Volume 9, Issue 8

Understanding the implications of Tor’s latest hack

13 August 2014
By Danny Bradbury
Many governments are interested in understanding Tor

Researchers at Carnegie Mellon University are believed to have knowledge on the anonymous Tor network

The security world got itself worked up in late July about an attack on the Tor network. The exploit, which ran from January to July, enabled the attackers to identify users looking for hidden services on Tor. Hidden services are typically web sites operated anonymously using Tor.

More interesting than the attack itself was the cancellation of a talk at the Black Hat security conference about Tor vulnerabilities. Tor’s organizers think that the researchers giving the talk were the same people that launched the assault on the network.

The attackers used a traffic confirmation attack, designed to overcome Tor’s anonymity measures. To understand that, we need to know how Tor works.

The network uses computers called relays to pass information along. Anyone can create a relay and join it to the network, and the more there are, the more efficient the network is. It’s possible for attackers to create their own relays, but each relay only knows which relay it is receiving from and sending to. That keeps the identity of the user from the relay, which stops an attacker asking their own relay for a user’s identity.

Traffic confirmation is designed to circumvent that. It analyses traffic at different relays, using various techniques to correlate it and prove that it’s part of the same communication session. At least one relay is on the edge of the network, talking to a user on the open Internet, which enables the attacker to link the communication session to that user. These techniques include looking at the timing of the packets, and tagging the information in some way.

This attacker used approximately 6 per cent of the nodes on the network, which gave it a significant opportunity to identify people accessing and using hidden services on the network. It used relays to tag specific parts of the information stream, which enabled it to identify which hidden services a user may be accessing.

It’s a sophisticated attack, but the underlying concepts aren’t new, according to Roger Dingledine, one of the creators of Tor. In his description of the attack, he highlights theoretical attacks going back as far as 2009, and argues: “traffic confirmation attacks aren’t new or surprising, but the bad news is that they still work.”

But the talk by researchers at Carnegie Mellon University, likely to be the same researchers that discovered this attack, seemed pretty impressive. Scheduled for the Black Hat conference, it promised to show how to identify users without using major financial resources. They promised the ability to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services”. And you could do it for under $3,000, they promised.

Is this truly possible? We may never know, as the talk was cancelled, in what looks increasingly like a gag order from the intelligence community. CMU officials denied that the DHS (a key CMU funder) gagged the researchers. However, National Security Letters expressly prohibit disclosure of the gag order in the first place. If CMU’s professors or attorneys had been served with a letter and wanted to talk about it, they couldn’t.

Government interest in cracking Tor is well known. There have been previous attempts by governments and government-sponsored researchers to crack Tor. The NSA documents released by Edward Snowden showed how it identified Tor users. It fingerprinted a software bundle commonly used to access the network. The bundle includes a specific version of Firefox, for which the NSA found a native exploit.

The agency delivered this malware using drive-by downloads (malware used by a web site to compromise users when they visit it), which then gave it access to the user’s machine, and thus to the Tor communication sessions that it was hiding. It has been used in the wild before.

The US government isn’t the only one interested in Tor. The Russian government has put out a tender offering to pay for the ability to identify Tor users.

The holy grail for intelligence agencies is to identify whichever users they like, whenever they like. Internal documents from the NSA show it admitting that this is pretty much impossible. But it doesn’t stop it - and other governments - from trying.

How far will it get? It’s difficult to know, without being allowed access to university research. However, the researchers now seem to be gagged. Dingledine and his colleagues have questions for them, but the researchers have stopped answering emails, and CMU isn’t talking either. “We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks,” wrote Dingledine. At least this time, he’ll be disappointed.
