Fusion has a lengthy and informative report on the recent TOR attack. To some extent, the TOR project dropped the ball and failed to understand the seriousness of what they were seeing. The real villains, though, appear to be two Carnegie Mellon researchers.
One of the weaknesses of the TOR system is that it’s possible for someone with malevolent intent to participate in the network by providing one or more relay nodes. Usually, these attacks focus on the exit nodes because the data is no longer protected by TOR’s encryption as it leaves the TOR network. This attack used intermediate nodes, so even though the suspicious activity was detected by the network monitoring system, it was initially ignored because the TOR team believed that a successful attack must involve the exit nodes.
By the time the TOR team realized the seriousness of the situation, the damage was done. The story became more disturbing when the FBI arrested several dark net operators and boasted that they had broken the TOR protocol with the help of some university researchers. There’s a lot of circumstantial evidence pointing to the involvement of Carnegie Mellon’s Software Engineering Institute (SEI), a government-funded entity. As the TOR project pointed out, once the government became aware that the SEI had deanonymized IP addresses, they were sure to ask for them, and the SEI would have been obligated to provide them.
How would the government have known? It turns out that the researchers were scheduled to give a talk at the Black Hat Conference and had submitted their paper. At the last moment the talk was withdrawn citing confidentiality concerns.
After all this became known, CMU, the FBI, and the researchers behaved exactly as you would expect someone caught with their hands in the cookie jar to react. They issued carefully worded denials and then refused to say more citing, again, confidentiality.
There are huge ethical concerns involved and the academic community is up in arms about what happened. TOR has even questioned whether the research had IRB (Institutional Review Board) approval. Regardless, it’s clear that many innocent people got caught up in the attack and perhaps have had their safety put at risk.
TOR is said to be pondering their legal remedies including suing CMU for hacking their network. Whether they would prevail given the courts’ current schizophrenic approach to security issues is open to question but they may be able to use discovery to prise out the truth about CMU’s involvement and their collaboration with the government.
Read the Fusion article to see what the TOR project has done to fix the problem. If you’re a TOR user, now would be a good time to send them a few dollars so they can beef up their resources and prevent another incident like this.