Small Number of Malicious Tor Exit Relays Snooping on Traffic

Research into the behavior of Tor exit relays found that more than two dozen are malicious or misconfigured and could be snooping on traffic leaving the privacy network.

A small number of Tor exit relays are misbehaving, conducting man-in-the-middle attacks and monitoring encrypted traffic from users of the anonymity network.

Researchers from Karlstad University in Sweden published a paper this week examining the malicious behavior of some Tor exit relays and found 25 that were either behaving maliciously, or were misconfigured to the point where they would raise a red flag on the network. The nearly two dozen relays in question are a small fraction of the available exit nodes—as many as 1,000 at a given time—that act as a final gateway for a user’s traffic to pass before it hits the open Internet.

The experiment, conducted by Phillip Winter and Stefan Lindskog, began on Sept. 19 and was carried out using a free tool built by the two researchers called exitmap. The tool scans exit relays using a number of modules the pair developed that scan for common attacks such as man-in-the-middle, SSH, DNS, and even sslstrip attacks developed by researcher Moxie Marlinspike.

The scans went on for four months and 25 malicious or misconfigured exit relays were exposed. Most of the relays, the pair’s paper “Spoiled Onions: Exposing Malicious Tor Exit Relays” said, reside in Russia. Most of the attacks were man-in-the-middle attacks where someone tried to inject code into an encrypted traffic stream as it left Tor. Two sslstrip attacks were discovered, while a handful of others blocked traffic to pornography sites or social media sites in areas where censorship of the Internet is tight.

The Russian relays had the same fingerprint, leading the researchers to conclude the same person or group was behind those relays; the fingerprint characteristics include similarities in the self-signed certificates used by the relays and the use of the same root certificate called “Main Authority.” Most of the IP addresses belonging to those relays were run on the network of a virtual private system provider, the paper said, adding that several were on the same netblock belonging to GlobalTel-Net. The attacks, the paper said, may date back to February 2013.

Those Russian relays, the paper said, also took a great interest in users’ activities on Facebook and designed attacks that tried to tamper with connections to Facebook. The researchers wrote that targeting individuals using Tor is difficult, but less so is the targeting of classes of users based on their destination. The paper made no claim as to the identity of the attackers or what their interest in Facebook activity might be.

The use of a self-signed certificate in these attacks points to a lack of sophistication on the attacker’s part, in that self-signed certs trigger the about:certerror warning page on the Tor browser. Similar to Firefox, on which the Tor browser is built, about:certerror warns a user that the connection is untrusted and forces the user to click through if they wish to continue.

Winter and Lindskog wrote a separate post on the Tor Project blog that put the attacks into perspective, clarifying the risk and pointing out that the number of malicious relays is low.

“Tor clients select relays in their circuits based on the bandwidth they are contributing to the network. Faster relays see more traffic than slower relays which balances the load in the Tor network,” they wrote. “Many of the malicious exit relays contributed relatively little bandwidth to the Tor network which makes them quite unlikely to be chosen as relay in a circuit.”

They also point out that some of these same attacks are used on public Wi-Fi networks for example, and said the bigger issue is what they call the “broken” Certificate Authority system.

“Do you actually know all the ~50 organisations who you implicitly trust when you start your Firefox, Chrome, or TorBrowser?” they said. “Making the CA system more secure is a very challenging task for the entire Internet and not just the Tor network.”

Suggested articles