Critical Vulnerability in Tor Puts Users' Anonymity at Risk
Critical vulnerability could make Tor, the anonymous network, less anonymous, say MIT and QCRI researchers
The Tor network, used by activists, journalists, and law enforcement officials, is famous for cloaking web surfers’ identities and locations. And, apparently, it contains a vulnerability that puts all of that protective anonymity at risk, according to researchers at MIT and the Qatar Computing Research Institute (QCRI).
An estimated 2.5 million people—including journalists, political activists, terrorists and even consumers who simply don’t want to share their browsing histories with Facebook or other commercial entities—use Tor daily. That is why the network is of keen interest not only to “repressive” regimes like Russia and Iran but to governments a lot closer to home, including our own. Not to put too fine a point on it, one person’s activist can be another person’s terrorist, but I digress.
Journalists and citizens living under repressive regimes depend on Tor Browser and the Tor network to surf the web anonymously. But in certain cases, an attacker who runs one of the network’s relays can figure out which dark web site a user is trying to access merely by passively watching the traffic that passes through that relay, and can even reveal the identity of servers hosting sites on the Tor network.
For users, this means that an attacker can see that you’re using Tor to visit WikiLeaks’ hidden service—perhaps you want advice on leaking a sensitive government document—and match it up with your IP address. For hidden service providers, this means that the server hosting WikiLeaks’ site would be revealed to the attacker.
Importantly, the attack doesn’t require decrypting any traffic, only observing it, and it requires control of just one kind of relay: an entry guard, the node where users enter the Tor network. An attacker could even set one of these nodes up herself.
When you use Tor, your connection gets encrypted and routed through three relays, which together form a path called a “circuit.” A circuit starts with an entry point called a “guard,” passes through a middle relay, and returns to the regular internet via an “exit” relay. The guard sees your IP address, and the exit sees where the traffic is going. (Connections to hidden services are built differently: they never leave the network through an exit, and that difference is what the attack below picks up on.)
Using a Tor-configured browser, the user enters her request, which is automatically swaddled in one encryption layer per relay and sent to the guard, a relay Tor chose for her at random and then keeps reusing for months. The guard peels off the outermost encryption layer and forwards the still-masked request to the middle relay, which peels off the next layer, until the request reaches the exit, which strips off the final layer to reveal the destination.
Only the guard knows the sender and only the exit knows the requested site; no single relay knows both.
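To make that division of knowledge concrete, here is an added toy model of the three-hop circuit just described. It is illustration code, not Tor’s: the relay names, the pre-shared per-hop keys, the JSON framing and the HMAC-SHA256 keystream “cipher” are all stand-ins (Tor negotiates a separate key with each relay through its own handshake and encrypts fixed-size cells with AES-CTR). What it shows is who learns what as each relay peels exactly one layer, and that a relay holding the wrong key cannot look any deeper.

```python
"""Toy onion routing: three encryption layers, one peeled per relay.

Added illustration, not Tor's code. Tor negotiates a separate key with each
relay through a telescoping handshake and encrypts fixed-size cells with
AES-CTR; here each relay's key is simply handed to the client up front, the
"cipher" is an HMAC-SHA256 keystream XOR, and layers are framed as JSON.
Good enough to show who learns what, not for real use.
"""
import hashlib
import hmac
import json
import os


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256(key, counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call adds and removes a layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def make_path():
    """Constructed circuit: (relay name, 32-byte key) for guard, middle, exit."""
    return [(name, os.urandom(32)) for name in ("guard", "middle", "exit")]


def build_onion(path, destination: str, payload: str) -> bytes:
    """Client side: wrap for the exit first, then middle, then guard,
    so the guard's layer ends up outermost."""
    # Innermost layer: only the exit learns the real destination and request.
    blob = json.dumps({"next": destination, "data": payload.encode().hex()}).encode()
    blob = xor_layer(path[-1][1], blob)
    for i in range(len(path) - 2, -1, -1):  # middle, then guard
        _, key = path[i]
        blob = json.dumps({"next": path[i + 1][0], "data": blob.hex()}).encode()
        blob = xor_layer(key, blob)
    return blob


def relay_peel(key: bytes, blob: bytes):
    """Relay side: strip one layer, returning (next hop, still-wrapped inner bytes)."""
    layer = json.loads(xor_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def can_peel(key: bytes, blob: bytes) -> bool:
    """True only if `key` belongs to the outermost remaining layer."""
    try:
        relay_peel(key, blob)
        return True
    except (ValueError, KeyError, TypeError):  # bad UTF-8, bad JSON, bad hex
        return False


def simulate(path, client_ip: str, destination: str, payload: str):
    """Pass the onion through each relay; record the two addresses each one sees."""
    observations = {}
    blob = build_onion(path, destination, payload)
    previous = client_ip
    for name, key in path:
        next_hop, inner = relay_peel(key, blob)
        observations[name] = {"from": previous, "to": next_hop}
        previous, blob = name, inner
    # After the exit strips its layer only the plaintext request is left.
    return observations, blob.decode()


if __name__ == "__main__":
    circuit = make_path()
    seen, request = simulate(circuit, "203.0.113.7", "example.org", "GET / HTTP/1.1")
    for relay, view in seen.items():
        print(f"{relay:<6} sees {view['from']} -> {view['to']}")
    print("exit delivers:", request)
```

Running it prints one line per relay: the guard sees the client address and “middle”, the middle sees “guard” and “exit”, and only the exit sees `example.org`. The guard is the interesting vantage point for the rest of this article precisely because it is the one relay that already knows the client’s IP address.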
The network also offers “hidden services,” which let, say, an activist aggregate sensitive news reports and make them available to select users rather than to the world at large. The archive is reachable only through Tor: it is neither searchable nor available on the public Internet.
Setting up and reaching those collection points requires building particular kinds of circuits, and those circuits gave the researchers their way to snoop on Tor. By connecting a large number of their own machines to the network and analyzing the traffic, they were able to identify likely guard machines.
Without controlling both the entry and exit points, however, an attacker should not be able to put two and two together to figure out who you are and where you’re going.
But controlling both an entry and an exit point is hard, which is why researchers from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) and Qatar University took an alternate approach. The group demonstrated a new vulnerability in which an attacker controlling an entry guard, and no exit node, can determine with 99 percent accuracy whether a user is accessing one of Tor’s hidden services (the sites that make up the dark web) rather than a regular clearnet site. Eighty-eight percent of the time the researchers were also able to identify which hidden service the user was trying to access (in tests against a fixed set of monitored services, as is usual for fingerprinting experiments).
The attack also goes both ways. Since the servers hosting hidden services reach the Tor network through an entry guard as well, the researchers could identify the real IP address of a hidden service’s host, also with 88 percent accuracy.
“In this case, the FBI, CIA, or other government organization could do a takedown on that site,” said Albert Kwon, one of the MIT researchers who devised the attack, in an interview. “The next thing you know, if this continues, all the sensitive websites could be taken down by some nation-state adversary.”
The attack, described in a paper the team will present at the 2015 USENIX Security Symposium this summer, does not require the attacker to decrypt any Tor traffic. Instead, it relies on passively monitoring network traffic. The researchers used a machine learning algorithm to analyze patterns in the traffic going through an attacker-controlled computer that the Tor network has selected to act as the guard for a particular connection.
The attack is known as a “circuit fingerprinting attack,” since the traffic going through a circuit displays characteristic patterns that can be used to deanonymize a client or server. After briefly reviewing the researchers’ paper, security researcher Nicholas Weaver said, “this does look to be a ‘real-deal’ attack capable of bulk deanonymization of those who use hidden services connected through a malicious entry node.”
That relays in the Tor network shouldn’t be trusted completely, and present a risk to users surfing the anonymous network, has been known for some time. Earlier this year, an independent security researcher known as “Chloe” found that attackers running exit nodes, the relays where traffic leaves for the clearnet, can intercept traffic and communications that are not encrypted end to end.
Thankfully, the MIT and Qatar University researchers propose some fixes that will make it more difficult for attackers to deanonymize Tor traffic using their attack. Dummy packets could be sent by computers using the network, for example, making it more difficult to establish a pattern.
The Tor Project has not yet responded to Motherboard’s request for comment. According to Kwon, a Tor Project developer told him that a fix would be worked into a future version of the Tor software.
In the end, the new vulnerability is a reminder that tools that promise security online, even powerful and well-respected ones like Tor, can’t keep your traffic totally anonymous. For now, at least. Because as long as people keep breaking these tools and telling everyone about it, they’ll keep getting better—hopefully.
UPDATE: The Tor Project has responded to Motherboard with the following comment via email:
“It’s is [sic] a known issue that hidden service circuits are noticeable in certain situations, but this attack is very difficult to execute. The countermeasures described in the paper are interesting since the authors claim that deploying some of them would neutralize their attack and better defend against hidden service circuit fingerprinting attacks in general.
This has yet to be proven. We are interested to see this article get officially published at Usenix Security where some Tor developers and privacy researchers will be attending. We need more concrete proof that these measures actually fix the issue.
We encourage peer-reviewed research into both attacks against and defenses of the Tor network.”
The researchers, including Albert Kwon, an MIT graduate student in electrical engineering and computer science, and Mashael AlSabah, assistant professor of computer science at Qatar University and a QCRI researcher, say the fix lies in obscuring the data traffic patterns to and from the guard machines in a way that renders such “traffic fingerprinting” ineffective.
If the network sends enough dummy packets that every circuit’s traffic looks alike to prying eyes, the fingerprint disappears. Whether the proposed padding achieves that in practice, at an acceptable cost in bandwidth and latency, is exactly what the Tor Project is asking to see proven.
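As an added sketch of both the attack and the padding countermeasure (not the researchers’ code or Tor’s), the following simulates what a guard sees on a circuit, namely the direction of each cell and nothing decrypted, trains a nearest-centroid classifier on three simple features of a circuit’s first ten cells, and then applies a padding scheme that forces every circuit’s opening cells into one fixed pattern. The two trace shapes, the feature set, the classifier and the padding template are constructed assumptions chosen to make the mechanism visible; the published attack learned from live traffic with a richer feature set, and its accuracy figures do not transfer to this toy.

```python
"""Circuit fingerprinting from a guard's vantage point, plus a padding defence.

Added example: not the researchers' or Tor's code. A trace is the sequence of
cell directions a guard observes on one circuit (+1 = from the client toward
the network, -1 = toward the client). The guard decrypts nothing; it only
counts cells and directions. The two trace shapes, the three features, the
classifier and the padding template are all constructed for illustration.
"""
import random

PREFIX = 10  # how many leading cells of a circuit the guard examines


def features(trace):
    """Three constructed features over the first PREFIX cells."""
    head = trace[:PREFIX]
    outgoing = sum(1 for d in head if d > 0)
    incoming = len(head) - outgoing
    switches = sum(1 for a, b in zip(head, head[1:]) if a != b)
    return (outgoing, incoming, switches)


def general_circuit(rng):
    """Constructed clearnet shape: one request out, a burst of data back."""
    trace = []
    for _ in range(rng.randint(2, 4)):
        trace += [+1] + [-1] * rng.randint(3, 8)
    return trace


def hidden_service_circuit(rng):
    """Constructed hidden-service shape: several small set-up round trips
    (standing in for the extra protocol steps before data flows), then a burst."""
    trace = []
    for _ in range(rng.randint(4, 6)):
        trace += [+1, -1]
    trace += [+1] + [-1] * rng.randint(3, 8)
    return trace


def make_dataset(seed, per_class):
    rng = random.Random(seed)  # seeded so runs are reproducible
    data = [(general_circuit(rng), "general") for _ in range(per_class)]
    data += [(hidden_service_circuit(rng), "hidden") for _ in range(per_class)]
    return data


def centroid(vectors):
    n = len(vectors)
    return tuple(sum(v[i] for v in vectors) / n for i in range(len(vectors[0])))


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def train(labelled):
    """Nearest-centroid model: one mean feature vector per label."""
    by_label = {}
    for trace, label in labelled:
        by_label.setdefault(label, []).append(features(trace))
    return {label: centroid(vs) for label, vs in by_label.items()}


def classify(model, trace):
    f = features(trace)
    # Labels in sorted order so an exact tie resolves deterministically (to
    # "general"); ties are precisely what a successful padding defence causes.
    return min(sorted(model), key=lambda label: dist2(f, model[label]))


def accuracy(model, data):
    hits = sum(1 for trace, label in data if classify(model, trace) == label)
    return hits / len(data)


TEMPLATE = [+1, -1] * (PREFIX // 2)  # fixed opening pattern forced on every circuit


def pad_to_template(trace):
    """Padding sketch: client and guard inject dummy cells so the first PREFIX
    cells of every circuit follow TEMPLATE; real cells that do not fit wait their
    turn. Only the prefix is normalised, so total volume and timing still leak."""
    padded, pending = [], list(trace)
    for want in TEMPLATE:
        if pending and pending[0] == want:
            padded.append(pending.pop(0))  # a real cell already fits the template
        else:
            padded.append(want)  # dummy cell in the required direction
    return padded + pending


def run_experiment(seed=2015, per_class=50):
    """Returns (accuracy without padding, accuracy with padding) on held-out traces."""
    train_set, test_set = make_dataset(seed, per_class), make_dataset(seed + 1, per_class)
    before = accuracy(train(train_set), test_set)
    padded_train = [(pad_to_template(t), lab) for t, lab in train_set]
    padded_test = [(pad_to_template(t), lab) for t, lab in test_set]
    after = accuracy(train(padded_train), padded_test)
    return before, after


if __name__ == "__main__":
    unpadded, padded = run_experiment()
    print(f"guard classifier accuracy: {unpadded:.2f} unpadded, {padded:.2f} padded")
```

On the constructed traces the classifier separates the two classes perfectly, and after padding it falls to coin-flip accuracy, because every circuit now presents the same three feature values. The caveat built into `pad_to_template` is the one the Tor Project raises: this only blinds the features the toy looks at, while circuit length and timing are untouched, so a defence has to be evaluated against the full feature set an attacker could use, not just the one a paper happens to measure.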