The Tor network has millions of daily users who rely on it for anonymous access to resources on the open internet and within Tor itself. There have been various attacks on the anonymous aspect of Tor over the years, but a new proof of concept from researchers at MIT demonstrates what may be the simplest way yet to find out what people are accessing through Tor. Luckily, there’s also a fix Tor’s operators can implement.

Tor was originally an acronym for “the onion router,” which is an accurate description of how it’s structured. It offers anonymous access to online resources by passing user requests through multiple layers of encrypted connections. It all starts at the entry node, sometimes called the guard. That’s the only system that knows your real IP address; the next node in the chain knows only the entry node’s IP, the node after that knows only the previous node’s address, and so on until the request reaches its destination.

This scheme prevents anyone from knowing who is accessing what websites via Tor, and security is even stronger when it comes to hidden services that are hosted entirely within Tor. The now-defunct Silk Road and similar sites are examples of Tor hidden services. Breaking the encryption to unmask users of Tor is complicated and can’t be done reliably right now, but the MIT technique doesn’t require compromising encryption. Instead, it’s a very clever form of traffic fingerprinting.

The attack targets the previously mentioned entry nodes, as have several attacks in the past. Basically, the attacker sets up a computer on the Tor network as an entry node and waits for people to send requests through it. When a connection is established over Tor, a lot of data is sent back and forth. MIT researchers used machine learning algorithms to monitor that data and count the packets. Using only this metric, the system can determine with 99% accuracy what kind of resource the user is accessing (e.g. the open web, a hidden service, and so on).

Simply knowing what sort of connection a user is making isn’t particularly useful, but the algorithms can do a lot more with the traffic data. Traffic fingerprinting can be used to determine which hidden services a user is accessing with 88% accuracy based solely on the pattern of packets sent. Keep in mind that the encryption is still uncompromised in this scenario.

This is only possible because the attacker is running the entry node the victim is connected to. However, the entry node is selected randomly for each session. The attacker would need to run a lot of guard nodes to identify a significant number of connections, and it would be very hard to target a specific user.

The fix for this attack is actually pretty simple. The Tor network needs to start sending dummy packets that make all requests look the same. If there’s no discernible pattern to the data, the destination can’t be determined. Tor developers have acknowledged the issue and are considering ways to implement a fix.
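To make the two paragraphs above concrete (counting packets at the guard to tell circuit types apart, and dummy traffic as the fix), here is a toy model added to this article; it is not the MIT researchers’ code and uses constructed traces rather than real Tor data. A nearest-centroid classifier stands in for their machine learning model, and “web” and “hidden” circuit shapes are assumptions chosen only to illustrate the effect.

```python
"""Toy model of count-based circuit fingerprinting and padding as its mitigation.

Traces are constructed, not real Tor data. Each trace is a list of cell
directions: +1 for a cell sent by the client, -1 for a cell received.
"""
import random

random.seed(7)

def make_trace(kind):
    """Constructed traces: the 'web' shape sends few cells and receives many;
    the 'hidden' shape spends more cells on handshaking and receives fewer.
    These shapes are illustrative assumptions, not measured Tor behaviour."""
    if kind == "web":
        out, inc = random.randint(8, 14), random.randint(40, 70)
    else:
        out, inc = random.randint(20, 30), random.randint(15, 30)
    return [1] * out + [-1] * inc

def features(trace):
    """What a guard-position observer can count without decrypting anything."""
    return (trace.count(1), trace.count(-1))

def pad_trace(trace, budget=(40, 80)):
    """Mitigation: append dummy cells so every circuit shows identical counts."""
    out, inc = features(trace)
    return trace + [1] * (budget[0] - out) + [-1] * (budget[1] - inc)

def train_centroids(labelled):
    """Nearest-centroid classifier standing in for the researchers' ML model."""
    by_kind = {}
    for kind, trace in labelled:
        by_kind.setdefault(kind, []).append(features(trace))
    return {k: tuple(sum(c) / len(c) for c in zip(*fs)) for k, fs in by_kind.items()}

def classify(centroids, trace):
    f = features(trace)
    return min(centroids, key=lambda k: sum((a - b) ** 2 for a, b in zip(f, centroids[k])))

def accuracy(padded):
    """Fraction of test traces whose kind the observer guesses correctly."""
    kinds = ["web", "hidden"]
    prep = pad_trace if padded else (lambda t: t)
    train = [(k, prep(make_trace(k))) for k in kinds for _ in range(50)]
    test = [(k, prep(make_trace(k))) for k in kinds for _ in range(100)]
    centroids = train_centroids(train)
    return sum(classify(centroids, t) == k for k, t in test) / len(test)

if __name__ == "__main__":
    print(f"unpadded: {accuracy(False):.2f}  padded: {accuracy(True):.2f}")
```

Without padding the two shapes are separated perfectly; once every circuit is padded to the same budget the feature vectors are identical and the classifier falls to chance, which is exactly why dummy packets are the proposed fix.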