Tor insists its network is safe after German cops convict CSAM dark-web admin
Outdated software blamed for cracks in the armor
The Tor project has insisted its privacy-preserving powers remain potent, countering German reports that user anonymity on its network can be and has been compromised by police.
A report by German news magazine program Panorama and YouTube investigative journalism channel STRG_F claims that the German Federal Criminal Police Office (BKA) and the Public Prosecutor General's Office in Frankfurt am Main were able to identify at least one Tor user after carrying out network surveillance.
The report mentions “timing analysis” as the key to identifying Tor users. “Timing individual data packets, anonymised connections can be traced back to the Tor user, even though data connections in the Tor network are encrypted multiple times,” the report states – sadly without explanation of how the technique works.
Tor offers enhanced anonymity for users of its network by routing their traffic through a so-called dark-web of nodes so that the true origin of a connection is obfuscated. Traffic sent to Tor is wrapped in layers of encryption and first reaches an “entry” or “guard” node. Traffic then bounces through at least three servers chosen at random – aka “relays" – before returning to public networks via an “exit node” or connecting to a .onion service. That process hides the source of a connection, and makes it harder to observe what a particular user is doing online just from their network traffic.
Observing long-term usage trends, as suggested by the “timing analysis” methodology, could perhaps erode Tor’s potency by giving observers clues about users who send traffic into the network. Essentially, for instance, someone could add nodes to the Tor network and note the timing of packets observed going in and packets seen coming out. After a while, these timings may help give away who is connecting to a particular .onion service.
Matthias Marx, a spokesperson for famed European hacker collective the Chaos Computer Club (CCC), lent credence to the method by telling the news outlets the available evidence – documents and other information sourced by the journos – "strongly suggest that law enforcement authorities have repeatedly and successfully carried out timing analysis attacks against selected Tor users for several years in order to deanonymize them.”
The Tor Project, while conceding it hasn't seen all the documents involved despite asking the reporters for them, believes German police were able to unmask a Tor user due to that person's use of outdated software as opposed to the plod exploiting some unknown vulnerability or similar.
The German report claims the timing analysis attack was used during investigations into an individual known as “Andres G”, the suspected operator of a .onion website called Boystown that hosted child sex abuse material (CSAM).
“G” allegedly used the anonymous messaging app Ricochet that passes data between senders and recipients over Tor. More specifically, it's said that he used a version of the chat program that failed to secure its Tor connections against the timing-based deanonymization methods used by the police.
The report says German authorities secured the cooperation of carrier Telefónica, which provided data on all O2 customers who connected to a known Tor node. Matching that info with observations of Tor timing info allowed authorities to identify “G”, who was arrested in North Rhine-Westphalia, charged, convicted, and jailed for years in 2022.
Tor has argued that method does not indicate its service is flawed.
The org has instead advanced a theory that by using the insecure Ricochet, “G” was caught by a guard discovery attack. In short, that means the cops were to able to figure out the entry or guard node he was using to send data over the Tor network. The police can ask Telefónica to list the subscribers who connected to that guard, and deduce the identity of the Tor user.
Tor claims that "G" probably used an old version of Ricochet that did not include protections against such attacks. "This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022," Tor’s write-up states.
- Microsoft Defender 'finally' stops flagging Tor Browser as malware
- Cutting kids off from the dark web – the solution can only ever be social
- Tor turns to proof-of-work puzzles to defend onion network from DDoS attacks
- Signal shoots down zero-day rumors, finds 'no evidence' of device takeover
"For timing analysis of traffic, you do need to compromise a guard node, since it's the first in the Tor circuit and can see the IP address of the user," Bill Budington, senior staff technologist at EFF, told The Register. If the guard cannot be directly compromised, network timings can be obtained to complete the surveillance.
Tor users are concerned that the network could be overwhelmed with police-controlled nodes that would compromise anonymity. But the number of nodes required to do this would need to be huge. The Tor Project acknowledged that it has seen an uptick in exit nodes being deployed – over 2,000 of late – but claimed this isn't anything to worry about.
"The claim that the network is 'not healthy' is simply not true," Tor's PR director Pavel Zoneff told The Register.
"The Network Health team has implemented processes to identify possible large groups of relays that are suspected to be managed by single operators and bad actors, and not allow them to join the network. As a result, it has flagged numerous bad relays for removal, which then got banned by the Directory Authorities. Many of those likely posed no real threat to users," he said.
The project has also called for help in understanding exactly what the police did. "We need more details about this case," the team said. "In the absence of facts, it is hard for us to issue any official guidance or responsible disclosures to the Tor community, relay operators, and users."
For now the message is: "Don't panic." ®