Developers at the Tor Project are working on a patch for a critical vulnerability that could de-anonymize Tor users and that researchers had planned to disclose at the Black Hat security conference.
Black Hat recently announced their keynote briefing schedule, including one titled “You Don’t Have to be the NSA to Break Tor: De-anonymizing Users on a Budget” by security researchers Alexander Volynkin and Michael McCord from Carnegie Mellon University’s Computer Emergency Response Team (CERT). Shortly after the conference schedule went live, the talk was canceled at the request of legal counsel for the university’s Software Engineering Institute, because the material had not been approved for public disclosure.
“In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months,” the CERT researchers wrote in their preview of the disclosure. “There is nothing that prevents you from using your resources to de-anonymize the network’s users instead by exploiting fundamental flaws in Tor design and implementation. And you don’t need the NSA budget to do so,” they continue. “The total investment cost? Just under $3,000.”
Tor Project leader Roger Dingledine wrote in the Tor Project email update that the project did not ask Black Hat or CERT to cancel the talk. Tor Project developers had been shown only the information publicly available on the Black Hat website about what the researchers were scheduled to disclose, and never received detailed slides or further information. The researchers had planned to include “real-world de-anonymization case studies.”
Although Dingledine and his team were not briefed on the vulnerability, he believes they have found the same issue CERT was scheduled to disclose and are working towards fixing it. “We’ve been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they’d opted to tell us everything,” Dingledine continues in his mailing list post.
In another email, Dingledine suggests the discovered issue affects Tor relays, the Tor network nodes that pass users’ connections from one relay to the next to help anonymize traffic and thwart potential threats.
“Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world. And of course these things are never as simple as ‘close that one bug and you’re 100% safe’.”
The Tor Project is highly popular among researchers and users who want privacy. Former NSA whistleblower Edward Snowden even stated that his favorite operating system was Tails, an operating system based on the Tor Project.
Because previous Snowden disclosures show that the NSA put Tor users under extra surveillance, we are eager to see whether any research surfaces showing that the NSA abused this bug.