Tor Project Confirms Five Month Attack Compromised Anonymity
The identities of Tor users could have been revealed during a five-month period when unknown attackers compromised the network

The Tor Project has revealed that a five-month long attack tried to de-anonymise users on its network earlier this year, and the team behind the anonymity-focused network is hoping the attack was carried out by the researchers behind a recently cancelled talk.

Researchers from the CERT division of the Software Engineering Institute (SEI) at Carnegie Mellon University were due to talk at the Black Hat 2014 conference in early August about a method for identifying Tor users and services with "newly discovered shortcomings in design and implementation of the Tor network" - saying the attack would only cost $3,000 to exploit.

Last week the talk was surprisingly cancelled without explanation and today the Tor Project has revealed that a five-month long attack on the network has more than likely put the identities of users at risk.

People use the Tor network because it anonymises traffic, meaning that no one - not even the NSA - can track those who use it.

That claim has, however, been put at risk, with the team behind the Tor Project revealing in a blog post the details of the attack and its consequences.

"While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected."

What "affected" means is still unclear at this stage, but the attackers seem to have been trying to identify who was running or trying to access some of Tor's hidden services.

At the end of the blog post, the Tor team posed four open questions, the first of which asked if the Black Hat researchers were behind the attack. While the team says the answer is "likely" yes, they are still unsure.

"We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how "relay early" cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer is "yes"."

Five month window

The attack used over 100 relays - which are the nodes used to bounce traffic off in order to anonymise it - which were introduced to the Tor network on 30 January.

For the next five months the attackers used these relays to carry out "traffic confirmation attacks" before the Tor team removed the relays on 4 July.
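The article does not describe the mechanism beyond naming "relay early" cells, so the following is an added illustration (not Tor Project code) of the relay-side check a defender would want against this class of signalling. It assumes, from Tor's protocol rather than from the article, that clients legitimately send a small number of RELAY_EARLY cells outbound when extending a circuit (the spec caps them at 8 per circuit) and that an honest relay never sees one arrive inbound, so an inbound RELAY_EARLY cell is treated as an anomaly: logged and the circuit torn down. Cell names, the trace and the guard class are constructed for the example.

```python
from dataclasses import dataclass

RELAY = "RELAY"              # ordinary relay cell
RELAY_EARLY = "RELAY_EARLY"  # cell type clients use while extending a circuit
OUTBOUND = "outbound"        # travelling client -> exit
INBOUND = "inbound"          # travelling exit -> client
MAX_RELAY_EARLY_OUTBOUND = 8  # per-circuit limit from the Tor spec (assumption, not from the article)


@dataclass
class Circuit:
    circ_id: int
    early_outbound_seen: int = 0
    closed: bool = False
    reason: str = ""


class RelayCellGuard:
    """Per-circuit state a relay keeps to decide whether a cell is acceptable."""

    def __init__(self):
        self.circuits = {}
        self.alerts = []  # (circ_id, reason) pairs a relay operator could log/alert on

    def handle_cell(self, circ_id, cell_type, direction):
        """Return True if the cell is forwarded, False if dropped (circuit closed)."""
        circ = self.circuits.setdefault(circ_id, Circuit(circ_id))
        if circ.closed:
            return False
        if cell_type == RELAY_EARLY:
            if direction == INBOUND:
                # Never legitimate: this is the pattern a colluding relay could use
                # to tag a circuit, so close it rather than pass it along.
                return self._close(circ, "inbound RELAY_EARLY cell")
            circ.early_outbound_seen += 1
            if circ.early_outbound_seen > MAX_RELAY_EARLY_OUTBOUND:
                return self._close(circ, "too many outbound RELAY_EARLY cells")
        return True

    def _close(self, circ, reason):
        circ.closed = True
        circ.reason = reason
        self.alerts.append((circ.circ_id, reason))
        return False


def run_constructed_trace():
    """Feed a constructed cell trace through the guard; returns (accepted, alerts)."""
    trace = [
        (1, RELAY_EARLY, OUTBOUND), (1, RELAY_EARLY, OUTBOUND),  # normal circuit build
        (1, RELAY, INBOUND), (1, RELAY, OUTBOUND),               # normal data flow
        (2, RELAY_EARLY, OUTBOUND),
        (2, RELAY_EARLY, INBOUND),                               # anomaly: circuit 2 is closed
        (2, RELAY, INBOUND),                                     # dropped: circuit already closed
    ]
    guard = RelayCellGuard()
    accepted = sum(1 for cell in trace if guard.handle_cell(*cell))
    return accepted, guard.alerts
```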

Even if this attack was carried out by researchers rather than malicious actors, the Tor development team says it was not the right way to go about it:

"The way this attack was performed weakens Tor's anonymity against these other potential attackers too — either while it was happening or after the fact if they have traffic logs. So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future."

Unanswered questions

While the Tor team believes this was the work of researchers, a number of questions remain unanswered.

First, were all the malicious relays discovered? Second, what information did the attackers keep and are they going to destroy it? And finally, how have they protected the data since they accessed it?

The team says that at this stage it has no answers to these questions.

Tor has grown in popularity in the last 12 months following the revelations from Edward Snowden that governments around the world are spying on people online.

Tor is used as a tool by journalists and academics to discuss sensitive topics but it has also gained notoriety for its widespread use by criminals, paedophiles and drug dealers as an anonymous marketplace where they can buy and sell everything from malware to child abuse images with impunity.