The Tor Project has issued a security advisory warning that it has found evidence of attacks on the Tor network that could de-anonymise hidden services running on it.
The Tor Project issued the advisory after it uncovered evidence attackers were using a number of malicious relays to launch the attacks.
“On 4 July 2014 we found a group of relays that we assume were trying to de-anonymise users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks,” read the advisory.
Tor, also known as the Onion Router, is a network of virtual tunnels powered by a series of voluntary relays. It is designed to offer people a safe way to browse the web anonymously and host services without having them indexed on the regular open internet.
The advisory warned that the traffic confirmation attacks could be used to access Tor’s hidden services directory and told users to assume they had been affected.
“While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.
“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” read the advisory.
The traffic confirmation attack was described as doubly dangerous because it also had the potential to de-anonymise specific Tor users, though the project said it had seen no evidence that this had occurred.
“We don’t know how much data the attackers kept, and due to the way the attack was deployed, their protocol header modifications might have aided other attackers in de-anonymising users too,” read the advisory.
The advisory said the attackers also mounted a less serious Sybil attack against the network. A Sybil attack subverts a peer-to-peer network’s reputation or trust system by flooding it with a large number of identities that are all controlled by a single party, giving that party disproportionate influence over the network.
The advisory downplayed the significance of the second attack, stating: “The second class of attack they used, in conjunction with their traffic confirmation attack, was a standard Sybil attack – they signed up around 115 fast non-exit relays, all running on 126.96.36.199/16 or 188.8.131.52/16. Together these relays summed to about 6.4 percent of the Guard capacity in the network.”
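To make the Sybil figures concrete, the following is an added example (not code from the Tor Project or the advisory) that scans a constructed, consensus-like relay list for groups of Guard relays packed into the same IPv4 /16 and reports their combined share of Guard bandwidth weight. The Relay fields, the thresholds, and every address and weight are assumptions chosen for illustration.

```python
"""Flag clusters of Guard relays that share an IPv4 /16 and together hold an
outsized share of Guard bandwidth weight, the pattern the advisory describes."""
import ipaddress
from collections import defaultdict
from typing import Iterable, NamedTuple


class Relay(NamedTuple):
    nickname: str
    address: str          # IPv4 address as a string
    flags: frozenset      # assumed consensus flags, e.g. {"Guard", "Fast"}
    bandwidth: int        # assumed consensus bandwidth weight (arbitrary units)


def guard_share_by_prefix(relays: Iterable[Relay], prefix_len: int = 16) -> dict:
    """Return {network: (guard_count, share_of_total_guard_weight)} for Guard relays."""
    guards = [r for r in relays if "Guard" in r.flags]
    total = sum(r.bandwidth for r in guards)
    groups = defaultdict(lambda: [0, 0])   # network -> [count, summed weight]
    for r in guards:
        net = ipaddress.ip_network(f"{r.address}/{prefix_len}", strict=False)
        groups[net][0] += 1
        groups[net][1] += r.bandwidth
    return {net: (n, w / total) for net, (n, w) in groups.items()} if total else {}


def flag_sybil_clusters(relays, prefix_len=16, min_relays=10, min_share=0.02):
    """Return (flagged, combined): prefixes hosting at least `min_relays` Guards
    AND at least `min_share` of Guard weight, plus their combined share.
    The thresholds are illustrative assumptions, not values from the advisory."""
    shares = guard_share_by_prefix(relays, prefix_len)
    flagged = {net: v for net, v in shares.items() if v[0] >= min_relays and v[1] >= min_share}
    return flagged, sum(v[1] for v in flagged.values())


def build_sample() -> list:
    """Constructed sample: 100 diverse Guards, 20 non-Guard exits, and 40 low-weight
    Guards packed into two /16s (20 each). Addresses are made up for this example."""
    relays = [Relay(f"honest{i}", f"10.{i}.0.1", frozenset({"Guard", "Fast"}), 936) for i in range(100)]
    relays += [Relay(f"exit{i}", f"10.{200 + i}.0.1", frozenset({"Exit", "Fast"}), 500) for i in range(20)]
    for block, base in (("198.51", 0), ("203.0", 20)):
        relays += [Relay(f"packed{base + i}", f"{block}.{i}.10", frozenset({"Guard", "Fast"}), 160)
                   for i in range(20)]
    return relays


if __name__ == "__main__":
    flagged, combined = flag_sybil_clusters(build_sample())
    for net, (count, share) in sorted(flagged.items(), key=lambda kv: str(kv[0])):
        print(f"{net}: {count} Guards, {share:.1%} of Guard weight")
    print(f"combined share of flagged prefixes: {combined:.1%}")
```

Each packed /16 alone holds only 3.2% of Guard weight, which is why the check reports the combined share of all flagged prefixes rather than judging each prefix in isolation.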
It is currently unclear who mounted the attacks, though the Tor Project said it believes they were carried out as part of a “research” project run by Carnegie Mellon’s Computer Emergency Response Team (CERT), which had been scheduled to give a talk about Tor at the Black Hat conference.
“We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how ‘relay early’ cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild,” read the advisory.
“They haven’t answered our emails lately, so we don’t know for sure, but it seems likely. We hope they were the ones doing the attacks, since otherwise it means somebody else was.”
The Tor Project has released fixes for the flaw and recommends that users upgrade to an unaffected version as soon as possible.
Tracking Tor users’ movements and web habits has been an ongoing goal of numerous law enforcement agencies, such as Russia’s, which has offered up to four million roubles to anyone who can help crack the service.