Core members of the Tor project, the free online service that aims to cloak Internet users in anonymity, have admitted that it’s been compromised, leaving privacy advocates wondering if the service, which has built its reputation on trust, can continue. The announcement comes only a week after the hacking community was shaken by word that a scheduled presentation in which researchers would prove that it’s possible to find Tor users was mysteriously canceled.
Tor -- which stands for “The Onion Router,” implying multiple layers of security for users – said in a blog post Wednesday that users who operated or accessed hidden services from Jan. 30 through July 4 of this year should assume that their identity has been compromised. The anonymity network, which is accessible via a browser plug-in, is used by activists, criminals and hackers wishing to avoid the gaze of government monitors or targeted advertising. Made up by a network of volunteers who redirect an individual’s Internet connection, Tor can be used to provide uncensored Internet in unfree countries as well as to make a murder-for-hire plot possible.
“From what we found during our investigation, the attackers seemed to target people who operate or access Tor hidden services,” a spokesman for Tor told International Business Times. “By running a number of relays in the Tor network and modifying the traffic that these relays sent, the attackers attempted to learn about some Tor users visiting hidden services. Unfortunately, it is still unclear how much information the attackers were able to learn.”
The Tor spokesman refused to speculate on who the guilty party might be, but a growing swell of online speculation is pointing the finger squarely at researchers affiliated with CERT Division of Carnegie Mellon's Software Engineering Institute in Pittsburgh. In February of this year CERT researchers requested and were later authorized to deliver a presentation at the Black Hat cybersecurity conference in Las Vegas, promising to reveal a security vulnerability in Tor that rendered users susceptible to identification.
Tor, learning of the scheduled presentation, asked the researchers to turn over their evidence, though CERT would only hand over a small amount of information. An abstract of the research was also posted on the Black Hat conference’s website.
Using the fragment of information provided by CERT, Tor discovered on July 4 that an attack had been going on since shortly before CERT asked to deliver the presentation. Three weeks later, on July 21, the CERT presentation was canceled, with Black Hat releasing a statement saying only that “the materials that [the presenters] would be speaking about have not yet been approved by CMU/SEI for public release.”
The most recent update observers have is Wednesday’s announcement from Tor, which provided a more detailed explanation of the attack and a security update that aimed to address the vulnerability in question. CERT issued a firm “no comment” for this story, but Wednesday’s post from Tor has drawn more attention than the usual Deep Web drama, with experts like Ed Felten, a professor of computer science and public affairs at Princeton University, calling for an explanation.
“This story raises some serious questions of research ethics,” he wrote on Freedom to Tinker, Princeton’s Center for Information Technology Policy blog. “I’m hard pressed to think of previous examples where legitimate researchers carried out a large-scale attack lasting for months that aimed to undermine the security of real users.
“That in itself is ethically problematic at least,” Fenten went on. “The waters get even darker when we consider the data that the researchers might have gathered – data that would undermine the security of Tor users. Did the researchers gather and keep that data? With whom have they shared it? If they still have it, what are they doing to protect it?”
No one seems to know, and those who do are keeping their lips sealed. But there are other, no less pertinent questions. The number of Tor users skyrocketed following last year’s revelations from Edward Snowden, which showed that the U.S. National Security Agency is conducting daily, indiscriminate surveillance on Americans and international residents alike.
With that sudden influx, though, came increased scrutiny. First, in July, the FBI acknowledged that it subverted control of Tor and launched a mass malware attack to find the proprietor of a despicable child pornography ring. Then, just a few months later, the FBI was again able to infiltrate the supposedly ironclad network to identify and arrest the alleged owner of the Silk Road, a shadowy online bazaar that made it possible to find everything from an illegal firearm to drugs to child porn.
Complicating the matter even further is Tor’s admission that that U.S. government provided more than $1.8 million in funding in 2013 alone, all while the NSA and British GCHQ intelligence service reportedly sought to infiltrate the network. This news might be alarming to Internet anarchists and tech-first libertarians, but Tor in fact began as a U.S. military project with the goal of shielding intelligence agents conducting espionage in the aforementioned totalitarian regimes.
“A branch of the U.S. Navy uses Tor for open-source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently,” reads the Tor fine print, as highlighted by Pando Daily. “Law enforcement uses Tor for visiting or surveilling websites without leaving government IP addresses in their web logs, and for security during sting operations.”
Whether the government’s support will be enough to convince Tor users to continue trusting the network or dump it entirely remains to be seen.