Darknet: Investigators use timing analysis to deanonymize Tor users



According to investigation files, analysis of data traffic played a key role in deanonymizing the operator of the darknet pedo platform Boystown, the political magazine Panorama reported. Investigators did not exploit security gaps in the Tor anonymization service, but rather exploited temporal correlations in order to trace the path of data through the Tor network to its recipient.



To anonymize Tor Browser users, the connection is encrypted at least three times and routed over the Internet through three different servers before reaching its destination. At the beginning there is the so-called entry node, also called the entry guard, to which the Tor Browser connects in an end-to-end encrypted form. Only this node knows the user’s real IP address.

From the entry node, the Tor Browser establishes an end-to-end encrypted connection to another Tor node, the so-called middle node. The middle node only knows the IP address of the entry node, so it does not know which user is behind it. In turn, the entry node does not know what the Tor user and the middle node are exchanging with each other, since it only sees the encrypted communication between the Tor user and the middle node.

To make Tor users anonymous, data traffic is routed around the world through three Tor nodes using triple end-to-end encryption. Because latency in the Tor network is intentionally low, comparing incoming and outgoing data packets at a node can link them to each other without decrypting the data.

Through the middle node, the Tor Browser contacts at least one further node, the exit node. However, the middle node cannot read the data because the connection between the Tor user and the exit node is also end-to-end encrypted. In turn, the exit node does not know where the user is because it only knows the IP address of the middle node. Only the exit node establishes a connection to the target website (hopefully encrypted via HTTPS). If the target is a so-called hidden service on the darknet, the data is routed through three additional Tor nodes and encrypted once more at each hop.

With this cascade of at least three hops, the entry node knows the user, but has no idea what he or she is using the Tor network for. The middle node is essentially the most ignorant: it knows neither the originator of the data packet, nor the destination, nor the purpose; it is merely an intermediary between the entry and exit nodes. The exit node, on the other hand, knows where the data flows, but has no idea who the originator is.

In addition, the Tor browser changes the middle and exit nodes after a maximum of ten minutes so that the connection cannot be tracked for a long time. This makes it very difficult for investigators to trace the identity of Tor users.

With so-called correlation analysis, also known as timing analysis, authorities take advantage of the fact that Tor is a low-latency network: data is passed on in real time wherever possible. The delay is usually so low that you can even run live streams and live chats via Tor. For example, if a Tor user starts downloading a large file, an investigator observing the exit node’s traffic may see a corresponding increase in the number of packets. Due to the low latency, the outgoing traffic to one specific server increases at the same time – and so the middle node is exposed without the authorities having access to the exit node or decrypting any data.

The same increase in incoming and outgoing traffic can be observed at the middle node within the same time window, and thus the entry node can be determined. In the next step, if you manage to observe the entry node, the user himself can be deanonymized. With about 8,000 Tor nodes worldwide, however, it seems hardly possible to monitor a relevant number of them for such temporal correlations.

With live chats and instant messengers, Tor is particularly vulnerable due to its low latency: a message is transmitted almost instantly from the sender through the Tor nodes to the recipient. According to Panorama, this is what the authorities are said to have exploited in the Boystown case by communicating with the alleged operator via the Ricochet chat software, which encrypts data and transmits it anonymously over the Tor network.

Since the investigators, as originators, knew exactly when they were sending a new message, it was enough to monitor a few hundred Tor nodes for simultaneously arriving data packets of the same size – possibly the authorities rented a corresponding number of fast, well-connected servers and put them on the network as Tor nodes. Since the Tor Browser changes exit and middle nodes every few minutes and favors low-latency, high-bandwidth nodes, it was only a matter of time before their Ricochet interlocutor used one of the investigators’ Tor nodes as a middle node. This way the entry node can be determined.

To obtain the suspect’s IP address, they would either have to steer him onto one of the investigators’ entry nodes, or monitor or take over the node he was using. Because of previous attacks, in which Tor users switched entry nodes so quickly that they soon landed on attacker-controlled nodes and were exposed, the Tor Browser now uses the same entry node for several days to several weeks – which is why it is now called an entry guard. It could therefore take several months for the suspect in the Boystown case to land on an entry guard controlled by the authorities.

It is still unclear how, but the investigators evidently knew that the suspect used O2 as his Internet provider. That is why they chose a different approach: based on correlation analysis at the middle node, they had already figured out the IP address of the entry guard – and could expect that the suspect would continue to use it in the following days and weeks. So the next time the suspect was online in Ricochet, all they had to do was ask Telefónica for the addresses of all O2 customers who had just had a connection to that same entry guard. The result is likely to be a fairly short list.

This is not proof that one of these individuals is the Boystown operator. However, narrowing it down to a few people allows the authorities to focus their investigation. Contact with the entry guard and the timing of data packets are only small clues. Catching the culprit remains classic police work – correlation analysis merely helped to single out a few suspects from among the thousands of Tor users around the world.

The method of correlation analysis has been known for a long time; it is said to have played a role in the seizure of the darknet forum Germany in the Deep Web (DiDW) in 2017. At that time, connection failures of the hidden service occurred every day that coincided with the forced disconnection of the operator’s DSL Internet access. Issue 22/2017 also did not report in detail on the method or on the important role of the middle node in correlation attacks.

Making the Tor network more robust against such correlation attacks would be difficult. If there were several times the current 8,000 Tor nodes, attackers and investigators would need far more servers in order to be selected by a suspect with sufficient probability. The biggest weak point in timing analysis, however, is the low latency, which is precisely what makes the Tor network attractive to users. Giving up some of it would allow nodes to collect data packets, bundle them, or disguise them with additional random data, so that an incoming data packet could no longer be immediately matched to an outgoing packet of approximately the same size.
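As an added illustration (not part of the article, and using constructed traffic rather than real Tor data), the simulation below shows why the low latency described in the correlation-analysis paragraphs lets an observer at a node link incoming to outgoing flows by correlating encrypted cell counts per time bin, and why the batching and padding sketched in the previous paragraph breaks that link. The bin size, hop latency, burst shape and cover-traffic rate are all assumptions.

```python
import random
from math import sqrt

BIN, WINDOW, LATENCY = 0.1, 60.0, 0.02  # bin size, seconds observed, hop delay (assumed)

def make_flows(n_flows, seed=1):
    """Constructed sample traffic: per flow, cell timestamps in idle gaps and bursts."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_flows):
        t, cells = 0.0, []
        while t < WINDOW:
            t += rng.expovariate(0.5)             # idle gap before a burst
            for _ in range(rng.randint(5, 40)):   # burst (a message, a page load)
                cells.append(t)
                t += rng.uniform(0.001, 0.01)
        flows.append([c for c in cells if c < WINDOW])
    return flows

def forward(flow, jitter=0.005, seed=2):
    """The same flow on the node's outgoing side: hop latency plus queueing jitter."""
    rng = random.Random(seed)
    return [t + LATENCY + rng.uniform(0.0, jitter) for t in flow]

def constant_rate_cover(slot=1.0, cells=50):
    """Mitigation the article sketches: buffer cells, emit a fixed number per slot,
    padded with dummies, so the outgoing timeline no longer depends on the flow."""
    return [k * slot + i * (slot / cells)
            for k in range(int(WINDOW / slot)) for i in range(cells)]

def bins(flow):
    """Cell counts per time bin: all an observer sees without decrypting anything."""
    v = [0] * int(round(WINDOW / BIN))
    for t in flow:
        i = int(t / BIN + 1e-9)        # small guard against float rounding at bin edges
        if i < len(v): v[i] += 1
    return v

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return cov / sqrt(va * vb) if va and vb else 0.0

def match(incoming, outgoing):
    """For each incoming flow, index of the best-correlated outgoing flow (the link)."""
    out_bins = [bins(o) for o in outgoing]
    return [max(range(len(outgoing)), key=lambda j: pearson(bins(i), out_bins[j]))
            for i in incoming]
```

With plain forwarding, `match` recovers the pairing of every incoming flow with its outgoing counterpart from counts alone; with `constant_rate_cover` every outgoing timeline is identical, the correlation is zero, and the pairing is lost.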

Tor users should make sure to use as few real-time applications as possible, as these are particularly susceptible to correlation analysis. There is no general protection, because a compromised hidden service can also split images and other data into packets of very specific sizes or send them at specific time intervals, producing a distinctive signal that investigators can then easily track through the Tor network.

In the long term, the Tor Project will have to think of a solution. State investigators are not always out to find pedo-criminals. In some countries, opposition politicians, dissidents or simply people who think differently are persecuted on the dark web and, in the worst case, pay with their lives for insufficient anonymity.


(Middle)
