Latest Snowden Leak Explains NSA Subversion of Tor Users

New documents leaked by Edward Snowden describe the NSA’s ability to subvert users of the Tor anonymity network.

The latest Snowden documents, made public today, suggest the National Security Agency is able to peel back the veil on a small fraction of Tor users at a time, but overall the integrity of the anonymity network remains intact.

Tor promises its users a level of anonymity online for their Web activities by routing traffic through layers of proxies on the network until packets reach their final destination. The network is used by journalists, activists and other privacy-conscious individuals to keep communication secret.

According to a pair of articles in the Guardian today, the NSA has had some success identifying targets using Tor and then hacking into their computers. Expert Bruce Schneier goes into depth explaining a program called FoxAcid, which matches the vulnerabilities discovered on Tor users’ computers to attacks developed by the NSA.

“Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA,” Schneier said. Schneier, a cryptography pioneer and noted author of cryptography and security manuals, was invited by the Guardian to review the top secret cache of documents taken by Edward Snowden, a former NSA contractor now living in exile in Russia.

The secret to FoxAcid’s success is its ability to target vulnerabilities in the Firefox browser belonging to the Tor browser bundle, Schneier said. Another secret set of servers, code-named Quantam, live on the Internet backbone, placed there by the NSA because of secret partnerships with telecommunications companies in the United States, Schneier said. Because of their location, Quantam servers exploit a race condition between the NSA box and the intended webserver; Quantam is quicker to react to web requests than standard web servers are.

“By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond,” Schneier wrote, “thereby tricking the target’s browser to visit a FoxAcid server.”

Quantam servers can impersonate almost any targeted website because of their position on the backbone, including Google in some cases. The NSA then uses injection attacks to redirect web requests to their machine in order to spy on intended targets, the article said.

The materials released today by the Guardian are based off a number of presentations taken by Snowden while working for the NSA, most are about subverting Tor, which apparently has been a frustrating target for the NSA as indicated by the title of one presentation: “Tor Stinks.”

“We will never to able to de-anonymize all Tor users all the time,” a slide within the NSA presentation states. “With manual analysis, we can de-anonymize a very small fraction of Tor users.”

The documents also provide details and insight into proof-of-concept attacks that target Tor exit nodes, something that would allow an attacker in control to identify traffic leaving the network.

“The proof-of-concept attack demonstrated in the documents would rely on the NSA’s cable-tapping operation, and the agency secretly operating computers, or ‘nodes’, in the Tor system,” the Guardian article says. “However, one presentation stated that the success of this technique was ‘negligible’ because the NSA has ‘access to very few nodes’ and that it is ‘difficult to combine meaningfully with passive [signals intelligence].'”

Tor was in the news this week in another large breaking story. The takedown of the Silk Road online drug and hacking marketplace was announced yesterday, including the arrest of ringleader Ross William Ulbricht, also known as Dread Pirate Roberts. Silk Road was accessible only through Tor, keeping transactions relatively private; the operation operated for years and generated more than $1 billion in sales, according to court documents.

Ulbricht and Silk Road, however, did not compromise any facet of the Tor network, and according to law enforcement, Ulbricht was arrested only because of mistakes in operational security.

“Also, while we’ve seen no evidence that this case involved breaking into the webserver behind the hidden service, we should take this opportunity to emphasize that Tor’s hidden service feature (a way to publish and access content anonymously) won’t keep someone anonymous when paired with unsafe software or unsafe behavior,” a blogpost on the Tor website two days ago said. “It is up to the publisher to choose and configure server software that is resistant to attacks. Mistakes in configuring or maintaining a hidden service website can compromise the publisher’s anonymity independent of Tor.”

Suggested articles