How Does Law Enforcement 'Subvert' Tor?
07 October 2013

Last summer an FOI request showed that the FBI had abandoned an investigation into TSChan, allegedly a child pornography site on the Darknet, on the grounds that "because everyone... connected to the TOR Network is anonymous, there is not currently a way to trace the origin of the website. As such no other investigative leads exist."

This was almost certainly a diversion to deflect attention from the intelligence agencies' and law enforcement's program of infiltration and subversion, for the last month has demonstrated that the agency is quite at home in the Darknet. First it took down Freedom Hosting, believed to host many of the Darknet's child porn sites, and arrested the alleged operator Eric Eoin Marques. Last week it took down Silk Road, a marketplace for illegal drugs, and arrested Ross William Ulbricht, aka Dread Pirate Roberts and allegedly its operator.

The question now is whether Tor is fatally flawed – have the NSA and GCHQ compromised Tor's anonymity protection for both national security and law enforcement purposes?

On Friday the Guardian released the latest Snowden leaks, one of which is a document titled "Tor Stinks." This is an NSA presentation, also dated in the summer of last year, detailing the efforts of both the NSA and GCHQ to subvert Tor's anonymity. The presentation starts with the statement, "We will never be able to de-anonymize all Tor users all the time," but "With manual analysis we can de-anonymize a very small fraction of Tor users..." In another of the documents, Tor is described as "the king of high-secure, low-latency internet anonymity."

Because of the inherent strength of Tor's anonymity, the agencies' focus has shifted towards exploiting the network, rather than attempting to directly de-anonymize its users. Bruce Schneier has described the basic process, which starts with the agencies' ability to monitor the greater part of the internet itself. While they cannot directly learn the identity of a Tor user, they can easily recognise the use of Tor.

"After identifying an individual Tor user on the internet," explains Bruce Schneier, "the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer." He goes on to explain, "Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA."

In short, the latest Snowden leaks suggest that the NSA and GCHQ cannot directly subvert the Tor network itself. The NSA has consequently turned to exploiting vulnerabilities in Tor users' browser, Firefox, using what is effectively a man-in-the-middle attack based on fast-reacting servers (which it codenames Quantum) that it has secretly installed on the internet backbones.

Technically, explains Schneier, "The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server... Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to 'degrade/deny/disrupt Tor access'."
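As an added, defender-side illustration (not from the article or from Schneier's text): a packet-injection race of the kind described leaves a tell-tale in a network capture, namely two server-to-client TCP segments with the same sequence number but different payloads, because the legitimate response still arrives after the injected one. The script below flags such pairs in a constructed sample stream; the addresses, ports, TTLs and payloads are made up for the example.

```python
"""Flag Quantum-style TCP injection races in a captured server-to-client stream.

Heuristic: within one flow, two segments sharing a sequence number but carrying
different payloads indicate that something other than the server answered first.
A retransmission (same seq, same payload) is benign and must not be flagged;
a TTL that differs from the rest of the flow is a supporting signal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def find_injections(segments):
    """Return (first_seen, conflicting) pairs of segments in the same flow that
    share a sequence number but differ in payload, in capture order."""
    seen = {}
    findings = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        first = seen.setdefault(key, seg)
        if first is not seg and first.payload != seg.payload:
            findings.append((first, seg))
    return findings


def ttl_mismatch(pair):
    """True when the two conflicting segments also carry different IP TTLs."""
    return pair[0].ttl != pair[1].ttl


# Constructed sample stream (RFC 5737 addresses, invented payloads):
SERVER, CLIENT = ("203.0.113.10", 80), ("10.0.0.5", 51234)
SAMPLE_STREAM = [
    # Injected redirect that won the race: same seq as the real reply, odd TTL
    Segment(*SERVER, *CLIENT, 1000, 61,
            b"HTTP/1.1 302 Found\r\nLocation: http://injected.invalid/\r\n\r\n"),
    # Legitimate server response, arriving a little later (50 bytes)
    Segment(*SERVER, *CLIENT, 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # Continuation, then a benign retransmission of the same segment
    Segment(*SERVER, *CLIENT, 1050, 52, b"<body>hello</body></html>"),
    Segment(*SERVER, *CLIENT, 1050, 52, b"<body>hello</body></html>"),
]

if __name__ == "__main__":
    for first, dup in find_injections(SAMPLE_STREAM):
        print(f"seq {first.seq}: conflicting payloads, ttl {first.ttl} vs {dup.ttl}")
```

Real deployments apply the same check to pcap data (Snort/Suricata and Bro/Zeek have shipped detectors based on this overlap logic), and must tolerate legitimate differences such as partial overlaps and segments that were re-split by the server.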

This particular attack makes it clear that the NSA has a number of exploits it can use against Firefox, and relies upon knowledge of flaws that it has and Mozilla hasn't. But it is not the only type of attack that can be used. There are Tor relay servers that are really NSA relay servers. If they are used as the entry point for a Tor session, then the NSA will know the IP address of the user. If they are used as the exit point for a session, then the NSA will have discovered one of the Tor 'hidden services.'

What all of this demonstrates is that Tor itself is not broken; but Tor users will need to be very careful if they wish to remain unknown to and undiscovered by the NSA.
