Users of the online privacy service Tor – designed to allow users to access hidden sites anonymously – may have been unmasked after an attack lasting as long as five months, crafted to de-anonymize traffic on the service, according to the BBC’s report.
Tor is a privacy tool which allows users to access “hidden” sites and services, with the .onion suffix, which are accessed via customized versions of open-source browsers such as Firefox. It’s used by political activists – but also said to host child pornography, and illegal markets in everything from drugs to weaponry.
The Tor Project said that it had halted the attack on 4 July, but it may have been ongoing as long as five months. Business Insider said that it was not clear what data on users, or hidden services, the attackers had obtained.
V3 reported that Tor warned users to “assume” they had been affected.
Usually, Tor users are extremely hard to track – the privacy tool “bounces” information between 5,000 volunteer PCs to hide its tracks. Even America’s National Security Agency (NSA) described it as, “the King of high secure, low latency Internet anonymity.”
The service is used by whistleblowers, political activists and news organizations, but The Telegraph claims it is also “widely used” by criminals.
The Tor Project said it believed the attack had been carried out by two researchers due to give a talk at the Black Hat conference in Las Vegas next week. The presentation was cancelled by lawyers from Cornell University for unspecified reasons.
The talk, entitled “You Don’t Have to be the NSA to Break Tor” aimed to showcase a technique which could “uncloak” users of the anonymizing web service for less than $3,000.
Tor has since pushed out software updates to deal with the problem, but warned, “Hidden service operators should consider changing the location of their hidden service.” The Tor Project also warned that the attack could pave the way for future attempts by other adversaries such as “large intelligence agencies.”
“On July 4 2014 we found a group of relays that we assume were trying to de-anonymize users,” the Tor Project said via its blogs. “They appear to have been targeting people who operate or access Tor hidden services. While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected. Unfortunately, it’s still unclear what ‘affected’ includes.”
The Tor Project said, “So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future.”
Author Rob Waugh, We Live Security