Monday, 03 October 2022

New TOR hack only needs traffic from one direction and is 95% accurate. No surprise there...


Gasp! There has been another published attack on the TOR Project. This time the attack and compromise technique comes from the gang at Princeton. The Princeton team claims that their new methods are around 95% successful and only require traffic in one direction. The information that they have presented is interesting and certainly could be used to grab information from users of the anonymous service, but it is not really new and not surprising to hear about.

To understand what we are talking about, we need to list the traffic-capture conditions under which the Princeton team says the attack works:

Monitoring traffic from the client to the entry relay, and catching TCP ACKs from the server to the exit relay;
Capturing TCP ACKs from a guard relay to a client, as well as data traffic from the exit relay to the server;
Capturing two sets of TCP ACKs: from the guard relay to the client, and from the server to the exit relay;
Monitoring data traffic from the client to the entry relay, and from the exit relay to the server.

So what does this mean? Well, it means that if someone can see the traffic leaving your system and connecting to the TOR network (whether to an ordinary entry relay or a guard relay) AND the traffic leaving the TOR network at the exit and going to the target web server, then they can unmask you. Note that in two of the four conditions the observer only needs the TCP ACKs on one leg, not the data itself, because the timing and volume of ACKs mirror the data they acknowledge. This is something that is already possible through a variety of means. I have witnessed unmasking done with less information than what the Princeton team had (little more than an IP and a time stamp on a web server).

TOR and other proxy services are not as secure as most people would like to believe. They are great if you want to mask your IP or you want a little more privacy than a regular connection to the internet affords, but the service itself is not going to stop a determined observer from finding out who you are. There are ways to set up additional measures to limit your exposure, but that is for another article.

Still, what the Princeton team shows is that there is a flaw in TOR that could allow for large-scale unmasking simply because of the way that ISPs track user information. The ability to track the applications that someone is using over the internet is very mature now, so the data is already out there. A well-funded attacker (NSA, FBI, etc.) could gather information on TOR users from an ISP to obtain the data needed for mass unmasking. By grabbing the data on connections entering and exiting the TOR network, they have everything they need without actually compromising the TOR network itself.

There are ways to mitigate this, including forcing the TOR client to select guard relays before any others and to prefer guards with the shortest AS path to the client, as well as expanding the subnets that relays advertise (moving to a /24 network, or 254 possible IPs). There are other steps, but these would involve ISPs changing the way they do business, and that is just not likely to happen.
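To make the AS-path mitigation concrete, here is a small added example (not code from the original post, and not the Tor Project's actual guard-selection logic): it ranks candidate guards by AS path length from the client, and then checks whether any AS sits on both the client-to-guard leg and the exit-to-server leg in either direction. Every ASN, relay name and route in it is constructed; the routing table uses private-use ASNs and deliberately includes an asymmetric route so that the guard with the shortest forward path is not the safest one.

```python
"""AS-aware guard ranking, toy model (added example; all ASNs, relays and routes are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ASPath = List[int]
RouteTable = Dict[Tuple[int, int], ASPath]  # (src_asn, dst_asn) -> forward AS-level path


@dataclass(frozen=True)
class Relay:
    nickname: str
    asn: int


# Constructed topology using private-use ASNs (64500+).
# guardB has the shortest forward path from the client, but its reverse path
# (guard -> client, the leg that carries TCP ACKs) crosses AS 64530, which also
# carries the exit -> server leg. That is exactly the one-direction case the
# Princeton conditions describe.
CLIENT_ASN = 64500
SERVER_ASN = 64700
GUARDS = [Relay("guardA", 64520), Relay("guardB", 64540), Relay("guardC", 64550)]
EXIT = Relay("exit1", 64600)

ROUTES: RouteTable = {
    (64500, 64520): [64500, 64510, 64520],
    (64520, 64500): [64520, 64510, 64500],
    (64500, 64540): [64500, 64540],
    (64540, 64500): [64540, 64530, 64500],          # asymmetric reverse path
    (64500, 64550): [64500, 64510, 64530, 64550],
    (64550, 64500): [64550, 64530, 64500],
    (64600, 64700): [64600, 64530, 64700],
    (64700, 64600): [64700, 64530, 64600],
}


def transit_ases(src: int, dst: int, routes: RouteTable) -> Set[int]:
    """ASes that see packets on the src<->dst leg in either direction.

    Both directions are included because internet routing is asymmetric and
    the attack only needs traffic (or just ACKs) from one of them."""
    fwd = routes.get((src, dst), [])
    rev = routes.get((dst, src), [])
    return set(fwd) | set(rev)


def forward_hops(src: int, dst: int, routes: RouteTable) -> int:
    """AS hop count on the forward path; unknown routes rank last."""
    path = routes.get((src, dst))
    return len(path) - 1 if path else 10**6


def rank_by_path_length(client_asn: int, guards: List[Relay], routes: RouteTable) -> List[Relay]:
    """Naive ranking: shortest forward AS path first (ties broken by nickname)."""
    return sorted(guards, key=lambda g: (forward_hops(client_asn, g.asn, routes), g.nickname))


def shared_observers(client_asn: int, guard: Relay, exit_relay: Relay,
                     server_asn: int, routes: RouteTable) -> Set[int]:
    """ASes positioned on BOTH the entry leg and the exit leg of the circuit."""
    entry_side = transit_ases(client_asn, guard.asn, routes)
    exit_side = transit_ases(exit_relay.asn, server_asn, routes)
    return entry_side & exit_side


def choose_guard(client_asn: int, guards: List[Relay], exit_relay: Relay,
                 server_asn: int, routes: RouteTable) -> Relay:
    """Prefer guards with no AS on both legs; among those, the shortest forward path.
    Falls back to plain path-length ranking if every candidate has an overlap."""
    safe = [g for g in guards
            if not shared_observers(client_asn, g, exit_relay, server_asn, routes)]
    pool = safe or guards
    return rank_by_path_length(client_asn, pool, routes)[0]


if __name__ == "__main__":
    print("by forward path length:", [g.nickname for g in rank_by_path_length(CLIENT_ASN, GUARDS, ROUTES)])
    for g in GUARDS:
        print(g.nickname, "shared observer ASes:", shared_observers(CLIENT_ASN, g, EXIT, SERVER_ASN, ROUTES))
    print("chosen guard:", choose_guard(CLIENT_ASN, GUARDS, EXIT, SERVER_ASN, ROUTES).nickname)
```

Ranking by forward path length alone picks guardB, yet guardB is the one whose reverse path hands AS 64530 a view of both ends of the circuit. Checking both directions of each leg before falling back to path length is the point of the example; a real client would need actual AS-level route data it does not have, which is why the article calls this a change on the ISP side rather than a client tweak.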

Stay safe out there.
