DecryptedTech

Friday, 07 October 2022

TOR Project Warns Users of Attack that Attempted to Expose Users between January and July



Following on the heels of the removal of a talk about unmasking users of the TOR network, we are now hearing that someone has been attacking the anonymity service for the last 5-6 months in an attempt to find out who is using the service. The TOR Project has just warned its users about an attack that is trying to expose users.

The attack ran from January until it was stopped in July and is similar in nature to what would have been disclosed during a now canceled talk during Black Hat 2014. So far neither the TOR Project nor the security researchers at Carnegie-Mellon University have confirmed that it is the same attack or even related. It is possible that someone else discovered the same flaw that was to be the topic of the talk and decided to act on it.

It is also worth noting that Russia recently offered a reward for anyone that can reliably unmask users of the TOR network. The attack uses a group of relay servers that were modified inside the network. This allowed the attackers to modify the protocol headers so that they could confirm traffic. The relays were modified offline and then joined to the network at the end of January.

According to the TOR Project, the attack was focused on TOR’s hidden services (that can house some pretty shady stuff) in an attempt to see who accessed those services. Right now they are advising that anyone who operated or accessed hidden services between early February and July 4th (when they kicked the attacking nodes out) should assume they were affected. If that concerns you, then the last two paragraphs in the warning should make your skin crawl.

“Unfortunately, it's still unclear what "affected" includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up).
The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely.”

The TOR Project has released an update for their node and client packages to remove the flaw that allowed this type of attack to happen. We fully expect to hear about more attempts to breach the TOR network in the coming months simply because the issue of privacy and anonymity on the internet is becoming more and more prevalent. As people turn to services like TOR to escape the watching eyes of others, more attention will be paid to the service. It makes me wish that kaos.theory had finished (and made public) their SAMAEL (Secure, Anonymous, Megalomaniacal, Autonomous, Encrypting Linux) project...


Last modified on Wednesday, 30 July 2014 16:30
