Many security experts and tech journalists for years have been championing Tor, a platform designed to prevent network traffic analysis (a surveillance technique) as a means to securely share sensitive information over public networks without compromising the sender’s privacy.
SEE: Information Security Policy (Tech Pro Research)
However, these same pundits (including me) are now warning that government agencies, including the FBI, are finding ways to circumvent the technology behind Tor. Knowing that might, and should, give pause to those who use and rely on Tor. Adding more fuel to the fire are two researchers at Northeastern University: Guevara Noubir, professor of computer and information science, and Amirali Sanatinia, Ph.D. student.
Noubir and Sanatinia in their research paper: HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs (PDF) start by giving kudos to the Tor platform and its success over the past 10 years. However, the two researchers quickly offer the following warning:
“Tor remains a practical system with a variety of limitations and is open to abuse. Tor’s security and anonymity are based on the assumption that a large majority of its relays are honest and do not misbehave.”
HSDirs and HOnions
Hidden Services Directories (HSDirs) are the misbehaving components directly under the researcher’s figurative microscope. Simply put, HSDirs are hidden websites (relays) in the Tor network that offer services such as web publishing or instant messaging.
To study the nearly 3,000 Tor nodes with HSDir capability, Noubir and Sanatinia configured 1,500 Honey Onions (HOnions), a framework to detect and identify Tor nodes with HSDir capabilities that may have been snooping on individuals using those particular relays. The researchers programmed the HOnions to log all requests received by the HSDirs. Using that information, Noubir and Sanatinia identified 110 potentially malicious Tor nodes with HSDirs (Figure A).
Image: Guevara Noubir and Amirali Sanatinia
Noubir and Sanatinia, after sifting through the HOnion data came up with the following results:
- 70% of the Tor nodes with HSDirs are hosted on cloud infrastructure, which hampered attempts to locate the source.
- 25% are Tor nodes with HSDirs and exit nodes
- 20% of the misbehaving Tor nodes with HSDirs are both exit nodes and hosted on cloud systems in Europe and Northern America
- Countries having the most suspected Tor nodes: USA, Germany, France, UK, and Netherlands.
As to the activity on the Tor nodes, the authors suggest most of the visits were automated queries trying to determine the root path of the server. However, Noubir and Sanatinia singled out close to 20 visits that appeared to be manual probes. “Some snoopers kept probing for more information even when we returned an empty page,” mentioned the research paper. “One of the snooping HSDirs was actively querying the server every hour asking for a server-status page of Apache. It is part of the functionality offered by mod status in Apache, which provides information on server activity and performance.”
SEE: Over 100 suspicious, snooping Tor nodes discovered (ZDNet)
Besides potentially snooping on individuals whose traffic flows through the subverted Tor nodes, Noubir and Sanatinia suggested the following attacks can be mounted from the HSDirs:
- SQL injection targeting the information_schema.tables
- Username enumeration in Drupal
- Cross-site scripting (XSS)
- Path traversal (looking for boot.ini and /etc/password)
- Targeting Ruby on Rails framework (rails/info/properties)
- PHP Easter Eggs
Noubir told Dan Goodin of Ars Technica that people at the Tor Project are aware of the problem and have been working on a resolution, adding, “The long-term solution is a new design for hidden services.”
What it all means
Noubir and Sanatinia presented their findings a few weeks ago at the Privacy Enhancing Technologies Symposium in Germany. The researchers made it clear there is no direct evidence of Tor nodes with malicious HSDirs identifying operators or visitors to the hidden sites, nor is there any evidence of monitoring the clear traffic passing between nodes.
But the potential is there and very real. “Both SQL and XSS exploits can reveal a wealth of sensitive information on servers containing administration or configuration errors or vulnerabilities that aren’t publicly known,” mentions Goodin. “What’s more, more than a quarter of the rogue directories also functioned as exit nodes, a status that allowed the malicious relays to view all unencrypted traffic.”
Something else to consider: The bad guys would have to modify the code provided by Tor to add logging capabilities—a deliberate action. This seems to signify that it is only a matter of time.