Attackers Compromised Tor Network in Effort to Identify Users

A critical vulnerability in the Tor Network was abused for over six months in effort to de-anonymize the identity of the Tor user, the project warned in a security advisory Wednesday.

Tor Projects security advisory published Wednesday stated the Tor team found over 115 malicious fast non-exit relays, resulting in 6.4% of the whole Tor network begin compromised. The relays were actively monitoring both ends of the Tor circuit in an effort to unmask the end user. ” While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” the security advisory reads.

The attacks could be related to the alleged Tor Network vulnerability that was scheduled to be debuted at Black Hat 2014 by Carnegie Mellon University (CMU) researchers, Alexander Volynkin, and Michael McCord. The conference was later canceled July 21 according to a notice received from CMU’s Software Engineering Institute legal counsel, which advised against the talk as the material had not been approved by the SEI for public disclosure.

Tor officials said it is “likely” that the researchers were behind the malicious relays or attacks. “In fact, we hope they were the ones doing the attacks, since otherwise it means somebody else was,” the advisory states. A Carnegie Mello SEI spokesperson told Threatpost in an email: “We have nothing to add to the Tor statement.”

When connected to the Tor network, the service anonymizes the user by masking their IP address and encrypting all traffic that goes through the connection. Tor routes the user through several nodes making it difficult for cyber criminals, law enforcement, or government agencies to trace the connection or identify such users.

All relays identified to be malicious on the Tor network were running Tor version 50.7.0.0/16 and 204.45.0.0/16 for over six months of 2014 thus far. Tor developers stated the evil relays were trying to de-anonymize Tor network users who visit and host alleged Darknet, known as Deepweb, “.onion” domains.

The Tor project is urging Tor relay operators to upgrade the Tor firmware to the most recent update, either 0.2.4.23 or 0.2.5.6-alpha, to patch the de-anonymizing vulnerability that was actively begin exploited in the wild. Tor has also removed all relays identified as malicious by their team and has advised hidden service operators to consider changing the location of their hidden service.

Tor Project commented numerous times on how such attacks could be crafted, “the attack involved modifying Tor protocol headers to do traffic confirmation attacks.”

The advisory continues stating that attackers were seeking to identify who was utilizing the hidden service descriptor, but it was unlikely that any traffic that filtered through the hidden service was ever accessed.

“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” Tor said in its advisory. “In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely.”