Tor connection vulnerability uncloaks hidden web services

Can "circuit fingerprinting" reveal the true location of Tor websites and services?
Written by Charlie Osborne, Contributing Writer

MIT researchers have developed digital attacks which can unmask Tor services in the Deep Web with a high degree of accuracy.

As reported by Net Security, a team from the Massachusetts Institute of Technology (MIT) have developed attacks which can be used to identify an anonymous hidden service, clients and potentially servers.

The Tor network is used to access .onion addresses located in the Deep Web. The point of the Tor network -- a plethora of nodes and relays -- is to mask surfers and make tracking very difficult to achieve.

While Tor is used by criminals for everything from drug to weapon sales, it is also a valuable tool for activists, journalists and those in high-surveillance countries.

When a user connects to Tor, that connection is encrypted and routed through a digital circuit. The first doorway, called a "guard," starts the journey while "exit nodes" finish off a communication circuit.

It should, in theory, be impossible to monitor users and log a user's IP address and destination unless an attacker is able to link the two through an exploit that gives control over both ends of the circuit. However, MIT researchers have developed a series of passive attacks which reveal an alternative approach to tracking the digital footprints of Tor users.

Within the research paper (.PDF), the MIT team describe a process called "circuit fingerprinting," which detects the presence of hidden service activity through a Tor vulnerability related to the guard. The passive network monitoring attack is able to "reduce the anonymity set of a user from millions of Tor users to just the users of hidden services," according to the researchers.

"Tor exhibits fingerprintable traffic patterns that allow an adversary to efficiently and accurately identify, and correlate circuits involved in the communication with hidden services," the team says.

"Therefore, instead of monitoring every circuit, which may be costly, the first step in the attacker's strategy is to identify suspicious circuits with high confidence to reduce the problem space to just hidden services."

Once the hidden service activity has been established, the team were also able to use a secondary attack related to Tor exit nodes. Without wresting control of a node through aggressive means, the security researchers were successful in identifying which Tor service a user was accessing -- as well as servers hosting a hidden service -- 88 percent of the time, potentially unmasking both the service and the physical location of a server.

"Since the attack is passive, it is undetectable until the nodes have been deanonymized, and can target thousands of hosts retroactively just by having access to clients' old network traffic," the paper states.

In order to prevent such attacks, the paper suggests a number of ways Tor could be modified. These include reducing the amount of time a circuit is allowed to exist before a reset, introducing "padding" cells of data which can mask outgoing and incoming information, and hiding 'true' circuits within pre-made circuits to prevent information leaks.
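To make the "padding" countermeasure concrete, here is an added toy model that is not code from the MIT paper or from the Tor Project. Tor carries data in fixed-size encrypted cells, so what a passive observer at the guard can count is how many cells a circuit sends in each direction. The model represents a circuit as a list of outgoing (+1) and incoming (-1) cells, derives the count-based signature an observer would see, and shows that padding every circuit up to a fixed, direction-balanced burst collapses the distinct signatures of different circuit types into one. The traces, the burst size and the signature definition are constructed for this example and are not the features used in the paper.

```python
"""Toy model of cell padding as a defence against count-based circuit fingerprinting.

Constructed illustration, not the MIT paper's method or Tor's real padding design.
"""

# Constructed traces: cell directions as seen by a passive observer at the guard.
# +1 = cell sent by the client, -1 = cell received by the client.
CIRCUITS = {
    "general_web": [+1, -1, -1, -1, -1, +1, -1, -1],
    "circuit_type_a": [+1, +1, +1, -1, -1, +1, -1, +1, +1, -1],
    "circuit_type_b": [+1, +1, -1],
}


def signature(cells):
    """Count-based signature an observer can build from encrypted cells:
    (total cells, outgoing cells, incoming cells)."""
    outgoing = sum(1 for c in cells if c > 0)
    incoming = sum(1 for c in cells if c < 0)
    return (len(cells), outgoing, incoming)


def pad_circuit(cells, burst=16):
    """Pad a circuit so that every circuit shows the same balanced signature.

    The padded length is the smallest multiple of `burst` whose half covers the
    larger of the two real direction counts; dummy cells (indistinguishable
    from real ones once encrypted) fill each direction up to that half.
    """
    _, outgoing, incoming = signature(cells)
    target = burst
    while target // 2 < max(outgoing, incoming):
        target += burst
    half = target // 2
    dummy_out = [+1] * (half - outgoing)
    dummy_in = [-1] * (half - incoming)
    return list(cells) + dummy_out + dummy_in


def padding_overhead(cells, burst=16):
    """Fraction of extra cells the padding costs, the price paid for the defence."""
    return (len(pad_circuit(cells, burst)) - len(cells)) / len(cells)


def distinct_signatures(circuits):
    """How many circuit types an observer can tell apart by signature alone."""
    return len({signature(cells) for cells in circuits.values()})


if __name__ == "__main__":
    for name, cells in CIRCUITS.items():
        print(f"{name:15s} raw={signature(cells)} padded={signature(pad_circuit(cells))} "
              f"overhead={padding_overhead(cells):.2f}")
    print("distinct unpadded:", distinct_signatures(CIRCUITS))
    padded = {name: pad_circuit(cells) for name, cells in CIRCUITS.items()}
    print("distinct padded:  ", distinct_signatures(padded))
```

The unpadded traces yield three different signatures; after padding, all three collapse to (16, 8, 8), which is what "masking outgoing and incoming information" means in practice. The overhead numbers show the trade-off: padding short circuits to a 16-cell burst multiplies their traffic several times over, which is why the Tor Project's response (below) treats the effectiveness and cost of such countermeasures as still unproven. The model only neutralises count-based features; timing and ordering of cells would need padding interleaved in time, which this toy does not attempt.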

The Tor Project told Motherboard:

"It's [..] a known issue that hidden service circuits are noticeable in certain situations, but this attack is very difficult to execute.

The countermeasures described in the paper are interesting since the authors claim that deploying some of them would neutralize their attack and better defend against hidden service circuit fingerprinting attacks in general. This has yet to be proven."
