Discovered attacks to compromise TOR Network and De-Anonymize users

On July 4 2014 Tor Team discovered a group of malicious relays that they assume were trying to deanonymize Tor Network users with confirmation attack technique.

Tor network is an excellent technology to ensure users’ online anonymity, thanks to the Tor network users can hide online activities, staying far from the prying eyes of governments and law enforcement. Recently, members of the Tor project warned their users about the presence of a critical vulnerability that was probably being used to de-anonymize the identity of users within Tor network. A few weeks ago, researchers from Carnegie Mellon University’s computer emergency response team (Cert), Alexander Volynkin and Michael McCord, revealed that they are able to de-anonymize Tor users using a cheap equipment. Initially they planned to reveal their discovery during the next Black Hat Conference in August, but later they have announced that they will not participate in the conference. On July 30th, the website of the Tor project published a security advisory to reveal that early this month, on July 4th 2014, a group of relays suffered a cyber attack that was conducted probably to deanonymize users. The experts at Tor project noticed that bad actors were targeting relays to track users accessing Tor networks or access Tor hidden services.

“They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.”

The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of whole Tor network) were involved in the attack, the servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users. The malicious relays were running Tor version 50.7.0.0/16 or 204.45.0.0/16 and bad actors were using them trying to de-anonymize Tor users who visit and run so-called hidden services. The malicious relays joined the Tor network on January 30th 2014 and experts at Tor Project removed them from the network on July 4th 2014.

The members of Tor project team also advised hidden service operators to change the location of their hidden service.

“While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” Tor said.

When users access the Tor network with Tor software, their IP address is not visible and it appears to the Internet as the IP address of a Tor exit relay, which can be anywhere.

The members of the Tor project, explained that bad actors who conducted the confirmation attack were looking for users who fetched hidden service descriptors, this means that attackers were not able to see pages loaded by users neither whether users visited the hidden service they looked up.

“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.” states the security advisory.

In order to close the critical flaw Tor Project team is suggesting Tor Relay Operators to upgrade Tor software to a recent release, either 0.2.4.23 or 0.2.5.6-alpha. Tor project released a software update to prevent such attacks. It seems to be a bad period for Tor network, and more in general for anonymizing network, recently a serious flaw was discovered in Tails distribution, allowing attacker to reveal the users’ identity, while the Russian Government has recently announced a competition offering $111,000 to break Tor encryption.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

Security Affairs – (Tor networks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.