Tor Internet Privacy Service Warns Users It Was Breached
You may never have heard of the Tor Project, but the anonymous browsing service is making headlines on Wednesday. Tor’s developers are warning users they might be victims of an attack launched against the project in early 2014.
In a blog post, Tor said it found a group of relays it assumed were trying to deanonymize users. Specifically, those relays appear to have been targeting people who operate or access Tor's hidden services. The attackers essentially modified Tor protocol headers to carry out traffic confirmation attacks.
“The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4,” the developers said in a blog post. “While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.”
Who Was 'Affected'?
The news gets worse from there. Tor can’t confirm what “affected” includes. All the developers know is that the attack searched for users who fetched “hidden service descriptors.” Tor suspects the attackers could not actually see any application-level traffic, such as what pages were loaded or whether users visited the hidden service they looked up. But no one is completely sure.
“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely,” the blog post said. “And finally, we don't know how much data the attackers kept, and due to the way the attack was deployed … their protocol header modifications might have aided other attackers in deanonymizing users too.”
Tor developers said relays should upgrade to a recent Tor release or close the particular protocol vulnerability the attackers used, then reminded users that preventing traffic confirmation in general remains an open research problem.
“Clients that upgrade -- once new Tor Browser releases are ready -- will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one,” the developers said. “Hidden service operators should consider changing the location of their hidden service.”
Tor is Quick to React
We caught up with TK Keanini, CTO of network security firm Lancope, to get his take on the Tor Project. He told us Tor remains important infrastructure to those who must operate on the Internet anonymously -- but it is a nuisance to those charged with monitoring and identifying the network activity of users.
“Despite the bounties placed on compromising Tor, or the endless amounts of threats made to subvert the technology, Tor evolves and remains a target as [do] many other services on the Internet. The Tor community is quick to react to incidents and this readiness is important to witness as there is a lot we can learn in how to be resilient despite a hostile and advanced threat,” Keanini said.
“The talk from Black Hat that was pulled is operationally insignificant because all the folks actively working on ‘breaking’ Tor are hard at work on their objective and conferences are not their thing.”