Over 100 suspicious, snooping Tor nodes discovered

Tor nodes are acting oddly -- and it may be a sign that they are snooping on services they host.


Researchers have discovered at least 110 nodes on the Tor network that are "misbehaving" and potentially spying on service activity.

Over 72 days, computer science PhD student Amirali Sanatinia and Guevara Noubir, professor at the College of Computer and Information Science at Northeastern University, uncovered nodes on the network which were not behaving as they ought.

The nodes, otherwise known as Tor Hidden Services Directories (HSDirs), are servers which receive traffic and direct users to hidden services. They are a crucial element needed to mask the true IP of users on the network.

The Onion Router (Tor) is a network comprised of nodes and relays which disguise traffic and make tracking online activity far more difficult. While a thorn in the side of law enforcement, Tor is a powerful tool in the hands of privacy activists, journalists and those attempting to circumvent censorship and surveillance -- but if nodes are collecting data on users, this could erode Tor's anti-spying principles.

The researchers' paper, "HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs," will be presented next week at the DEFCON security conference. Within the paper, Noubir says:

"Tor's security and anonymity is based on the assumption that the large majority of its relays are honest and do not misbehave. Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs)."

The team set up "honey onions" which detected when HSDirs were modified to perform different behaviors, and by logging requests made by these nodes, the researchers were able to identify those deemed malicious.

It is possible that some of these nodes could be run by researchers, law enforcement or state agencies attempting to block access to hidden services, but the range is so diverse it is difficult to ascertain exactly who is doing what, and why.

As noted by ThreatPost, project representatives are aware of the issue but do not consider the misbehaving nodes a security risk.

Instead, Tor says the problem is an "ongoing annoyance," and the nodes' strange behavior will be addressed in a new network design. While the researchers' attack can snoop on hidden service metadata and tell the attacker a service exists and is available, the nodes' behavior does not reveal operators behind hidden services.

A release date for the enhanced Tor network is yet to be determined.

Tor has experienced upheaval recently, with the departure of Lucky Green -- a prominent contributor and operator of key nodes -- as well as a full board shakeup and a scandal involving core Tor developer Jacob Appelbaum.