Tor’s Privacy Broken?
HD Moore claims to have broken Tor’s privacy model using a series of known tools. Basically he claims to be able to “poison” the exit nodes to have them send more information back to him than is safe - thereby de-anonymizing users. If you don’t know who HD Moore is, he’s the founder of the Metasploit project and he was the mastermind behind the month of browser bugs so I doubt this is a joke. The toolset is called Torment, and it uses a large number of known issues in Tor and does require that the user “performs some risky actions” like running JavaScript.
Anyone who has been reading this site for a while can probably tell where this is going. Not that I’ll claim to know exactly what he’s got up his sleeve, but we all know how difficult it is for any proxy to stop leaking information once the browser’s DOM gets involved. There are so many ways to fingerprint users, it’s ridiculous. So while this won’t actually help you stop bad guys from performing actions, it will allow you to detect who they are - or so the article hints. I’ll be very interested to hear the details once it comes out.
March 9th, 2007 at 11:34 am
Just read this on security.nl (dutch) http://www.security.nl/article/15625/1/Onderzoeker_hackt_Tor_om_pedofielen_op_te_sporen.html
Moore says his intentions were to reveal people who were using ToR to watch child porn or something. He’s not really solving the issue though.
March 9th, 2007 at 2:26 pm
The claim wasn’t that Tor itself is broken, just that it’s trivial to obtain the real IP address and personal information of most users of the Tor software. This is a project I started back in June of 2006 with the intent of tracking folks who tried to use my server to access child pornography.
The torment code is really just a general-purpose patch for the Tor daemon that embeds a Ruby interpreter and allows easy filtering and dropping of content. The secondary use for torment is to detect and drop file sharing requests traveling through my exit nodes. The torment code is slightly outdated (in terms of what version of Tor it is based on), but you can grab it from the Metasploit subversion server at:
http://metasploit.com/svn/torment/trunk/
The source code and description of the decloaking code is now public on the Metasploit.com web site. This code uses a custom DNS server, a Java applet, a Flash movie, and a lot of javascript to determine the real IP address of any Tor user. You can check out the demo at:
http://metasploit.com/research/misc/decloak/
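The decloaking approach described in the comment above works because the browser, or a plugin inside it, resolves a name or opens a socket without going through the SOCKS proxy. From the user’s side, the practical check is whether the browser profile is configured so that those paths are closed. The following is an added example, not code from the post or from Metasploit: a small Python audit of a Firefox-style prefs.js/user.js that flags the settings that matter here (manual proxy mode, DNS resolved through the SOCKS proxy, JavaScript and Java disabled). The sample pref files are constructed for the example; the pref names are real Firefox preferences of that era, and a pref that is absent from the file is treated as holding its (unsafe) Firefox default.

```python
import re

# Constructed sample of a leaky profile (not taken from the page):
# proxy points at Tor, but DNS is resolved locally and scripting/Java are on.
LEAKY_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("javascript.enabled", true);
user_pref("security.enable_java", true);
'''

# Constructed sample of the same profile with the leak paths closed.
HARDENED_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("javascript.enabled", false);
user_pref("security.enable_java", false);
'''

# One user_pref("name", value); per line; value is a bool, int or quoted string.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js/user.js lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a user_pref()
        name, raw = m.groups()
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            val = raw[1:-1]
        else:
            try:
                val = int(raw)
            except ValueError:
                val = raw
        prefs[name] = val
    return prefs


# (pref, required value, what it means if the requirement is not met).
# A pref missing from the file keeps Firefox's default, which fails every rule.
RULES = [
    ("network.proxy.type", 1,
     "proxy mode is not 'manual'; connections may bypass the SOCKS proxy"),
    ("network.proxy.socks_remote_dns", True,
     "DNS is resolved locally instead of through the SOCKS proxy (DNS leak)"),
    ("javascript.enabled", False,
     "JavaScript is enabled; scripts can fingerprint the browser and drive plugins"),
    ("security.enable_java", False,
     "Java applets are enabled; applets can open sockets outside the proxy"),
]


def audit(prefs):
    """Return a list of (pref, actual value, finding) for every unmet rule."""
    findings = []
    for name, required, message in RULES:
        actual = prefs.get(name)
        if actual != required:
            findings.append((name, actual, message))
    if not prefs.get("network.proxy.socks"):
        findings.append(("network.proxy.socks", None, "no SOCKS proxy host configured"))
    return findings


if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_PREFS), ("hardened", HARDENED_PREFS)):
        print(f"== {label} profile ==")
        for name, actual, message in audit(parse_prefs(text)) or []:
            print(f"  {name} = {actual!r}: {message}")
```

Run it against a real profile by reading prefs.js into `parse_prefs`; the audit only reports on the four preferences plus the proxy host, which is deliberately narrow: it checks the configuration paths the comment names (local DNS resolution, scripting, Java) and says nothing about Flash, which has no Firefox preference to audit here.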
March 9th, 2007 at 3:40 pm
Awesome, I didn’t know about that perl module (Net::DNS::Nameserver). That looks handy. And if it wasn’t clear, I certainly didn’t say you broke tor, only that you broke the privacy model. Nice work!
March 9th, 2007 at 6:57 pm
[…] has a post about it as well, along with some nice comments from HD over at ha.ckers.org Share and […]
March 9th, 2007 at 7:27 pm
[…] the LexisNexis web applications. RSnake also inspired me to talk about the connection between the Tor network which also appears to be in recent […]
March 9th, 2007 at 7:57 pm
Interesting find. I had actually just started looking at using Tor as most of the kids on 4chan, 7chan, 420chan, and a few other sites have been using it lately to perform large-scale DDoS attacks against a few notable sites.
March 10th, 2007 at 12:33 am
I am trying the example page.
All it seems to do is freeze my browser. (FF 2.0.0.2)
Should I wait more than 5 minutes for it to work? :-\
March 10th, 2007 at 8:22 pm
It’s easy to unmask someone’s real IP if you host a tor node yourself with Ethereal http://www.ethereal.com/ and adjust the exit policies on the tor node you host to only accept cleartext, because if they go via SSL no one can trace them. Tor developers have known this from the start, but there is one problem: if you infringe its privacy they are willing to sue those who do.
March 10th, 2007 at 8:29 pm
Uhh… and it seems everyone has forgotten this one: http://www.jungsonnstudios.com/blog/?i=47&bin=101111
Does it the silent way, and is a lot faster than Java applets and Flash movies.
March 11th, 2007 at 3:18 pm
Andrew Christensen did similar research early in 2006 and then later the same year on how to track TOR users.
http://www.fortconsult.net/images/pdf/220806.pdf
http://www.fortconsult.net/images/torutils.tgz
http://www.fortconsult.net/images/pdf/Practical_Onion_Hacking.pdf
April 17th, 2007 at 6:26 pm
Quite strange, I thought tor was very secure. Oh well. But then again, anything can be cracked given enough time.
October 16th, 2007 at 12:31 am
Tor is only a part of a solution to privacy. It is one step that must be combined with others that are clearly explained on the site. That chain is not broken, nor is tor. What has been claimed is patently false. I have not found one example where my privacy has been broken, and I use tor as directed.
October 16th, 2007 at 8:08 am
Jack - I think most of us considered knowing the origin IP address as breaking privacy and that is what is described. Further, there are a number of examples where people’s information has been stolen directly through malicious tor exit nodes - I think that’s a prime example of how exactly one would lose privacy information to an attacker.
February 11th, 2008 at 1:35 pm
RSnake - I think what Jack is saying is, it’s not Tor that’s broken, this is just the way HTML works. If you are naive enough to use Tor with Javascript, plugins, etc, enabled, you deserve to have your anonymity stripped and your machine owned. There are also far more interesting attacks that can be performed (i.e. rewriting binaries in transit), again, no fault of Tor here. Unless you verify your destination’s identity somehow (like an SSH host key fingerprint), the Tor network is just like a regular old Ethernet network - vulnerable to every mitm attack under the sun. HDM did not “break” anything here.