Targeting Adversaries & Deanonymization Attacks Against Tor Users
Tor is a P2P network that promotes traffic security for various forms of internet communication for millions of users worldwide. In most cases, Tor users are very unlikely to become the target of an adversary, as Tor mainly shields them against opportunistic local hackers, local censorship authorities and hostile destinations. Deanonymizing adversaries typically attempt to attack as many Tor users as possible, instead of targeting specific users or groups of users.
For some Tor users, this may be more or less insignificant; however, Tor is mainly intended to protect the identity of human rights workers, military personnel, journalists, law enforcement agents and others, who may encounter huge, meticulously determined and generously financed adversaries. Even though a considerable percentage of these adversaries will not target specific users, and are said to be “hoovering” adversaries, some may be interested in specific Tor users for offline reasons. Adversaries who choose to target specific Tor users deploy different strategies.
A group of researchers recently published a paper that introduced and investigated “targeting adversaries” who launch attacks against specific users of Tor, or other similarly secure P2P communication networks. Throughout their paper, the researchers argued that attacks launched by “targeting adversaries” represent more realistic and more alarming threats to users who rely mainly on Tor’s protection than the attacks described in prior studies analyzing Tor’s security. Previous research studies and Tor design strategies have been centered on protection against adversaries with “hoovering” behavior, i.e. those who don’t target specific Tor users. The adversaries investigated in this paper specifically target certain users, e.g. visitors of a particular web page, users of a given private chat channel, etc., and disregard other Tor users. The researchers presented a model of such “targeting adversaries” and investigated three example cases where specific users might be in the crosshairs of the adversaries:
- A cabal conducting online meetings via MTor, a recently published Tor multicast protocol.
- A cabal online meeting using a private IRC channel.
- Users of a specific anonymous service, or a .onion website.
The study discovered that targeting adversaries compromise their targets faster than the deanonymizing attacks examined in previous research studies. Let’s take a look at the results obtained from studying MTor adversaries:
A targeted and compromised user X who belongs to a cabal that holds online meetings only via MTor can reveal to a targeting adversary all communications throughout the cabal, in addition to the group’s long term keys and identifiers. A targeted, yet uncompromised, user X with a compromised guard that connects to an MTor cabal could render the cabal the adversary’s target by association. Note that when the target group is open, the adversary can join it.
Throughout such an attack, the adversary will try to look at all pairs of users, to link each pair belonging to a multicast group, and to identify a specific user engaging in a multicast group. The targeting adversary usually aims at identifying all users of a given multicast group, predicting the size of the cabal and/or pinpointing MTor groups that a target user might belong to.
Targeting adversaries own middle relay nodes that help them estimate the size of the cabal and identify guards that they should target for the purpose of compromise or bridging, in order to identify the clients behind these guards. The MR can predict the size of the cabal.
The guard of a given MTor group user can see all of the group’s GID sessions, and may then choose to identify other members of the group. The authors of the paper assumed that the traffic patterns for any member of the cabal during a multicast session will be linked, so that the GID will not be necessary for the adversary to link other users with the cabal; this assumption was also made by the authors of MTor. The study found that targeting adversaries are capable of launching active attacks, which can include disruption of communications among a group and/or generation of their own group traffic if the adversary becomes a member of the group. Nevertheless, for simplicity, the study’s initial analysis assumed that adversaries are passive.
The study highlights the current capabilities of targeting adversaries across Tor and represents a useful resource for forging countermeasures to shield Tor users against such adversaries.