The Tor Project and security experts are concerned about the implications of the recent global law enforcement operation in which hundreds of hidden services running on the Tor anonymity network have been shut down.
Last week, law enforcement authorities in the United States and Europe announced the arrests of 17 individuals suspected of being vendors and administrators on illegal online marketplaces that rely on the Tor network to keep the identity of their users and operators hidden. One of the arrested people is Blake Benthall, believed to be the operator of Silk Road 2.0, a black market bazaar for money laundering and drugs.
According to Europol, 410 Tor hidden services were taken down. In addition, $1 million in Bitcoins, and €180,000 ($224,000) in cash, dugs, silver and gold were seized as part of the campaign dubbed Operation Onymous.
The operator of Doxbin, a site hosting personally identifiable information that was shut down as part of the Onymous campaign, reached out to the Tor Project in hopes that they can help him figure out what happened. Doxbin had been using German company Hetzner for hosting, but 129 of the seized hidden services had been hosted by a Bulgarian company, according to a statement from the Bulgarian State Agency for National Security.
Locating Tor hidden services
In a blog post published on Sunday, the Tor Project said it had not been contacted either directly or indirectly by Europol or the other law enforcement agency involved in the operation.
“Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?,” the Tor Project said.
For the time being, Tor says it doesn’t know how the hidden services were located by investigators, but hopes to get an answer when the 17 arrested suspects are prosecuted. One plausible scenario, according to representatives of the anonymity network, is that the operators of the hidden services shut down by authorities “failed to use adequate operational security.”
Another explanation could be that the targeted websites were plagued by vulnerabilities, such as SQL Injection. The Tor Project says this is a plausible scenario because many of the sites are “quickly-coded e-shops with a big attack surface.”
Researchers have demonstrated recently that it’s possible to deanonymize Bitcoin clients even if they use Tor. It’s possible that the seized services used Bitcoin clients and were located through such deanonymization attacks.
There is always the possibility that law enforcement attacked Tor itself. Researchers at Carnegie Mellon University’s CERT recently conducted some test attacks to demonstrate that they could deanonymize Tor users. While the flaw they uncovered was quickly fixed, the Tor Project believes researchers could have deanonymized some hidden services during their experiments.
“Another possible Tor attack vector could be the Guard Discovery attack. This attack doesn’t reveal the identity of the hidden service, but allows an attacker to discover the guard node of a specific hidden service,” the Tor Project explained. “The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service.”
Denial-of-service (DoS) attacks and the exploitation of remote code execution vulnerabilities in the Tor software are also a possibility.
The Tor Project has provided some advice to hidden service operators who are concerned, but the organization says it cannot make concrete recommendations without knowing exactly what happened.