Two Carnegie-Mellon-affiliated researchers, Alexander Volynkin and Michael McCord, had planned to give a talk at Black Hat USA 2014 about how to break Tor anonymity using a bargain-basement kit that cost less than $3,000 (£1,780).
From the original description, before Carnegie-Mellon’s lawyers had the talk yanked from the lineup last week:
There is nothing to prevent you from using your resources to de-anonymize the network's users ... by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so.
Looking for the IP address of a Tor user? No problem. Trying to uncover the location of a hidden service? Done. We know because we tested it, in the wild...
On Wednesday, The Tor Project confirmed in a security advisory that somebody, or several somebodies, has done just that.
For five months, attackers have assaulted the anonymising network and may have unmasked the people who run or visit hidden sites.
Tor developers don’t know how long the attack’s been under way, but they said that anybody who’s operated or accessed hidden services between early February and 4 July 2014 “should assume they were affected.”
What does “affected” mean? They’re not even sure.
They do know that the attack involved looking for users who fetched hidden service descriptors, but The Tor Project thinks it unlikely that the attackers were able to see application-level traffic.
In other words, the attackers probably couldn’t see what pages were loaded or even if users actually visited the sites they looked up.
The attackers also might have tried to figure out who was behind the hidden services and where they were located.
Tor developers don’t know how much data the attackers kept.
One thing they do know: because the attack worked by modifying protocol headers, it could also help other attackers, including cybercrooks or governments, to unmask users.
Were the Carnegie-Mellon researchers behind the attack?
They’re innocent until proved guilty, but that isn’t stopping Roger Dingledine, one of the network’s co-creators, from pointing the finger.
From his writing on the Tor Project’s blog:
We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how "relay early" cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to [the question of whether the researchers are behind the attack] is "yes".
Of course, there are plenty of other entities who’d love to crack Tor, including the governments of Russia – which on Monday offered a 3.9m-rouble (£65,000, $110,000) bounty to anybody who breaks the service – and of the US, which, according to documents leaked by Edward Snowden, loathes Tor.
But suspicion rests squarely on the Carnegie-Mellon researchers.
When asked about it on Wednesday night, CMU spokesman Ken Walters told news outlets that the university isn’t commenting on the scientists’ work.
In his blog post, Dingledine remarked that researchers who attack real users on the live network, rather than testing their ideas in a lab environment where they wouldn’t risk damaging the service or users’ anonymity, could be in a risky legal position:
It's probably unwise from a legal perspective for researchers to attack real users by modifying their traffic on one end and wiretapping it on the other.
He suggested that there are tools, such as Shadow – an open-source, discrete-event network simulator that runs real applications like Tor – that are “great for testing Tor research ideas out in the lab.”
The Tor Project is advising those Tor volunteers who run relays – i.e., routers or nodes that receive and pass along traffic on the Tor network – to upgrade to a recent Tor release (0.2.4.23 or 0.2.5.6-alpha), in order to close the hole that the attackers exploited.
As far as end users go, Tor developers are working on a new release that should limit the damage from future, similar attacks.
In addition, hidden service operators should think about moving to a new location, they advised.
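The upgrade advice above is the only concrete remediation step in the advisory, and on a fleet of relays it is easy to get wrong because Tor version strings carry a four-part number plus an optional "-alpha"/"-rc" tag, and the two fixed releases sit on different branches. The following is an added example (not code from the article or from the Tor Project) that parses Tor version strings and decides whether a relay is at or above the advised release for its branch. It assumes that any branch newer than 0.2.5 also carries the fix and that any branch older than 0.2.4 does not, and it treats an unparseable version as unpatched; the relay list at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Releases the Tor Project advised relay operators to upgrade to (from the
# advisory the article quotes).
FIXED_RELEASES = ("0.2.4.23", "0.2.5.6-alpha")


class TorVersion(NamedTuple):
    numbers: Tuple[int, int, int, int]  # (major, minor, micro, patchlevel)
    tag: str                            # "" for stable, else "alpha", "rc", ...


# Four dotted integers followed by an optional "-tag"; anything after that
# (e.g. build info such as " (git-...)") is ignored.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+))?")


def parse_tor_version(text: str) -> Optional[TorVersion]:
    """Find a Tor version such as '0.2.5.6-alpha' inside text.

    Assumption: the version may be embedded in a longer string such as
    'Tor version 0.2.4.23.' Returns None if no version is found.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    numbers = tuple(int(x) for x in m.groups()[:4])
    return TorVersion(numbers, (m.group(5) or "").lower())  # type: ignore[arg-type]


def is_patched(version_text: str, fixed=FIXED_RELEASES) -> bool:
    """True if the relay runs the advised release (or later) for its branch."""
    v = parse_tor_version(version_text)
    if v is None:
        return False  # unparseable: treat as unpatched, not as safe

    # Map each branch (major, minor, micro) to its first fixed patchlevel.
    by_branch: Dict[Tuple[int, int, int], Tuple[int, int, int, int]] = {}
    for release in fixed:
        fv = parse_tor_version(release)
        assert fv is not None
        by_branch[fv.numbers[:3]] = fv.numbers

    branch = v.numbers[:3]
    if branch in by_branch:
        # Same branch: compare the full four-part number. The alpha/rc tag is
        # irrelevant here because 0.2.5.6-alpha itself is the fixed release.
        return v.numbers >= by_branch[branch]

    # Assumption: branches newer than the newest advised release contain the
    # fix; older branches (e.g. 0.2.3.x) do not.
    return branch > max(by_branch)


def audit_relays(relays: Dict[str, str]) -> List[str]:
    """Return the nicknames of relays that still need to upgrade, sorted."""
    return sorted(name for name, ver in relays.items() if not is_patched(ver))


# Constructed sample inventory: nickname -> reported version string.
SAMPLE_RELAYS = {
    "relayA": "0.2.4.22",
    "relayB": "0.2.4.23",
    "relayC": "0.2.5.5-alpha",
    "relayD": "Tor version 0.2.5.6-alpha.",
    "relayE": "0.2.3.25",
}

if __name__ == "__main__":
    for name in audit_relays(SAMPLE_RELAYS):
        print(f"{name}: running {SAMPLE_RELAYS[name]!r}, upgrade required")
```

The branch-aware comparison matters because a naive "newer string wins" check would wrongly pass 0.2.5.5-alpha (it sorts after 0.2.4.23 but predates the fix on its own branch) and would wrongly fail 0.2.4.23 against 0.2.5.6-alpha.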
4 comments on “Tor attack may have unmasked anonymous users”
Lisa, sorry to bumble across this so late, but I have to ask: What are ‘hidden services’?
It’s kinda kinky… Or nazzty… Or icky…
Or all of the above…
Hidden services are the things you can ‘do’ on the Tor network. In much the same way that the internet is host to a variety of services (the web, email, IRC and indeed Tor), the Tor network is host to a variety of services.
Unlike on the public internet, a user can connect to a hidden service without either party knowing the other’s network location.
So there is nothing implicitly wrong with, or nasty about, hidden services but since you can’t discover where they are on the network they are clearly of interest to people who want to go undetected. That could include everyone from child pornographers to advocates for women’s rights in Saudi Arabia. Tor was actually developed by the US Navy.
The CM researchers are criminals. That information should have been shared with the Tor developers directly and never made public. If that is exactly what they did, however, I retract my statement.
Tor’s mission is to provide nearly complete anonymity to its users, especially those under political censorship, and breaking that trust should be considered a crime against Internet freedom.
It’s hardly a [realistic] “vulnerability.” It only works in small settings, not the real world. They can’t replicate the results on a global scale, let alone 80% of Tor’s users.