
topicnews · September 19, 2024

Darknet: Investigators use timing analysis to deanonymize Tor users


According to the investigation files, traffic analysis played a key role in deanonymizing the operator of the darknet child-abuse platform Boystown, the political magazine Panorama reports. The investigators did not exploit a security flaw in the Tor anonymization service; instead they used timing correlations to trace the path of the data through the Tor network to the recipient.



To anonymize Tor browser users, the connection is encrypted at least three times and routed across the Internet through three different servers before it reaches its destination. The first is the so-called entry node, also known as the entry guard, to which the Tor browser connects over an end-to-end encrypted link. Only this node knows the user’s true IP address.

From the entry node, the Tor browser establishes an end-to-end encrypted connection to another Tor node, the so-called middle node. The middle node only knows the IP address of the entry node, so it does not know which user is behind it. The entry node, in turn, does not know what the Tor user and the middle node are discussing with each other, because it only sees the encrypted communication between the Tor user and the middle node.



To anonymize Tor users, traffic is encrypted end-to-end three times and routed through three Tor nodes around the world. Because of the deliberately low latency of the Tor network, comparing the data packets entering and leaving a node is enough to link them, without decrypting anything.

The Tor browser contacts at least one other node, the exit node, via the middle node. However, the middle node cannot read the data because the connection between the Tor user and the exit node is also end-to-end encrypted. The exit node, in turn, does not know where the user is located because it only knows the IP address of the middle node. Only the exit node establishes the connection to the target website (hopefully encrypted using HTTPS). If the target is a so-called hidden service from the darknet, the data is routed via three more Tor nodes and encrypted each time.

This cascade of at least three hops ensures that the entry node knows the user but has no idea what he is using the Tor network for. The middle node is the most clueless: it knows neither the originator of the packets nor their destination or purpose; it is merely an intermediary between the entry and exit nodes. The exit node, on the other hand, knows where the data is going but has no idea who sent it.

In addition, the Tor browser changes the middle and exit nodes at least every ten minutes so that connections cannot be tracked over a longer period. This is what makes it so difficult for investigators to identify Tor users.

In so-called correlation analysis, also known as timing analysis, the authorities exploit the fact that Tor is a low-latency network: data is transmitted through it in as close to real time as possible. The delay is usually so small that even live streams and live chats work over Tor. If a Tor user starts downloading a large file, for example, an investigator observing the exit node’s traffic would see a corresponding surge in the volume of packets. Because of the low latency, the outgoing traffic to one specific server surges at the same moment – so the middle node is exposed without the authorities having access to the exit node or decrypting the data.

The same simultaneous rise in incoming and outgoing traffic could be observed at the middle node, which would reveal the entry node. In the next step, the user himself could be deanonymized if the entry node could be observed. With around 8,000 Tor nodes worldwide, however, monitoring enough of them for such timing relationships hardly seems feasible.

Live chats and instant messengers in particular are vulnerable because of Tor’s low latency: a message travels from sender to recipient via the Tor nodes practically instantly. According to Panorama, this is exactly what the authorities are said to have exploited in the Boystown case: they communicated with the suspected operator via the Ricochet chat software, which encrypts messages and transmits them anonymously over the Tor network.

Since the investigators, as the sender, knew exactly when they were going to send a new message, it was enough to monitor several hundred Tor nodes for simultaneously arriving packets of similar size – presumably the authorities rented a corresponding number of fast, well-connected servers and put them on the network as Tor nodes. Because the Tor browser changes the exit and middle nodes every few minutes and prefers nodes with low latency and high bandwidth, it was only a matter of time before their Ricochet contact used one of the investigators’ nodes as a middle node. This allowed them to determine the entry node.

To get the suspect’s IP address, they would have had to steer him to an entry node run by the investigators, or monitor or take over the node he was using. Because of earlier attacks in which Tor users were quickly moved to attacker-controlled entry nodes and thereby exposed, the Tor browser now keeps the same entry node for days or even weeks – which is why it is now called an entry guard. It could have taken months for the Boystown suspect to switch to an entry guard controlled by the authorities.

It is still unclear how, but the investigators apparently knew that the suspect used O2 as his Internet provider. So they chose a different approach: from the correlation analysis at the middle node they had already obtained the IP address of the entry guard – and could hope that the suspect would keep using it in the coming days and weeks. They only had to ask Telefónica for the addresses of all O2 customers who had connected to this particular entry guard. The result must have been a fairly short list.

That is by no means proof that one of these people is the Boystown operator. But narrowing the search down to a few people lets the investigators focus their efforts. Contact with the entry guard, or timing relationships between data packets, are at best a small clue. Convicting the perpetrator remains classic police work – the correlation analysis merely helped to sift a few suspects out of the thousands of Tor users worldwide.

The correlation analysis method has been known for a long time and is said to have played a role in the 2017 takedown of the darknet forum Deutschland im Deep Web (DiDW). At the time, the hidden service suffered telltale daily connection drops, which turned out to be the forced DSL reconnections of the operator’s Internet access. c’t also reported in detail in issue 22/2017 on the method and on the crucial role the middle node plays in correlation attacks.

Making the Tor network more robust against such correlation attacks will be difficult. If there were far more Tor nodes than the roughly 8,000 today, attackers and investigators would need many more servers to have a reasonable chance of being selected by a suspect. The biggest sticking point for timing analysis, however, is the very low latency that makes Tor attractive to users. Nodes could buffer data packets, compress them, or pad them with additional random data so that an incoming packet could no longer be immediately matched to an outgoing packet of almost the same size.
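To make the mechanics of the correlation described above and of the countermeasures in this paragraph concrete, here is an added Python model. It is not code from the article, from Panorama or from the Tor project: every flow is constructed sample data, and the cell size, bin width, hop latency and shaping rate are assumptions chosen for illustration. It correlates the per-second byte volume of a client flow with what an observer at the next hop sees, once without countermeasures, once against an unrelated user, once with packets padded to fixed-size cells, and once with the relay batching data into a constant stream of cells with dummy cells when idle. Padding alone hides sizes but not the volume pattern; only the batching with cover traffic flattens the profile the correlation relies on.

```python
"""Toy model of volume correlation on a low-latency circuit and of the
countermeasures the article mentions (batching and padding). All flows are
constructed sample data; cell size, bin width and latency are assumptions."""
import math
from typing import Dict, List, Tuple

Packet = Tuple[float, int]   # (timestamp in seconds, size in bytes)
DURATION = 60                # seconds of simulated traffic (assumption)
CELL = 512                   # fixed cell size for the padding model (assumption)


def sender_flow() -> List[Packet]:
    """Constructed client flow: a 100-byte keepalive every second plus two
    bursts (seconds 5-9 and 20-24) of ten 1000-byte packets per second."""
    pkts: List[Packet] = []
    for t in range(DURATION):
        pkts.append((float(t), 100))
        if 5 <= t <= 9 or 20 <= t <= 24:
            pkts.extend((t + 0.05 * k, 1000) for k in range(10))
    return pkts


def unrelated_flow() -> List[Packet]:
    """Constructed flow of some other user: steady 3 x 500 B/s plus a burst
    of its own in seconds 40-44."""
    pkts: List[Packet] = []
    for t in range(DURATION):
        pkts.extend((t + 0.2 * k, 500) for k in range(3))
        if 40 <= t <= 44:
            pkts.extend((t + 0.05 * k, 1000) for k in range(10))
    return pkts


def relay(flow: List[Packet], latency: float = 0.25) -> List[Packet]:
    """What an observer at the next hop sees: the same sizes, delayed by the
    hop latency (a constant here; on a real circuit the jitter is small)."""
    return [(t + latency, size) for t, size in flow]


def volume_profile(flow: List[Packet], bin_s: float = 1.0) -> List[int]:
    """Bytes per time bin: the only feature the correlation needs, so the
    observer never has to decrypt anything."""
    bins = [0] * int(DURATION / bin_s)
    for t, size in flow:
        idx = int(t / bin_s)
        if idx < len(bins):
            bins[idx] += size
    return bins


def correlation(a: List[int], b: List[int]) -> float:
    """Pearson correlation of two volume profiles. A flat profile has no
    variance and therefore carries no signal: report 0.0 rather than NaN."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    if sa == 0.0 or sb == 0.0:
        return 0.0
    return cov / (sa * sb)


def pad_to_cells(flow: List[Packet]) -> List[Packet]:
    """Countermeasure 1: round every packet up to whole cells. This hides
    exact sizes but leaves the timing and volume pattern intact."""
    return [(t, math.ceil(size / CELL) * CELL) for t, size in flow]


def shape_constant_rate(flow: List[Packet], cells_per_s: int = 10) -> List[Packet]:
    """Countermeasure 2: queue incoming bytes and emit exactly one cell per
    tick, sending a dummy cell whenever the queue is empty. The output profile
    is flat whatever the input looked like, at the price of added delay and
    constant bandwidth use."""
    pending = sorted(flow)
    queued, i, out = 0, 0, []
    for step in range(DURATION * cells_per_s):
        t = step / cells_per_s
        while i < len(pending) and pending[i][0] <= t:
            queued += pending[i][1]
            i += 1
        queued = max(0, queued - CELL)   # real data if any, else a dummy cell
        out.append((t, CELL))
    return out


def demo() -> Dict[str, float]:
    """Correlate the client's own profile with what a relay observer sees."""
    client = sender_flow()
    ref = volume_profile(client)
    return {
        "same circuit, no countermeasure": correlation(ref, volume_profile(relay(client))),
        "different user": correlation(ref, volume_profile(relay(unrelated_flow()))),
        "padding only": correlation(ref, volume_profile(relay(pad_to_cells(client)))),
        "batching + cover cells": correlation(ref, volume_profile(relay(shape_constant_rate(client)))),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:32s} r = {r:+.3f}")
```

The shaped output still shows a tiny residual correlation in the model because the observer's first bin is shortened by the hop latency; in the unshifted case the profile is perfectly flat and `correlation` reports 0.0. The price of the countermeasure is visible in the code too: the client's bursts are drained at the fixed cell rate, so delay grows with burst size, and bandwidth is consumed even when nothing is sent, which is exactly the trade-off against low latency the article describes.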

Tor users should use as few real-time applications as possible, since these are particularly vulnerable to correlation analysis. There is no general protection: even a compromised hidden service could split images and other data into packets of very specific sizes or send them at specific intervals, generating a characteristic signal that investigators can easily follow through the dark web.

In the long term, the Tor project must come up with a solution. It is not always government investigators hunting paedophiles: in some countries it is opposition politicians, dissidents or simply people who think differently who are hunted on the darknet and, in the worst case, pay with their lives for inadequate anonymization.


(Center)