Tor Warns of Attack Attempting to Deanonymize Users

The Tor Project has disclosed details of an attack which appeared to be an attempt to deanonymize users of the popular anonymity network.

According to Tor Project Leader Roger Dingledine, the attack was detected on July 4 while the organization was trying to identify attacks leveraging a method discovered by researchers at Carnegie Mellon University’s CERT.

The researchers, Michael McCord and Alexander Volynkin, planned on detailing a way to break the anonymity network by exploiting fundamental flaws in its design and implementation at the upcoming Black Hat security conference, but their presentation was cancelled because their materials had not been approved for public release by the Software Engineering Institute at Carnegie Mellon University.

Dingledine believes that the attack they’ve detected could have been part of the experiments conducted by McCord and Volynkin. In fact, in the abstract of their presentation, which has been removed from the Black Hat website, the researchers claimed they had tested their method in the wild. Dingledine hopes that they were the ones conducting the attacks, but he’s not sure since the experts haven’t answered emails lately.

The Tor Project has been displeased with the fact that the researchers haven’t given them full access to the research. Dingledine says they’ve spent several months trying to get the information they needed to understand the flaws that expose Tor users.

The attack detected on July 4 was a combination of a traffic confirmation attack and a Sybil attack. The traffic confirmation attack involves controlling or monitoring relays (the nodes that receive traffic and then pass it along) in an effort to deanonymize users. The Sybil attack involved setting up roughly 115 new relays, which joined the network on January 30, but were only discovered on July 4. During the five-month period, these relays became entry guards for a large number of users, Dingledine said.

It’s uncertain when the attack started, but users who operated or accessed hidden services between early February and July 4 should assume they’re affected, Dingledine added.

“Unfortunately, it’s still unclear what ‘affected’ includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” the Tor Project leader wrote in a blog post.

“In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.”

The protocol vulnerability exploited in the attack was patched on Wednesday with the release of Tor 0.2.4.23 and 0.2.5.6-alpha. All relay operators are advised to update their installations.

“Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service,” Dingledine said.