Security researchers Filipo Valsorda and George Tankersley showed Friday at the Hack in the Box security conference in Amsterdam why Tor connections to hidden services are more vulnerable to traffic correlation attacks.
One of Tor's primary goals is to provide anonymity for Internet users. This is achieved by routing their Web traffic through a series of randomly chosen nodes or relays before passing it back onto the public Internet.
The nodes that make up the Tor network are run by volunteers and they can have specialized roles. There are nodes called entry guards that serve as the first hops onto the network and there are also exit relays that pass the traffic back onto the Internet.
Internet servers that receive traffic from Tor users won't see the real IP (Internet Protocol) addresses of those users. What they'll see will be the IP addresses of randomly chosen Tor exit nodes.
The Tor hidden service protocol extends the anonymity protection to servers as well. It makes it impossible for users to see the real IP address of a server that runs a Tor hidden service, like for example, a website.
Hidden services use addresses that end in .onion, a pseudo top-level domain that doesn't exist on the Internet and only resolves inside the Tor network. This anonymity protection for both servers and users makes hidden services attractive to political activists in countries where free speech is not well protected or where Internet surveillance is common, but also to criminals who use such websites to hide their activities from law enforcement.
The infamous online bazaar Silk Road where users sold drugs, arms and other kinds of illegal goods and services, operated as a Tor hidden service. The FBI eventually shut it down and arrested its owner, but other similar marketplaces have taken its place.
The biggest threat to the Tor network, one that exists by design, is its vulnerability to traffic confirmation or correlation attacks. This means that if an attacker gains control over many entry and exit relays, they can perform statistical traffic analysis to determine which users visited which websites.
The Tor developers are closely monitoring exit relays and removing bad ones from the network, so it's relatively hard for someone to pull off such an attack. In addition, if an attacker wants to identify Tor users visiting a specific Internet website, they'd have to gain control over a very large number of exit and entry nodes in order to increase their chance of success, since the relays will be different for every connection.
That's not the case with Tor hidden services. In fact, attackers could quite easily and with 100 percent reliability take control of all the rendezvous points between Tor users and specific Tor hidden services, at least for a period of time.
Tor hidden services rely on nodes with a special HSDir (hidden service directory) flag to advertise themselves on the Tor network so they can be discovered by users. Every hidden service will select six HSDir nodes to serve as its rendezvous points on a given day. This selection is done from a pool of around 4,000 nodes based on a predictable date-dependent formula.
With this formula both a Tor client and a Tor hidden service should select the same 6 HSDirs on a particular day. However, the researchers found that they could use brute force techniques to generate the keys needed for their own nodes to take up those rendezvous positions for a specific day.
The researchers managed to place their own nodes as the 6 HSDirs for facebookcorewwwi.onion, Facebook's official site on the Tor network, for the whole day on Thursday. They still held 4 of the 6 spots on Friday.
Brute-forcing the key for each node took only 15 minutes on a MacBook Pro and running the Tor relays themselves cost US$62 on Amazon's EC2 service.
New nodes receive the HSDir flag automatically after being up for around five days and attackers could set up nodes to become the HSDirs for a particular hidden service for the next five days with around US$200, the researchers estimated.
This technique will give attackers control over one end of the connection, but in order to perform traffic correlation attacks the attacker would also need to have visibility into the entry point. This can be achieved by someone who can monitor users' traffic before it enters the Tor network.
For example, a government monitoring its Internet users through ISPs could use this attack to perform traffic analysis and determine who visited a dissident site hosted on Tor. A law enforcement agency could do the same with the help of ISPs to identify who is visiting an illegal website that runs as a Tor hidden service.
The goal of the two researchers was to prove that "hidden service users face a greater risk of targeted de-anonymization than normal Tor users," because it's much easier to reliably control all HSDirs for a specific hidden service than to control all Tor exit relays that might be used to access a website.
Runa Sandvik, a security researcher and former Tor developer who was at the conference, agreed that it's technically easier to pull off such an attack than to monitor Tor exit traffic, but pointed out that the Tor Project is aware of the issue and has been working on a fix for some time.
There is a proposal for the next generation of hidden services that will address not only this problem, but also other potential issues, Sandvik said. In the meantime, the Tor developers have tools that can detect relays trying to attack users of Tor hidden services, she said.
A change in Tor that will be implemented soon will make it harder for new nodes to become HSDirs by forcing them to obtain a stable flag first, Valsorda and Tankersley said. This will require nodes to be online for a longer period of time before they can become HSDirs so it will make the attack more expensive, but not technically harder to pull off, they said.
While users can't do much to defend themselves against this, the operators of Tor hidden services do have one option. They could use the attack themselves so that their own nodes will become HSDirs for their own hidden services.
This won't prevent others from trying to take over the rendezvous positions, because the attack is essentially a race condition. However, if this happens, it will be very easy to detect that an attack is going on, the researchers explained.
They released the brute-force tool they created for the attack on GitHub, as well as a separate HSDir analysis tool that can potentially detect such attacks.
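As an added illustration (not the researchers' tool and not Tor Project code), the Python below reproduces the rule the selection described above relies on, namely that a hidden service descriptor is served by the relays whose fingerprints follow the descriptor ID on the 160-bit HSDir ring, and applies the kind of heuristic an HSDir analysis tool can use to spot a takeover: responsible relays whose fingerprints sit implausibly close to the descriptor ID, or whose HSDir role is only days old. The consensus, descriptor ID, dates and thresholds are all constructed assumptions.

```python
import hashlib
from bisect import bisect_left
from datetime import date, timedelta

RING = 1 << 160   # v2 HSDir ring is keyed by 160-bit relay identity fingerprints
SPREAD = 3        # relays per replica; two replicas give the six HSDirs in the article

def responsible_hsdirs(descriptor_id, hsdirs):
    """Fingerprints of the SPREAD relays that follow descriptor_id clockwise on the ring."""
    ring = sorted(hsdirs)
    i = bisect_left(ring, descriptor_id)
    return [ring[(i + k) % len(ring)] for k in range(SPREAD)]

def hsdir_findings(descriptor_id, hsdirs, today, min_age_days=30, gap_divisor=1000):
    """Heuristic checks on the responsible relays (thresholds are assumptions).
    hsdirs maps fingerprint -> date the relay first appeared with the HSDir flag.
    Returns a list of (fingerprint, reason) tuples; empty means nothing odd."""
    expected_gap = RING // len(hsdirs)   # mean spacing of uniformly random fingerprints
    findings = []
    for fp in responsible_hsdirs(descriptor_id, hsdirs):
        # A genuine relay lands this close to a given point with probability ~1/gap_divisor
        if (fp - descriptor_id) % RING < expected_gap // gap_divisor:
            findings.append((fp, "implausibly close to descriptor id"))
        if (today - hsdirs[fp]).days < min_age_days:
            findings.append((fp, "HSDir flag is very recent"))
    return findings

def constructed_consensus(today, n=4000):
    """Constructed sample: n honest HSDirs with pseudo-random fingerprints, all 60+ days old."""
    hsdirs = {}
    for i in range(n):
        fp = int.from_bytes(hashlib.sha1(b"relay-%d" % i).digest(), "big")
        hsdirs[fp] = today - timedelta(days=60 + i % 300)
    return hsdirs

def demo():
    today = date(2015, 5, 29)                     # constructed date
    hsdirs = constructed_consensus(today)
    desc_id = int.from_bytes(hashlib.sha1(b"constructed descriptor id").digest(), "big")
    honest = hsdir_findings(desc_id, hsdirs, today)
    # Simulate three relays positioned right after the descriptor id, flagged 5 days ago
    planted = [(desc_id + k) % RING for k in (1, 2, 3)]
    for fp in planted:
        hsdirs[fp] = today - timedelta(days=5)
    return {"honest": honest, "planted": planted,
            "responsible": responsible_hsdirs(desc_id, hsdirs),
            "attacked": hsdir_findings(desc_id, hsdirs, today)}

if __name__ == "__main__":
    for fp, reason in demo()["attacked"]:
        print("%040x  %s" % (fp, reason))
```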