Tor Story 3

On Monday we looked at the origins of TOR, and on Wednesday we looked at how TOR works. Today we tackle some of the vulnerabilities that have been discovered in TOR.


So just how did the FBI beat the anonymity of TOR? The story is a complicated one, and has not been fully revealed by the FBI. In the case of the operator of Silk Road, though, he made an epic fail in operations security: his Silk Road user account was attached to his personal email address. This ultimately aided in his undoing.

Even though the FBI has been tight-lipped about how finding the Silk Road server was accomplished, we can make some assumptions based on other events that happened or DIDN’T HAPPEN around the same time. We already talked about the discovery of the rogue relays by the TOR project in July 2014. Around the same time, two researchers from Carnegie-Mellon had announced a presentation they were planning to make at the annual Black Hat conference in Las Vegas about work they had done that allowed them to compromise TOR, including finding IP addresses and locations of hidden services on TOR. Suddenly in July, the talk was cancelled, at about the same time that TOR made its discovery.

Theoretically, if you control enough of the TOR network, it’s possible to get a fairly decent view of at least some of the traffic passing through TOR. Anyone can contribute a relay node to the TOR Project, and if a government agency with deep pockets set up a bunch of them, anonymity would indeed be compromised for traffic passing through those relays.
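The effect of relay share on exposure can be put into numbers. The following is an added example, not part of the original post: the relay list is constructed (not real TOR consensus data), and the model assumes entry and exit relays are picked in proportion to bandwidth and that every circuit is built independently, which real TOR clients do not do because they keep the same entry guards for long periods.

```python
from fractions import Fraction

# Constructed relay list: (name, bandwidth weight, operator).
# "observer" marks relays run by a single well-funded party.
RELAYS = [
    ("r1", 40, "volunteer"),
    ("r2", 30, "volunteer"),
    ("r3", 20, "volunteer"),
    ("r4", 10, "volunteer"),
    ("x1", 15, "observer"),
    ("x2", 10, "observer"),
]


def both_ends_probability(relays, operator):
    """Exact chance that one circuit has its entry AND exit run by `operator`.

    Simplified model (assumption): the entry is drawn in proportion to
    bandwidth, then the exit is drawn the same way from the remaining relays,
    so one relay can never fill both positions.
    """
    total = sum(bw for _, bw, _ in relays)
    p = Fraction(0)
    for entry_name, entry_bw, entry_op in relays:
        if entry_op != operator:
            continue
        for exit_name, exit_bw, exit_op in relays:
            if exit_op != operator or exit_name == entry_name:
                continue
            # P(entry = e) * P(exit = x | entry = e)
            p += Fraction(entry_bw, total) * Fraction(exit_bw, total - entry_bw)
    return p


def exposure_over_circuits(p_single, circuits):
    """Chance that at least one of `circuits` independent circuits is seen at both ends."""
    return 1 - (1 - p_single) ** circuits


if __name__ == "__main__":
    p = both_ends_probability(RELAYS, "observer")
    print(f"one circuit: {float(p):.4f}")
    for n in (1, 10, 100):
        print(f"{n:>3} circuits: {float(exposure_over_circuits(p, n)):.3f}")
```

With 20% of the bandwidth the observer sees both ends of only about 2% of single circuits, but under the independence assumption that adds up quickly across many circuits.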

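Exit nodes present another problem, since traffic leaves the TOR network at this point without TOR's encryption and is readable by whoever runs the exit node unless the connection is itself encrypted. Again, it appears that some government agencies have successfully exploited this vulnerability.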

It is also possible to use an obscure Cisco protocol called NetFlow, which is used for traffic partitioning and analysis, to track traffic backward through a series of TOR relays. Setting this up is fairly complicated, but certainly within the reach of most government cyber forces.

Other vulnerabilities exist. Using BitTorrent with TOR reveals the originating IP address in BitTorrent control messages. If a TOR session originates and ends on the same Autonomous System (think Internet Service Provider, like Comcast), it would be possible to analyse traffic records and determine the origination and destination IP addresses.

The FBI appears to be using something known as a “watering hole attack.” In this scenario, an attractive web site is set up by the feds on the Dark Web, and the people who visit the site get a drive-by download of tracking software, and this allows the FBI to follow them around on the Dark Web, revealing other sites.

A July 22 article on Sophos describes other vulnerabilities that may have allowed the FBI to take down a child pornography operation on the Dark Web.

So, while TOR is great, it is not perfect. And as usual, the weakest link is going to be the TOR user, the human operator, who often provides identifying clues through poor operational security.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
