The online privacy tool Tor yesterday announced that it was recently hit by an attack aimed at deanonymizing users.
The attack, according to Tor co-founder Roger Dingledine, involved modifying Tor protocol headers to execute traffic confirmation attacks. “The attacking relays joined the network on January 30, 2014, and we removed them from the network on July 4,” Dingledine wrote in a blog post announcing the breach.
“While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” Dingledine added.
It’s not clear at this point exactly what the attackers were able to see.
“We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up),” Dingledine wrote. “The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service.”
Researchers at Carnegie Mellon University recently canceled a planned talk called “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” at the upcoming Black Hat conference in Las Vegas.
In his blog post, Dingledine noted, “We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how ‘relay early’ cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild.”
“In fact, we hope they were the ones doing the attacks, since otherwise it means somebody else was,” Dingledine added.
Josh Cannell, senior researcher at Malwarebytes Labs, said by email that while the Tor network is both resilient and successful at providing online privacy, it isn’t perfect.
“It’s important to remember that Tor protects against traffic analysis, but does not protect against traffic confirmation attacks, or endpoint correlation; the folks at Tor have even stated that traffic confirmation remains an ‘open research problem,'” Cannell said. “Tor first released a blog [post] about traffic confirmation attacks in 2009, and it is has been a reoccurring problem since then.”
“The mentioned protocol vulnerability has recently been patched with the latest Tor release,” Cannell noted. “Current Tor users need to upgrade to this version to continue protecting their privacy while using Tor.”