Can the movements of your mousepad betray your activities on surveillance-thwarting networks? According to one researcher, it's possible.
Jose Carlos Norte, a security researcher based in Barcelona, has devised a technique in which users can be tracked and their online activities watched -- even across the Tor network.
The Tor network is used by privacy advocates, journalists, traders -- both legal and illegal -- as well as users who simply don't want their online activities on the record. The network offers one of the best layers of privacy out there, being comprised of nodes and relays, of which obscure your IP address and the flow of traffic -- therefore making it difficult to track down specific users.
In comparison, browsing the Web through standard browsers such as Firefox and Chrome allows you to be followed via tracking cookies, browser histories, search enquiries and plugins, among other software.
In today's cyberattack and surveillance-happy landscape, using encryption and networks which provide layers of privacy protection is not a bad idea. However, there is no one-stop solution for being anonymous online, and Norte's new techniques highlight this concept well.
Tor and the Tor browser are able to mask IP addresses, but user fingerprints -- behaviors, patterns and writing styles -- could still be used to identify users online.
If a Web domain is able to generate a unique fingerprint for each user, then it is possible to track and correlate their visits, even if an IP is obscured.
"Even worse, it could be possible to identify the user if the fingerprint is the same in [the] Tor browser and in the normal browser used to browse [the] Internet," Norte says. "It is very important for the Tor browser to prevent any attempt on fingerprinting the user."
UberCookie is able to slurp hardware data "leaked" by most browsers, including the mouse wheel event. Elements which can be captured include usage patterns, scroll speed and hardware capabilities.
However, the researcher said the most interesting fingerprint vector in the Tor browser is getClientRects, which allows the code to get the exact pixel position and size of a box of a given DOM element.
"Depending on the resolution, font configuration and lots of other factors, the results of getClientRects are different, allowing for a very quick and easy fingerprinting vector, even better than the canvas fingerprinting that is fixed," the researcher says.
Norte has provided a proof-of-concept (PoP) and demo to demonstrate the attack.
While this fingerprinting technique is interesting, it is unlikely it could be used en masse to track users. However, this kind of research can help patch up weaknesses in surveillance-thwarting networks and help keep online privacy alive.
Security researcher Lukasz Olejnik told Motherboard:
"The utilized techniques seems to be used in a rather basic form, time and mouse movements analysis are known in the research community to differentiate between devices/users, it still poses a challenge to use them effectively.
If enhanced, mouse movements tracking could be a form of behavioral tracking."
ZDNet has reached out to the Tor project and will update if we hear back.
Read on: Top picks
- How to increase your Bitcoin mining profit by 30 percent with less effort
- SMS Android malware roots and hijacks your device - unless you are Russian
- Bug bounties: Which companies offer researchers cash?
- Shodan: The IoT search engine privacy messenger
- What happens when you leak stolen bank data to the Dark Web?