Tor attack may have unmasked dark net users By Leo Kelion

Technology desk editor Published duration 30 July 2014

image copyright Thinkstock image caption The ability to unmask Tor's users would undermine the reason people use the service

Developers of software used to access Tor - an otherwise hard-to-reach part of the internet - have disclosed that an attack on the network may have unmasked users for five months.

The Tor Project said that it believed the assault was designed to de-anonymise the net addresses of people operating or visiting hidden sites.

However, it said it was not sure exactly how users had been "affected".

The project added that it believed it had halted the attack on 4 July.

Tor allows people to visit webpages without being tracked and to publish sites whose contents does not show up in search engines.

The Tor Project said it believed that the infiltration had been carried out by two university researchers, who claimed at the start of July to have exploited "fundamental flaws" in Tor's design that allowed them to unmask the so-called dark net's users.

The two security experts, Alexander Volynkin and Michael McCord, had been due to give a talk at the Black Hat conference in Las Vegas next week. However, the presentation was cancelled at the insistence of lawyers working for their employer, Carnegie Mellon University.

image copyright Tor Project image caption The Tor Project offers web browser software that can access the hidden sites on the Tor network

"We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them... which is how we started looking for the attacks in the wild," wrote Roger Dingledine, one of the network's co-creators, on the Tor Project's blog

"They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to [whether they were responsible] is yes.

"In fact, we hope they were the ones doing the attacks, since otherwise it means somebody else was."

A spokesman from Carnegie Mellon University declined to comment.

Illegal activity

Tor attempts to hide a person's location and identity by sending data across the internet via a very circuitous route involving several "nodes" - which, in this context, means using volunteers' PCs and computer servers as connection points.

Encryption applied at each hop along this route makes it very hard to connect a person to any particular activity.

To the website that ultimately receives the request, it appears as if the data traffic comes from the last computer in the chain - known as an "exit relay" - rather than the person responsible.

image copyright EFF image caption Tor hides a user's identity by routing their traffic through a series of other computers

Tor's users include the military, law enforcement officers and journalists - who use it as a way of communicating with whistle-blowers - as well as members of the public who wish to keep their browser activity secret.

But it has also been associated with illegal activity, allowing people to visit sites offering illegal drugs for sale and access to child abuse images, which do not show up in normal search engine results and would not be available to those who did not know where to look.

Two-pronged attack

The Tor Project suggests the perpetrator compromised the network via a "traffic confirmation attack".

This involves the attacker controlling both the first part of the circuit of nodes involved - known as the "entry relay" - as well as the exit relay.

By matching the volumes and timings of the data sent at one end of the circuit to those received at the other end, it becomes possible to reveal the Tor user's identity because the computer used as an entry relay will have logged their internet protocol (IP) address.

The project believes the attacker used this to reveal hidden-site visitors by adding a signal to the data sent back from such sites that included the encoded name of the hidden service.

Because the sequence of nodes in a Tor network is random, the infiltrator would not be able to track every visit to a dark net site.

image caption Tor can be likened to an onion because of the many layers through which it sends data

Tor also has a way of protecting itself against such a danger: rather than use a single entry relay, the software involved uses a few relays chosen at random - what are known as "entry guards".

So, even if someone has control of a single entry and exit relay, they should only see a fraction of the user's traffic, making it hard to identify them.

However, the Tor Project believes the perpetrator countered this safeguard by using a second technique known as a "Sybil attack".

This involved adding about 115 subverted computer servers to Tor and ensuring they became used as entry guards. As a result, the servers accounted for more than 6% of the network's guard capacity.

image copyright Black Hat image caption Two researchers had planned to reveal a way to unmask Tor users at the Black Hat conference

This was still not enough to monitor every communication, but was potentially enough to link some users to specific hidden sites.

"We don't know how much data the attackers kept, and due to the way the attack was deployed, their... modifications might have aided other attackers in de-anonymising users too," warned Mr Dingledine.

Several government agencies are interested in having a way to unmask Tor's users.

Russia's interior ministry is currently offering a 3.9m roubles ($110,000; £65,000) prize to anyone who cracks such identities. It says it wants to protect the country's "defence and security".

A report by the German broadcaster ARD suggests US cyberspies working for the NSA have also made efforts to overcome Tor's system, despite the fact the Tor Project is partly funded by other US government departments.