Researchers have discovered over 100 malicious nodes on the Tor anonymity network that are “misbehaving” and potentially spying on Dark Web sites that use Tor to mask the identities of their operators.
Two researchers, Amirali Sanatinia and Guevara Noubir, from Northwestern University, carried out an experiment on the Tor Network for 72 days and discovered at least 110 malicious Tor Hidden Services Directories (HSDirs) on the network.
The nodes, also known as the Tor hidden services directories (HSDirs) are servers that act as introductory points and are configured to receive traffic and direct users to hidden services (“.onion” addresses).
In other words, the hidden services directory or HSDir is a crucial element needed to mask the true IP address of users on the Tor Network. But, here’s the issue:HSDir can be set up by anyone.
“Tor’s security and anonymity is based on the assumption that the large majority of its relays are honest and do not misbehave,” Noubir says. “Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs).”
The pair introduced around 1,500 honeypot servers, which they called HOnions (Honey Onions), running a framework to expose “when a Tor relay with HSDir capability has been modified to snoop into the hidden services that it currently hosts.”
Over 100 Malicious Tor Nodes Snooping Dark Web Users
After the experiment, conducted between February 12, 2016, and April 24, 2016, the researchers gathered and analyzed all the data, revealing they identified at least 110 malicious HSDirs, most located in the US, Germany, France, UK and the Netherlands.
Over 70 percent of these 110 malicious HSDirs were hosted on professional cloud infrastructures, making it hard to learn who is behind the malicious nodes.
Furthermore, 25 percent of all 110 malicious HSDirs functioned as both HSDir and Exit nodes for Tor traffic, allowing the malicious relays to view all unencrypted traffic, conduct man-in-the-middle (MitM) attacks, and snoop on Tor traffic.
The paper, “Honions: Towards Detection and Identification of Misbehaving Tor HSDirs,” [PDF] describes the researchers work in detail and will be presented next week at the DEF CON security conference.While most malicious nodes queried for data like server root paths, description.json server files, and the Apache server status updates, others carried out malicious attacks such as XSS, SQL injection attacks, and path traversal attacks.
“We detected other attack vectors, such as SQL injection,…, username enumeration in Drupal, cross-site scripting (XSS), path traversal (looking for boot.ini and /etc/passwd), targeting Ruby on Rails framework (rails/info/properties), and PHP Easter Eggs (?=PHP*-*-*-*-*),” the research paper reads.
The researchers presented their findings on Friday at the Privacy Enhancing Technologies Symposium in Germany.
Must Read: Former Tor Developer Created Malware for FBI
New Tor Design to Strengthen Tor Hidden Services
The researchers say Tor Project is aware of the HSDir issue and is working to identify and remove malicious HSDirs from the network.
“As far as we can tell, the misbehaving relays’ goal in this case is just to discover onion addresses that they wouldn’t be able to learn other ways—they aren’t able to identify the IP addresses of hosts or visitors to Tor hidden services,” the Tor Project says in its blog.
Although Tor Project is working to remove malicious HSDirs, the long-term solution is a new design for hidden services: Mission: Montreal!
The code of the new design has been written, but a release date is still to be finalized, as the project says, “Tor developers finished implementing the protocol several months ago, and since then we’ve been reviewing, auditing, and testing the code.”
According to the Tor developers, the new design will deploy a distributed random generation system that has “never been deployed before on the Internet.”
Tor Users: Target of Government Hacks
Attacks on Tor are nothing new for Tor Project. This research is the latest indication for hidden services and Tor users that the network can not ultimately guarantee their anonymity.
Last year, the FBI unmasked TOR users in an investigation of the world’s largest dark web child pornography website ‘Playpen’ using its “Network Investigative Technique” (NIT) that remains undisclosed to this day.
The Tor Project reportedly accused the FBI of paying the security researchers of Carnegie Mellon University (CMU) at least $1 Million to disclose the technique they had discovered that could help them unmask Tor users.
The researchers canceled their talk demonstrating a low-cost way to de-anonymize Tor users at 2014’s Black Hat hacking conference with no explanation. The project has since patched the issues that made the FBI’s exploit possible.
Recently, the MIT researchers have created Riffle – a new anonymity network that promises to provide better security against situations when hackers introduce rogue servers on the network, a technique to which TOR is vulnerable, though it is a long way from becoming reality.