In perhaps one of the biggest blows to the rather famous Tor network, researchers at the Massachusetts Institute of Technology have now developed attacks that can find out Tor services hidden in the Web with high accuracy.
For those unfamiliar with the workings of the Tor network, it is used to access Onion services hidden in the deep web, which can in turn be used for shady activities such as masking the identity of the user and/or allowing access to websites blocked in a particular region. However, it is not all bad: like everything else, it can be, and is, also used by activists, journalists and the persecuted in various countries.
Tor basically works by encrypting a user's connection and routing it through two steps. The first involves a "guard," which starts the journey, while the second consists of "exit nodes" that finish off the circuit.
What makes it so difficult to follow someone using Tor is that once the connection passes through the guard it is encrypted, making monitoring a well-nigh impossible task unless one somehow manages to log both the IP address and the destination.
However, hard as it may be, the MIT researchers have done it, using a series of passive burst attacks to monitor the network in a process called circuit fingerprinting, which can detect the presence of hidden-service activity in order to "reduce the anonymity set of a user from millions of Tor users to just the users of hidden services."
Once the process has identified the introduction point (IP) circuits, all that remains is to point out those who may be using Tor hidden services and then sift through them further. In the researchers' words:
Once the adversary succeeds in identifying IP circuits, he is able to mark suspicious clients, and he can proceed to identifying their RP circuits. This can reduce his classification costs, and false positives.
This, in turn, increases the accuracy of Tor user identification.
The strategy differs from conventional ones in that it prefers identifying possible culprits rather than waging an all-out monitoring war on every incoming connection, thus increasing efficiency.
Therefore, instead of monitoring every circuit, which may be costly, the first step in the attacker's strategy is to identify suspicious circuits with high confidence, reducing the problem space to just hidden services.
Once hidden-service activity was identified, a secondary attack at the exit nodes was able to identify the Tor service being used with 88 percent accuracy.
"Since the attack is passive, it is undetectable until the nodes have been deanonymized, and can target thousands of hosts retroactively just by having access to clients' old network traffic," said the researchers working on the subject.
The paper also suggested ways in which Tor could be modified to ward off these attacks: faster reset times, data cells that can mask outgoing and incoming information, and hiding 'true' circuits within pre-made circuits.
Note, though, that this isn't the first time Tor's security has been called into question. Last year, a group of cyber attackers going by the name 'Lizard Squad' gained control over Tor, rendering it useless and over-congested for hours.
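To make concrete why the article's second suggested fix (data cells that mask outgoing and incoming information) blunts the burst-pattern feature described earlier, here is an added illustration in Python. It is not code from the paper or from the Tor project: two hypothetical circuits are modelled as constructed sequences of cell directions, a deliberately simple direction-count feature stands in for a fingerprinting classifier, and full-duplex padding (a dummy cell in the opposite direction for every real cell, an assumption of this model rather than Tor's actual padding design) is applied to show the feature collapsing to the same value for both circuits.

```python
"""Why padding cells blunt circuit fingerprinting: a constructed illustration.

Two Tor-like circuits are modelled as sequences of cells, +1 for a cell
sent by the client and -1 for a cell received. A passive observer at the
guard position sees directions and counts but not content; the direction
pattern of the first few cells is the kind of feature a fingerprinting
classifier would use. Padding every real cell with a dummy in the opposite
direction makes that feature identical for both circuits.
All traces below are constructed, not real Tor captures.
"""
from collections import Counter

# Constructed cell-direction traces (hypothetical, not from the paper).
# Circuit A: a burst of outgoing cells followed by a short reply.
CIRCUIT_A = [+1, +1, +1, -1, +1, -1, -1]
# Circuit B: a longer, evenly alternating exchange.
CIRCUIT_B = [+1, -1, +1, -1, +1, -1, +1, -1, +1, -1]


def fingerprint(directions, window=6):
    """Summarise the first `window` cell directions as (outgoing, incoming) counts.

    A deliberately simple stand-in for a traffic-analysis feature: it only
    records how many cells went each way early in the circuit's life.
    """
    counts = Counter(directions[:window])
    return (counts[+1], counts[-1])


def pad_full_duplex(cells):
    """Mask each real cell with a dummy cell in the opposite direction.

    Every time slot then carries exactly one outgoing and one incoming cell,
    always emitted in that order, so direction counts and ordering in any
    window carry no information about the real traffic. Returns a list of
    (direction, is_dummy) pairs; the real cells are preserved in order.
    """
    padded = []
    for d in cells:
        padded.append((+1, d != +1))  # outgoing slot: real only if d was outgoing
        padded.append((-1, d != -1))  # incoming slot: real only if d was incoming
    return padded


def directions(padded):
    """Project a padded trace onto what the observer sees: directions only."""
    return [d for d, _ in padded]


def real_cells(padded):
    """Recover the original cell sequence (what the endpoints actually exchanged)."""
    return [d for d, is_dummy in padded if not is_dummy]


def distinguishable(trace_a, trace_b, window=6):
    """True if the observer's feature separates the two traces."""
    return fingerprint(trace_a, window) != fingerprint(trace_b, window)


def padding_overhead(cells):
    """Fraction of extra cells the defence costs (1.0 means traffic doubles)."""
    return (len(pad_full_duplex(cells)) - len(cells)) / len(cells)


if __name__ == "__main__":
    print("unpadded:", fingerprint(CIRCUIT_A), fingerprint(CIRCUIT_B),
          "distinguishable:", distinguishable(CIRCUIT_A, CIRCUIT_B))
    pa = directions(pad_full_duplex(CIRCUIT_A))
    pb = directions(pad_full_duplex(CIRCUIT_B))
    print("padded:  ", fingerprint(pa), fingerprint(pb),
          "distinguishable:", distinguishable(pa, pb))
    print("overhead:", padding_overhead(CIRCUIT_A))
```

Run as a script it prints the two feature vectors before and after padding. The model shows the trade-off the article hints at: the feature becomes useless to the observer, but the circuit carries twice as many cells, and the total trace length and timing still differ between the two circuits, which is why the paper's other suggestions (faster reset times and hiding true circuits among pre-made ones) address what padding alone does not.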