The Onion Router, colloquially known as Tor, is a popular way of connecting to the internet for those who want to hide their identity online. It's commonly used by activists in repressive regimes, whistleblowers and people who are simply tired of having their every online move monitored, so it's a bad day when the project that oversees Tor reveals that the network has been attacked and users' real IP addresses linked to their online activity, again.
In September last year, the FBI acknowledged that it had deployed an exploit against the Tor Browser Bundle (a browser bug, not a flaw in the Tor network itself) to identify visitors to sites run by Freedom Hosting, as part of its case against the hosting service's operator, Eric Eoin Marques, over a massive child pornography operation.
But yesterday, Tor's developers posted a blog entry revealing that the network had been under attack since late January this year, and that the attack was only discovered in June. Engineers found a group of relays that they assume were trying to deanonymise users who operate or access Tor's hidden services. Technically, the attacking relays abused Tor protocol headers to carry out a traffic confirmation attack: a malicious hidden service directory tagged circuits with a signal encoded in the pattern of 'relay' and 'relay early' cell commands, and a malicious entry guard on the same circuit, which already knows the user's IP address, read that signal back.
Tor works by bouncing traffic through several relays before it reaches its destination on the internet at large. If you're a Tor user, the site you're visiting sees only the IP address of the exit relay, and tracing a request back through the network to the originating computer was thought to be virtually impossible; hidden services go a step further, since neither side learns the other's IP address. The attacking relays did not break Tor's encryption. Because the same operator controlled both relays that handle hidden service lookups and a set of entry guards, they could mark a circuit at one end and recognise the mark at the other, linking the lookup to the user's IP address without decrypting anything.
"The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4th," the Tor team writes. "While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected."
The bigger question for Tor's developers is not how the attack happened but what the attackers were after, since they still don't know the extent of the information gathered as a result.
“Unfortunately, it’s still unclear what ‘affected’ includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service.”
Tor has taken a number of short-term measures: the attacking relays have been removed from the network, and a software update for relays has been released that closes the particular protocol weakness the attackers used.
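To make the attack described above and the relay-side fix concrete, here is a small simulation. It is an added example written for this article, not code from the Tor Project, and it models only the side channel: a malicious hidden service directory encodes a message into the sequence of 'relay' versus 'relay early' cell commands on cells it sends back toward the client, and a malicious entry guard reads that sequence off the circuit. The one-bit-per-cell encoding, the cell structure and the onion address are assumptions for illustration (the real relays' exact encoding is not given on the page). The fix modelled in `GuardRelay` follows the advisory's logic: 'relay early' cells are only ever legitimately sent by the client outward, so a relay that receives one travelling inbound tears the circuit down instead of forwarding it.

```python
"""Toy model of the 2014 'relay early' traffic-confirmation side channel.

Added example, not Tor Project code. The bit-per-cell encoding, the Cell
type and the sample onion address are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RELAY = "RELAY"
RELAY_EARLY = "RELAY_EARLY"


@dataclass
class Cell:
    command: str    # cell command: the one header field every hop sees in clear
    direction: str  # "inbound" = toward the client, "outbound" = toward the service


def encode_signal(message: str) -> list[Cell]:
    """Malicious HSDir: hide `message` in the command pattern of inbound cells.

    Payloads stay end-to-end encrypted; only the command is used as a channel.
    Assumed encoding: one bit per cell, RELAY_EARLY = 1, RELAY = 0, MSB first.
    """
    cells = []
    for byte in message.encode("ascii"):
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            cells.append(Cell(RELAY_EARLY if bit else RELAY, "inbound"))
    return cells


def decode_signal(cells: list[Cell]) -> str:
    """Malicious guard: rebuild the message from the commands it forwarded."""
    bits = [1 if c.command == RELAY_EARLY else 0
            for c in cells if c.direction == "inbound"]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return out.decode("ascii", errors="replace")


@dataclass
class GuardRelay:
    """Entry guard. It knows the client's IP; with the fix it refuses inbound RELAY_EARLY."""
    enforce_fix: bool
    client_ip: str = "203.0.113.7"          # constructed sample address
    circuit_open: bool = True
    forwarded: list[Cell] = field(default_factory=list)

    def forward(self, cell: Cell) -> bool:
        """Return True if the cell was forwarded, False if dropped / circuit torn down."""
        if not self.circuit_open:
            return False
        if self.enforce_fix and cell.direction == "inbound" and cell.command == RELAY_EARLY:
            # RELAY_EARLY is only legitimate outbound (client -> service), so an
            # inbound one is a protocol violation: tear the circuit down.
            self.circuit_open = False
            return False
        self.forwarded.append(cell)
        return True


def run_attack(onion_address: str, patched: bool) -> tuple[str, bool, str]:
    """Simulate one hidden-service lookup through a guard the attacker controls.

    Returns (what the guard could decode, whether the circuit survived, client IP).
    """
    guard = GuardRelay(enforce_fix=patched)
    for cell in encode_signal(onion_address):
        guard.forward(cell)
    return decode_signal(guard.forwarded), guard.circuit_open, guard.client_ip


if __name__ == "__main__":
    for patched in (False, True):
        leaked, alive, ip = run_attack("example.onion", patched=patched)
        print(f"patched={patched}: leaked={leaked!r} circuit_open={alive} client={ip}")
```

On an unpatched guard the full address comes out paired with the client's IP, which is exactly the link Tor is meant to prevent; on a patched guard the first inbound RELAY_EARLY kills the circuit before a single byte of the signal completes. Note what the fix does not do: it closes this one signalling channel, not traffic confirmation in general, which is why the advisory still told affected hidden service operators and users to assume they were exposed.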
The timing of the attack announcement is suspect, as researchers from the CERT division of the Software Engineering Institute (SEI) at Carnegie Mellon University were due to give a talk and demonstration on deanonymising Tor at this year's Black Hat USA conference, but the talk was cancelled last week without explanation. For this reason, the Tor blog says, it suspects (and hopes) that the attacks detected were part of that research, and not placed there for some darker purpose.
And that is one of the burning questions Tor wants answered. "Was this the Black Hat 2014 talk that got canceled recently?" it posted in the blog entry under the headline 'Open Questions'.
"We don't know for sure, but it seems likely that the answer is 'yes'. In fact, we hope they [the researchers] *were* the ones doing the attacks, since otherwise it means somebody else was."