Two Carnegie-Mellon-affiliated researchers, Alexander Volynkin and Michael McCord, had planned to give a talk at Black Hat USA 2014 about how to break Tor anonymity using a bargain basement kit that cost less than $3,000 (£1,780).
From the original description, before Carnegie-Mellon’s lawyers had the talk yanked from the lineup last week:
There is nothing to prevent you from using your resources to de-anonymize the network's users ... by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so.
Looking for the IP address of a Tor user? No problem. Trying to uncover the location of a hidden service? Done. We know because we tested it, in the wild...
For five months, attackers have assaulted the anonymising network and may have unmasked the people who run or visit hidden sites.
Tor developers don’t know how long the attack’s been under way, but they said that anybody who’s operated or accessed hidden services between early February and 4 July 2014 “should assume they were affected.”
What does “affected” mean? They’re not even sure.
They do know that the attack involved looking for users who fetched hidden service descriptors, but The Tor Project thinks it unlikely that the attackers were able to see application-level traffic.
In other words, the attackers probably couldn’t see what pages were loaded or even if users actually visited the sites they looked up.
The attackers also might have tried to figure out who was behind the hidden services and where they were located.
Tor developers don’t know how much data the attackers kept.
One thing they do know: given the way the attack was carried out – by modifying protocol headers – the attack’s repercussions include potentially helping other attackers, including cybercrooks or governments, to unmask users.
Were the Carnegie-Mellon researchers behind the attack?
They’re innocent until proved guilty, but that isn’t stopping Roger Dingledine, one of the network’s co-creators, from pointing the finger.
From his writing on the Tor Project’s blog:
We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how "relay early" cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to [the question of whether the researchers are behind the attack] is "yes".
Of course, there are plenty of other entities who’d love to crack Tor, including the governments of Russia – which on Monday offered a 3.9m roubles (£65,000, $110,000) bounty to anybody who breaks the service – and of the US, which, according to documents leaked by Edward Snowden, loathes Tor.
But suspicion rests squarely on the Carnegie-Mellon researchers.
Asked about it on Wednesday night, CMU spokesman Ken Walters told news outlets that the university isn’t commenting on the scientists’ work.
In his blog post Dingledine remarked that researchers who attack real users in a live setting, rather than testing ideas in a lab environment where they wouldn’t risk damaging the service or users’ anonymity, could be in a risky legal position:
It's probably unwise from a legal perspective for researchers to attack real users by modifying their traffic on one end and wiretapping it on the other.
He suggested that there are tools, such as Shadow – an open-source, discrete-event network simulator that runs real applications like Tor – that are “great for testing Tor research ideas out in the lab.”
The Tor Project is advising those Tor volunteers who run relays – i.e., routers or nodes that receive and pass along traffic on the Tor network – to upgrade to a recent Tor release (0.2.4.23 or 0.2.5.6-alpha), in order to close the hole that the attackers exploited.
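As an added illustration (not code from the original article or from the Tor Project), here is a defender-side check that reads a relay's `tor --version` output and reports whether it is at or past the releases named in the advisory. The version strings in the inventory are constructed for this example, and the check assumes that any release series newer than 0.2.5 also carries the fix.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed release per series, as named in the advisory quoted above:
# 0.2.4.23 for the stable series, 0.2.5.6-alpha for the alpha series.
MIN_FIXED: Dict[Tuple[int, int, int], Version] = {
    (0, 2, 4): (0, 2, 4, 23),
    (0, 2, 5): (0, 2, 5, 6),
}

# Matches the numeric part of lines such as "Tor version 0.2.5.6-alpha (git-...)."
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+))?")


def parse_tor_version(text: str) -> Optional[Version]:
    """Extract the four-part numeric version from `tor --version` output.

    The "-alpha"/"-rc" tag is not used for ordering: the advisory's target on
    the 0.2.5 series is itself an alpha (0.2.5.6-alpha).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4)))


def relay_is_patched(version_text: str) -> bool:
    """True if the relay runs a release at or after the advisory's fix."""
    v = parse_tor_version(version_text)
    if v is None:
        return False  # unparseable output: treat as not verified
    series = v[:3]
    if series in MIN_FIXED:
        return v >= MIN_FIXED[series]
    # Assumption: a series newer than both named ones is a later release that
    # includes the fix; anything older (e.g. 0.2.3.x) predates it.
    return series > (0, 2, 5)


def relays_needing_upgrade(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map relay nickname -> reported version for relays that still need upgrading."""
    return {name: ver for name, ver in inventory.items() if not relay_is_patched(ver)}


# Constructed sample inventory (relay nickname -> captured `tor --version` line).
SAMPLE_INVENTORY = {
    "relayA": "Tor version 0.2.4.23.",
    "relayB": "Tor version 0.2.4.22.",
    "relayC": "Tor version 0.2.5.6-alpha (git-deadbeef).",
    "relayD": "Tor version 0.2.5.5-alpha.",
    "relayE": "Tor version 0.2.3.25.",
}
```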
As far as end users go, Tor developers are working on a new release that should limit the damage from future, similar attacks.
In addition, hidden service operators should think about moving to a new location, they advised.