Tor Sniffs Out Attacks Trying to Deanonymize Hidden Services Users

facebook .onion

Tor is warning users of its hidden services to upgrade relays after attackers were discovered on the network trying to deanonymize users.

UPDATE: For a little more than six months, attackers were on the Tor network trying to deanonymize users who operate or use Tor hidden services.

Tor issued a security advisory this morning warning users who operated or accessed hidden services between Jan. 30 and July 4 that they were likely affected. Tor officials are also recommending users to upgrade relays to the most recent Tor release, which closes off the vulnerability exploited by the attackers. Hidden service operators are also advised to change the location of their services.

The attacks could be related to research done for a cancelled Black Hat talk on attacking Tor and deanonymizing users that was scheduled to be delivered by Carnegie Mellon University researchers Alexander Volynkin and Michael McCord. The talk was scrapped on July 21 and according to a notice on the conference website from CMU’s Software Engineering Institute , legal counsel advised  them against doing the talk because the material had not been approved by the SEI for public release.

Tor officials in today’s advisory said it is “likely” that the researchers were responsible for the attacks. “In fact, we hope they were the ones doing the attacks, since otherwise it means somebody else was,” the advisory says. Requests for comment from Volynkin and McCord were not answered prior to publication. A Carnegie Mellon SEI spokesperson told Threatpost this morning: “We have nothing to add to the Tor statement.”

Tor executive director Roger Dingledine said in a blogpost that Tor did not ask CMU CERT to cancel its talk, nor did it know the talk would be pulled in advance of the show. He also said that the researchers never approached Tor with the vulnerabilities they’d discovered, and only informally had shared some information upon request.

Such an attack cuts to the core of Tor’s value proposition for its users, many of whom are in oppressed areas of the world where censorship prevents access to the free Internet. It’s also used by business people, journalists and activists who need to keep their online activities private.

According to, the anonymity network allows users to run services through its network while simultaneously hiding their location. “Using Tor ‘rendezvous points,’ other Tor users can connect to these hidden services, each without knowing the other’s network identity,” a description on the website says.

Tor has also been targeted by the National Security Agency’s surveillance efforts. Last October, documents released by The Guardian and leaked by Edward Snowden revealed the frustration the NSA had in intercepting Tor traffic.

“We will never to able to deanonymize all Tor users all the time,” said a slide from an internal NSA presentation called “Tor Stinks.” “With manual analysis, we can deanonymize a very small fraction of Tor users.”

That apparently didn’t stop someone from trying starting early this year.

“The attack involved modifying Tor protocol headers to do traffic confirmation attacks,” today’s advisory said.

Tor officials said the attackers were seeking users who were using hidden service descriptors; it was unlikely any traffic such as pages visited or even if they hidden service was accessed.

“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” Tor said in its advisory. “In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely.”

It is believed the attackers chained together a traffic confirmation attack and a Sybil attack against Tor hidden services users. A traffic confirmation attack happens when an attacker can watch Tor entry and exit relays and make a determination if relays are on the same circuit. In this attack, the advisory says, a signal is injected into the Tor protocol headers that is read at the other end of a relay.

“Then they injected the signal whenever they were used as a hidden service directory, an looked for an injected signal whenever they were used as an entry guard,” the advisory says.

“When Tor clients contacted an attacking relay in its role as a Hidden Service Directory to publish or retrieve a hidden service descriptor, that relay would send the hidden service name (encoded as a pattern of relay and relay-early cells) back down the circuit,” the advisory continues. “Other attacking relays, when they get chosen for the first hop of a circuit, would look for inbound relay-early cells (since nobody else sends them) and would thus learn which clients requested information about a hidden service.”

The Sybil attack was used to sign up a chunk on fast non-exit relays that eventually became entry guards for a large number of users during the attack, Tor said.

This article was updated at 11:45 a.m. ET with a comment from Carnegie Mellon SEI and clarifications throughout.

Suggested articles