A group of around 115 relays that operated for the first half of this year on the Tor anonymizing network, was probably trying to de-anonymize Tor users who visit and run so-called hidden services, the project warned on Wednesday.
This could well be the attack that was the subject of a recently cancelled talk, originally scheduled for the upcoming Black Hat USA conference, although that’s not certain yet.
Those running Tor relays are being urged to upgrade to a recent release, either 0.2.4.23 or 0.2.5.6-alpha, in order to close the relevant vulnerability in the Tor software. Tor also says that those running hidden services through its network should consider changing up the locations from which the services are run.
However, the Tor team warned that this kind of “traffic confirmation” or “tagging” attack remains “an open research problem.” Indeed, variants on this theme have been revealed before. Such attacks involve controlling or observing multiple relays and then doing the math on what passes through, in an attempt to confirm a hypothesis that the entity on one end is trying to communicate with the entity on the other end.
Prying into the Deep Web
Tor works by bouncing users’ traffic around a network of relays, making it very difficult for an outside observer – whether that be an ISP or a spy agency — to tell where traffic is coming from or ultimately going to. In a security advisory on Wednesday, Tor said the attacking relays joined the network on January 30 and were kicked off on July 4.
“While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” the advisory read. “Unfortunately, it’s still unclear what ‘affected’ includes.”
According to the team, the attackers seemed to be trying to identify who was using and running certain hidden services.
One of Tor’s key features is that it makes it possible to have online services that are invisible to anyone except those who know where to look – such “.onion” services are sometimes said to comprise the Deep Web. In order to help users find them, the services use so-called “hidden service descriptors” that are cryptographically signed and findable by those who know which .onion address to visit.
The Tor attackers were looking for those who fetched these hidden service descriptors, and “probably” also those who published them. However, “the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up).”
“In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely,” the advisory added.
Even though the advisory points out that the attack effectively weakened Tor anonymity against other attackers too, putting users at risk, it also expressed a degree of grudging respect:
“This protocol header signal injection attack is actually pretty neat from a research perspective, in that it’s a bit different from previous tagging attacks which targeted the application-level payload. Previous tagging attacks modified the payload at the entry guard, and then looked for a modified payload at the exit relay (which can see the decrypted payload). Those attacks don’t work in the other direction (from the exit relay back towards the client), because the payload is still encrypted at the entry guard. But because this new approach modifies (“tags”) the cell headers rather than the payload, every relay in the path can see the tag.”
Apart from the traffic confirmation attack, this also involved a so-called “Sybil” attack – in other words, setting up a bunch of dodgy relays that pretend to be part of the happy Tor family. This, like confirmation attacks, is a long-running problem that needs to be resolved.
As the advisory noted, solving this problem will involve growing the Tor network so that malicious relays constitute a smaller and therefore less dangerous proportion, as well as finding new ways to identify such relays.
Was this attack the subject of that cancelled talk? The advisory suggested that it was, but not for sure. “In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was,” the team noted.