Two researchers, Amirali Sanatinia and Guevara Noubir, from Northwestern University, carried out an experiment on the Tor Network for 72 days and discovered at least 110 malicious Tor Hidden Services Directories (HSDirs) on the network.
Cory Doctorow explains:
These nodes — ordinary nodes, not exit nodes — sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.
The researchers used “honeypot” .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions’ existence. They didn’t advertise the honions’ existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.
This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.
No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of “infowar” weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).
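The honeypot-based inference described above, as an added example that is not part of the article or the researchers' own code: each unadvertised honion is known only to the HSDirs its descriptor was published to, so an unsolicited visit implicates at least one of them, and a greedy set cover over all visited honions yields the smallest list of HSDirs that explains every visit. All names, the HSDir-to-honion mapping and the log lines below are constructed.

```python
# Constructed sample data (not the study's): the HSDirs each unadvertised
# honion's descriptor was published to during the observation window.
HONION_HSDIRS = {
    "honion1": {"hsdirA", "hsdirB", "hsdirC"},
    "honion2": {"hsdirB", "hsdirD", "hsdirE"},
    "honion3": {"hsdirF", "hsdirG", "hsdirH"},
    "honion4": {"hsdirB", "hsdirI", "hsdirJ"},
    "honion5": {"hsdirK", "hsdirL", "hsdirM"},
}

# Constructed web-server log from the honions; every request is unsolicited
# because the sites were never advertised anywhere.
SAMPLE_LOG = """\
honion1 2016-07-01T03:12:44Z GET / 200
honion2 2016-07-01T09:40:02Z GET /index.html 200
honion4 2016-07-02T17:05:19Z GET / 200
honion1 2016-07-03T11:22:03Z GET /robots.txt 404
"""


def visited_honions(log_text):
    """Honions that received at least one unsolicited request."""
    return {line.split()[0] for line in log_text.splitlines() if line.strip()}


def infer_snooping_hsdirs(honion_hsdirs, visited):
    """Greedy minimum set cover: the smallest set of HSDirs such that every
    visited honion had its descriptor on at least one of them."""
    uncovered = set(visited)
    suspects = []
    while uncovered:
        candidates = sorted({d for h in uncovered for d in honion_hsdirs[h]})
        # HSDir explaining the most still-unexplained visits (ties: lowest name)
        best = max(candidates,
                   key=lambda d: sum(d in honion_hsdirs[h] for h in uncovered))
        suspects.append(best)
        uncovered -= {h for h in uncovered if best in honion_hsdirs[h]}
    return suspects


def suspect_confidence(honion_hsdirs, visited, hsdir):
    """Fraction of honions served by this HSDir that were actually visited;
    an HSDir that also served several never-visited honions is weaker evidence."""
    served = [h for h, ds in honion_hsdirs.items() if hsdir in ds]
    return sum(h in visited for h in served) / len(served)


if __name__ == "__main__":
    visited = visited_honions(SAMPLE_LOG)
    for d in infer_snooping_hsdirs(HONION_HSDIRS, visited):
        print(d, round(suspect_confidence(HONION_HSDIRS, visited, d), 2))
```

Real deployments would take the HSDir sets from the relay's own descriptor-publication records and the visits from the honion's server log; a visit that no HSDir set explains points to a leak elsewhere (for example the client side).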
Attacks on Tor are nothing new for the Tor Project. This research is the latest indication to hidden services and Tor users that the network cannot ultimately guarantee their anonymity.
Last year, the FBI unmasked Tor users in an investigation of the world’s largest dark web child pornography website ‘Playpen’ using its “Network Investigative Technique” (NIT), which remains undisclosed to this day.
The Tor Project reportedly accused the FBI of paying security researchers at Carnegie Mellon University (CMU) at least $1 million to disclose a technique they had discovered that could help unmask Tor users.
The researchers canceled their talk demonstrating a low-cost way to de-anonymize Tor users at the 2014 Black Hat hacking conference without explanation. The project has since patched the issues that made the FBI’s exploit possible.