Yesterday, Tor issued a security advisory revealing that on July 4th the project had discovered a group of relays that looked like they "were trying to deanonymize users."
The advisory states that the attack "involved modifying Tor protocol headers to do traffic confirmation attacks", and that the relays had joined the network on January 30th. They were therefore potentially deanonymizing users from January 30th until July 4th, when they were finally removed.
A Tor spokesperson says the project knows the attack "looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic", so the attackers should not have learned which pages were visited, or even whether a hidden service whose descriptor was looked up was actually visited at all. The advisory goes on to warn that the attackers probably also tried to learn "who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service."
No evidence was found that the attackers were operating any exit relays, so the chance of users on ordinary (non-hidden-service) Tor circuits having been linked to their destinations remains remote. For full technical details of the attack methodology, see the advisory, which goes into this at some length.
The following steps have been taken to remediate the damage in the short term:
- Attacking relays removed from the Tor network
- A software update has gone out for relays that blocks this misuse of 'relay early' cells
- A new Tor version warns in its logs if a relay on your path injects any 'relay early' cells
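To make the mechanism concrete, the following is a constructed simulation of a cell-type covert channel of the kind described above, together with the two fixes just listed. It is an example added for this article, not code from the advisory or from the Tor project. The one-bit-per-cell encoding, the circuit-closing behaviour of the patched relay, the function names and the sample .onion address and client IP are all assumptions; the only values taken from the real protocol are the RELAY (3) and RELAY_EARLY (9) cell command numbers.

```python
"""Constructed simulation of a cell-type covert channel like the one
behind the 2014 'relay early' traffic confirmation attack, plus the two
fixes the article lists. Added example for this article; not Tor code.
The encoding, relay behaviour and sample values are assumptions."""

# Real Tor link-protocol command numbers for the two cell types involved.
CELL_RELAY = 3
CELL_RELAY_EARLY = 9

INBOUND = "inbound"    # HSDir -> middle -> guard -> client (toward the origin)
OUTBOUND = "outbound"  # client -> guard -> middle -> HSDir


def encode_signal(onion_name: str) -> list:
    """Attacker-controlled HSDir: turn the .onion name a client just asked
    for into a pattern of cells sent back toward that client.
    Assumed encoding: one bit per cell, RELAY_EARLY = 1, RELAY = 0."""
    cells = []
    for byte in onion_name.encode("ascii"):
        for shift in range(7, -1, -1):           # MSB first
            bit = (byte >> shift) & 1
            cells.append(CELL_RELAY_EARLY if bit else CELL_RELAY)
    return cells


def decode_signal(cells: list) -> str:
    """Colluding guard: read the bit pattern back out of the cell types it
    saw on a circuit. The guard already knows the client's IP address."""
    bits = [1 if c == CELL_RELAY_EARLY else 0 for c in cells]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return out.decode("ascii", errors="replace")


def relay_forward(cells: list, direction: str, patched: bool):
    """An honest middle relay between HSDir and guard.
    Unpatched: forwards RELAY_EARLY in either direction.
    Patched (assumed behaviour of the fixed release): an inbound
    RELAY_EARLY has no legitimate use, so it is refused, logged, and the
    circuit is torn down, which cuts the signal off mid-stream."""
    forwarded, warnings = [], []
    for cmd in cells:
        if patched and direction == INBOUND and cmd == CELL_RELAY_EARLY:
            warnings.append("inbound RELAY_EARLY cell refused; closing circuit")
            break
        forwarded.append(cmd)
    return forwarded, warnings


def client_receive(cells: list) -> list:
    """New client version: log a warning if any relay on the path injected
    RELAY_EARLY cells toward us. This detects the attack; it does not stop
    the guard from having seen the pattern."""
    n = sum(1 for c in cells if c == CELL_RELAY_EARLY)
    return [f"{n} RELAY_EARLY cell(s) injected by a relay on your path"] if n else []


def simulate(onion_name: str, client_ip: str, relays_patched: bool) -> dict:
    """One descriptor fetch over a circuit whose guard and HSDir are both
    attacker-controlled, with an honest middle relay in between."""
    signal = encode_signal(onion_name)                      # HSDir side
    reached_guard, relay_warnings = relay_forward(signal, INBOUND, relays_patched)
    guard_view = {"client_ip": client_ip,                   # seen directly
                  "guessed_onion": decode_signal(reached_guard)}
    client_warnings = client_receive(reached_guard)         # guard passes on
    return {"guard_view": guard_view,
            "relay_warnings": relay_warnings,
            "client_warnings": client_warnings}


if __name__ == "__main__":
    ONION = "abcdefghijklmnop.onion"   # constructed sample, not a real service
    for patched in (False, True):
        r = simulate(ONION, "203.0.113.5", patched)
        print("patched relays:", patched, "->", r)
```

Running it with unpatched relays shows why the attack needed two positions in the network: the HSDir learns which service was requested, the guard learns who requested it, and the cell-type pattern carries the first piece of information to the second. With patched relays the first inbound RELAY_EARLY cell closes the circuit before the guard can read more than a fragment, and nothing ever reaches the client. The client-side warning only fires when the signal actually gets through, so it is a detection measure for users whose path still contains unpatched relays, not a defence in itself.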
Meanwhile, Amichai Shulman, CTO at security firm Imperva, says "sadly the ideal of having a distributed, crowd based network for protecting free speech is largely abused by pirates (software and content) as well as evil-doers – from child pornography to drug trafficking and terrorism. This in turn makes the TOR network a target for all intelligence agencies as well as some domestic security organizations. I suspect the reported attack, targeted mostly at people who operate and access TOR hidden services, is of that origin."
Craig Young, a security researcher at Tripwire, takes a slightly different view, saying "While the attacker(s) in this case are still technically anonymous, it would appear that there is most likely a connection between this incident and the recently withdrawn Black Hat presentation on deanonymizing TOR users. If this was in fact a university research project, it was conducted without appropriate regard for users of the TOR network. This attack involved manipulating TOR protocol messages to encode information about observed requests so that the information could be correlated with an identity by relays in other parts of the network. In doing so the attackers not only made it possible for themselves to unmask some TOR hidden services and users, but they have also created an unquantifiable risk, as these messages could also be decoded by other parties, either while the attack was in progress or in retrospect by analyzing stored packet captures."