IP address. For hidden service providers, this means that the server hosting WikiLeaks' site would be revealed to the attacker.

Importantly, the attack doesn't require the decryption of any traffic—only that it be monitored—and the exploit only requires control of a node where users enter the Tor network. An attacker could even set one of these nodes up herself.


When you use Tor, your connection gets encrypted and routed through three hops which form a path called a "circuit." A circuit starts with an entry point called a "guard," before going back into the regular internet via what are called "exit nodes." The guard sees your IP address, and the exit node sees where the traffic's going.

Without controlling both the entry and exit points, however, an attacker should not be able to put two and two together to figure out who you are and where you're going.

But controlling both an entry and an exit point is hard, which is why researchers from MIT's Computer Science and Artificial Intelligence Lab (CSAIL) and Qatar University have taken an alternate approach. The group demonstrated a new vulnerability in which an attacker controlling an entry guard can determine, with 99 percent accuracy, whether a user is accessing one of Tor's hidden services—the sites that make up the dark web—rather than a regular clearnet site, without controlling an exit node. In 88 percent of cases, the researchers were also able to identify which hidden service the user was trying to access.


The attack also works in the other direction. Since computers hosting hidden services also connect to the Tor network through an entry guard, the researchers could identify the real IP address of a server hosting a hidden service, again with 88 percent accuracy.

"In this case, the FBI, CIA, or other government organization could do a takedown on that site," said Albert Kwon in an interview, one of the MIT researchers who devised the attack. "The next thing you know, if this continues, all the sensitive websites could be taken down by some nation-state adversary."

The attack, described in a paper the team will present at the 2015 Usenix Security Symposium this summer, does not require the attacker to actually decrypt any Tor traffic. Instead, it relies on passively monitoring network traffic. The researchers used a machine learning algorithm to analyze patterns in the traffic going through a computer, controlled by an attacker, that has been randomly selected by the Tor network to act as a guard in a particular connection.


The attack is known as a "circuit fingerprinting attack," since the traffic going through a circuit displays unique patterns that can be used to deanonymize a client or server. After briefly reviewing the researchers' paper, security researcher Nicholas Weaver said, "this does look to be a 'real-deal' attack capable of bulk deanonymization of those who use hidden services connected through a malicious entry node."

It has been known for some time that computers in the Tor network can't be trusted completely and present a risk to users of the anonymity network. Earlier this year, an independent security researcher known as "Chloe" found that attackers running exit nodes—computers that serve as exit points to the clearnet—can intercept traffic and communications.

Thankfully, the MIT and Qatar University researchers propose some fixes that will make it more difficult for attackers to deanonymize Tor traffic using their attack. Dummy packets could be sent by computers using the network, for example, making it more difficult to establish a pattern.

The Tor Project has not yet responded to Motherboard's request for comment. According to Kwon, a Tor Project developer told him that a fix would be worked into a future version of the Tor software.

In the end, the new vulnerability is a reminder that tools that promise security online, even powerful and well-respected ones like Tor, can't keep your traffic totally anonymous. For now, at least. Because as long as people keep breaking these tools and telling everyone about it, they'll keep getting better—hopefully.

UPDATE: The Tor Project has responded to Motherboard with the following comment via email:

"It's is [sic] a known issue that hidden service circuits are noticeable in certain situations, but this attack is very difficult to execute. The countermeasures described in the paper are interesting since the authors claim that deploying some of them would neutralize their attack and better defend against hidden service circuit fingerprinting attacks in general.

This has yet to be proven. We are interested to see this article get officially published at Usenix Security where some Tor developers and privacy researchers will be attending. We need more concrete proof that these measures actually fix the issue.

We encourage peer-reviewed research into both attacks against and defenses of the Tor network.