Evidence of traffic confirmation attacks found, relays removed

Jul 30, 2014 13:39 GMT  ·  By

Some relays in the Tor anonymization network are believed to have attempted to reveal the identity of individuals operating or using Tor’s hidden services, by modifying Tor protocol headers to carry out traffic confirmation attacks.

A security advisory posted today on the Tor (The Onion Router) project website says that the relays were discovered and removed on July 4 of this year, and that they had joined the network on January 30, 2014.

The administrators of the network cannot say with certainty what impact the attacks had on users, but they found clear evidence that the attacks targeted users who retrieved hidden service descriptors.

Details such as which pages were loaded, or even whether the user actually visited the hidden service, may not have been exposed to the attackers.

Since there was no evidence that the intruders operated exit relays, the network administrators believe the attack was not used to identify the destinations of users on normal Tor circuits.

The most important question is whether this is the same attack that would have been presented at this year’s Black Hat USA conference by researchers Alexander Volynkin and Michael McCord from Carnegie Mellon University in Pittsburgh.

Even though the presentation was abruptly cancelled by the university’s legal counsel, the team managing Tor was given some information, which hinted at “relay early” cells that could be leveraged for traffic confirmation attacks.

The team hopes that this was the vulnerability discovered by the two researchers, since it would be the safest alternative for the impacted users.

“We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how ‘relay early’ cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild,” said a member of the Tor team, who gave a thorough technical explanation of how the attack was possible.

“In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was,” he added.

However, other questions remain unanswered: the admins do not know whether all the malicious relays have been identified, and they have no details on what information the attackers collected.

To mitigate the risk, all relays should be updated to a more recent release of Tor (0.2.4.23, or the alpha 0.2.5.6), which closes the protocol vulnerability. Operators of hidden services should also consider moving them to a different location.