An Overview of Modern Tor Deanonymization Attacks

Tor was designed to provide a decentralized, censorship resistant network that can offer internet users, websites and various web services anonymity via easy-to-implement means. Nevertheless, since the advent of Tor, some users have failed to maintain their anonymity. Throughout this article, we will discuss Tor’s deanonymization techniques that are available today. We will go through traffic and timing correlation attacks, operational security (OPSEC) failure, electronic fingerprinting and remote code execution as discussed by a recently published research study.

Given the fact that Tor network harbors controversial content, including drug markets, child pornography…etc, law enforcement agencies (LEAs) have been utilizing a myriad of exploits to deanonymize some of Tor’s users. These techniques involve exploits of human errors, in addition to complicated mathematical methods that can take advantage of software flaws. Moreover, operational security (OPSEC) failures, which are usually related to mistakes committed by users, can facilitate deanonymization.

Operational Security (OPSEC) Failure:

The most famous example of this approach is how the identity of Ross Ulbricht, the mastermind behind Silk Road, was revealed. Attackers monitor the pattern of behavior of a Tor user, and collect critical cumulative info to deanonymize him/her. Ross used multiple aliases including “frosty”, “Dread Pirate Roberts” (DPR) and “altoid” on Silk Road and online forums throughout which he communicated with his clients.

LEAs used multiple observations regarding Ross’s online behavior and correlated them to reveal his identity and accuse him of running the “Silk Road” darknet market:

1. On October 11, 2011, an account named “altoid” posted on bitcointalk.org a thread titled “a venture backed bitcoin startup company”, looking for partners for a bitcoin startup. Altoid referred people to contact him at [email protected] He also discussed the “Silk Road” marketplace in the thread. Shortly after, Silk Road was advertised on the forum “shroomery.org” by a user also named “altcoin”.

2. Ross’s Youtube channel and Google Plus page included links to Mises Institute, an Austrian blog that published content related to the economic theory. On the Silk Road forum, DRP also backlinked to Mises Institute and shared the site’s content there. Through one of these posts, he mentioned that his time zone is the (PT), i.e. the Pacific Time zone.

3. Ross posted on Stakoverflow this question “How can I connect to a Tor hidden service using curl in PHP?”. Initially, Ross posted the question using an account aliased with his real name, yet less than a minute later, the account’s alias was changed to “frosty”.

4. Ross bought 9 fake identification documents that included his real picture, yet different names. The US border customs intercepted the package which had been shipped from Canada to Ross’s apartment in San Francisco.

These OPSEC, or operational security, related events helped the FBI close in on Ross, who was arrested in a public library. Access to Ross’s laptop provided massive evidence that facilitated his conviction as the owner and administrator of the Silk Road marketplace.

Attacks Targeting Tor Network Affiliated Systems:

Tor is nothing more than a service that a server or a user might be running. As such, systems affiliated with Tor’s network are still vulnerable to traditional cyberattacks. Depending on the exposure and the special configurations of the system, various techniques could be utilized to uncover the real identity of a web user or a hidden service within the Tor network. The deanonymization process ensues after the attacker obtains relevant information or even fully controls the target Tor affiliated system.

Service visibility heightens the exposure of a system and hence, the probability of a successful cyberattack. Typical attacks at application level include session handling, input validation and access control, while at the level of the operating system, attacks usually target misconfiguration. Moreover, system performance can be undermined via denial-of-service DDoS attacks, which can precipitate system crash, or failure.

Typically, input validation attacks rely on injection and usually involve buffer overflows, cross site scripting (XSS) and upload of malicious files. Session handling attacks are based on targeting tokens exchanged throughout communication to guarantee a correct state at the two endpoints of communication and include token value guessing, token value eavesdropping and session fixation. Access control attacks are centered on privilege escalation, i.e. an ordinary user will be promoted to a user with administrator privileges.

In August 2013, the FBI found a vulnerability in the Firefox/Tor browser that they exploited to attack Freedom Hosting sites and turn them into malware spreading trackers. Freedom Hosting was a web hosting company that hosted child pornography websites on a wide scale. The FBI manages to access Freedom Hosting’s servers and inject a malicious Javascript code. The code searches for a hostname and a MAC address and then relays them back as HTTP requests to servers in Virginia, exposing the real IP address of the user.

Attacks On Hidden Services:

These forms of attacks exploit flaws and mistakes that can reveal critical info about a Tor website or a hidden service.

SSH services are typically used to provide remote login to Linux machines for an onion address. If the same SSH service is offered on a public IP address, as well as through an onion address, this will lead to uncovering of the IP address of Tor’s hidden service. The following represents a demonstration of this deanonymization technique:

Tor listens to SOCKS connections via the localhost port. As such, any application that interacts with Tor will connect to localhost. Due to the fact that the application acts as if the connections are routed from localhost, a new risk for undermining anonymity is exposed as many online frameworks consider localhost a safe zone. A perfect example is the commonly used Apache HTTP Server and the Apache Server Status module which by default, comes activated to localhost connections http://127.0.0.1/server-status/. Typically, this represents a safe configuration, as localhost is mostly a safe zone, and only users who have login credentials to the server can have access to this server status page. Nevertheless, with an onion address and Tor, connections to this page via Tor to Apache are routed from localhost, and Apache will show the page http://somehsaddress.onion/server-status/ to the public. Such services can deanonymize Tor’s hidden services.

Traffic Timing Correlation Attacks:

Tor is not immune against end-to-end timing attacks. An attacker that observes traffic reaching the first relay node (entry guard), as well as traffic reaching the final destination (hidden service, exit relay node….etc) can utilize statistical analysis to determine that they belong to the same circuit. As such, Tor does not promote absolute anonymity. The user’s address as well as the destination address of the monitored traffic are obtained by the attacker, who can successfully deanonymize the target via correlation attacks. It is worth mentioning that the attacker needn’t have full control over the first and last router along a Tor circuit to be able to correlate traffic streams monitored at those relay nodes. The attacker only needs to be able to monitor the traffic.

Occasionally, deanonymization does not require performing sophisticated forms of statistical analysis. For instance, a student in Harvard University was arrested for sending fake bomb threats, via Tor, to get out of an exam! According to FBI data, the emails were sent from an email provided by Guerilla Mail, an email provider that allows users to create temporary emails. Guerilla embeds the IP address of the sender in all outgoing emails, and in this particular case, this pointed to the IP address of the user’s exit node on Tor. The FBI stated that the student sent the emails via Tor from the campus wireless network. Correlation helped the FBI identify the student, who confessed during interrogation.

Traffic and correlation attacks are somehow easy to execute when the anonymity set (number of clients using Tor) is relatively small. In other words, if there is a small number of people using Tor, within the context of a specific network, then it is relatively easier to deanonymize them. More complex forms of attacks require more complicated techniques of statistical analysis of both traffic and timing. Recent research studies have proven that these techniques can deanonymize a considerable percentage of Tor users and hidden services.

This was a brief overview of the techniques available currently for deanonymization of Tor users and hidden services. As you might have noticed, the weakest link along the chain of anonymity is the user. The Tor Project offers users detailed tutorials and extensive guidelines to help them protect their anonymity online. Nevertheless, as we presented throughout the article, even the most technically savvy individuals can sometimes fail to implement simple OSPEC guidelines, or simply commit silly mistakes that lead to uncovering of their real identities.