On Monday we looked at the origins of TOR, and on Wednesday we looked at how TOR works. Today we tackle some of the vulnerabilities that have been discovered in TOR.
WEAKNESSES OF TOR
So just how did the FBI beat the anonymity of TOR? The story is a complicated one, and has not been fully revealed by the FBI. In the case of the operator of Silk Road, though, he made an epic fail in operational security: his Silk Road user account was tied to his personal email address, which ultimately aided in his undoing.
Even though the FBI has been tight-lipped about how the Silk Road server was found, we can make some assumptions based on other events that happened or DIDN’T HAPPEN around the same time. We already talked about the discovery of the rogue relays by the TOR project in July 2014. Around the same time, two researchers from Carnegie-Mellon had announced a presentation they were planning to give at the annual Black Hat conference in Las Vegas about work they had done that allowed them to compromise TOR, including finding the IP addresses and locations of hidden services on TOR. Suddenly, in July, the talk was cancelled, at about the same time that TOR made its discovery.
Theoretically, if you control enough of the TOR network, it’s possible to get a fairly decent view of at least some of the traffic passing through TOR. Anyone can contribute a relay node to the TOR Project, and if a government agency with deep pockets set up a bunch of them, anonymity would indeed be compromised for traffic passing through those relays.
Exit nodes present another problem, since traffic leaves TOR’s encryption at that point and, unless the application has encrypted it itself, is readable by whoever runs the exit. Again, it appears that some government agencies have successfully exploited this vulnerability.
It is also possible to use an obscure Cisco protocol called NetFlow, which routers use for traffic monitoring and analysis (http://motherboard.vice.com/read/how-the-nsa-or-anyone-else-can-crack-tors-anonymity), to track traffic backward through a series of TOR relays. Setting this up is fairly complicated, but certainly within the reach of most government cyber forces.
Other vulnerabilities exist. Using BitTorrent with TOR reveals the originating IP address in BitTorrent control messages. If a TOR session originates and ends on the same Autonomous System (think Internet Service Provider, like Comcast), it would be possible to analyse traffic records and determine the origination and destination IP addresses.
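The same-Autonomous-System observation above can be turned into a simple circuit check. This Python example is added here and is not from the original post or the Tor Project; the relay table, its addresses and AS numbers are constructed for illustration, and the check combines the entry/exit-in-one-AS test with the /16 rule Tor’s default path selection already applies (EnforceDistinctSubnets).

```python
from ipaddress import ip_address

# Constructed relay table for this example: nickname -> (IPv4 address, AS number).
# Addresses are from documentation/benchmark ranges and AS numbers from the
# private range; none of these are real Tor relays.
RELAYS = {
    "guard-a":  ("203.0.113.10",  64500),
    "middle-b": ("198.51.100.7",  64501),
    "exit-c":   ("203.0.113.200", 64500),  # same AS and same /16 as guard-a
    "exit-d":   ("192.0.2.44",    64502),  # unrelated to the other hops
    "exit-e":   ("198.18.0.9",    64500),  # same AS as guard-a, different /16
}


def slash16(ip: str) -> str:
    """Return the /16 prefix of an IPv4 address, e.g. '203.0' for 203.0.113.10."""
    octets = ip_address(ip).packed
    return f"{octets[0]}.{octets[1]}"


def path_problems(path, relays=RELAYS):
    """Return the reasons a circuit (guard, ..., exit) is exposed to one observer.

    Check 1: no two hops share a /16 (the rule Tor applies by default).
    Check 2: entry and exit are not in the same Autonomous System, since a
    single network operator would then see both ends of the circuit. The
    second check catches cases the /16 rule alone misses (see exit-e).
    """
    problems = []
    if len(set(path)) != len(path):
        problems.append("repeated relay in path")
    for i in range(len(path)):
        for j in range(i + 1, len(path)):
            ip_i, ip_j = relays[path[i]][0], relays[path[j]][0]
            if slash16(ip_i) == slash16(ip_j):
                problems.append(
                    f"{path[i]} and {path[j]} share /16 {slash16(ip_i)}.0.0/16")
    entry_as, exit_as = relays[path[0]][1], relays[path[-1]][1]
    if entry_as == exit_as:
        problems.append(
            f"entry {path[0]} and exit {path[-1]} are both in AS{entry_as}")
    return problems


if __name__ == "__main__":
    for exit_relay in ("exit-c", "exit-d", "exit-e"):
        circuit = ["guard-a", "middle-b", exit_relay]
        print(circuit, "->", path_problems(circuit) or "ok")
```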
The FBI appears to be using something known as a “watering hole attack.” In this scenario, an attractive web site is set up by the feds on the Dark Web, and the people who visit the site get a drive-by download of tracking software, which allows the FBI to follow them around the Dark Web and reveals the other sites they visit.
A July 22 article on Sophos describes other vulnerabilities that may have allowed the FBI to take down a child pornography operation on the Dark Web.
So, while TOR is great, it is not perfect. And as usual, the weakest link is going to be the TOR user, the human operator, who often provides identifying clues through poor operational security.
Sources for more information:
- Sophos – FBI Again Thwarts Tor…
- Wikipedia – Tor (anonymity network)
- TOR Project
- TOR Warning Document
- NSA “Tor Stinks” Presentation
- eWeek – Tor Puts NSA at Odds With Browser’s U.S. Navy Creators, Other Agencies
- Vice.com – How the NSA (Or Anyone Else) Can Crack Tor’s Anonymity
- Forbes – How Did the FBI Break TOR?
- Sophos – Can You Trust TOR’s Exit Nodes?
- Business Insider – Both Of The Men Accused Of Running The Silk Road Made The Exact Same Mistake