Attacking a ToR Network

gAtO hAs found that there are a few ways to attack a secure network: some rely on old-fashioned technology and some are more modern. The FBI, the Secret Service and other international law enforcement agencies have used these techniques, and they have since been declassified:

UPDATE: 5-21-2012 -0900 There are a few more attack vectors that I recently found in the .onion network – let’s just say attacks from within. If you are a legitimate, legal security researcher, please write me; I want to keep those secret for now.

Let’s take a look at:

The Cold Boot Attacks

One of the problems with encryption is that, in order for it to work, your computer has to know the private key and any other information needed for decryption. This information is stored in memory, and while memory isn’t a good place to store things long term, it does retain data for somewhere between seconds and minutes after your machine has been turned off. An adversary who knows they are facing a locked-down machine with lots of encryption may perform a cold boot attack. This involves turning off your computer, spraying your memory with liquid nitrogen (or something else to keep it cold), and then recovering your encryption key from memory. Once frozen, data in memory can be retained (and then further reconstructed) for hours. Countermeasures: If you feel this is a risk, you need to implement physical security measures that deal with the possible threat. This could be as simple as a laser tripwire on a door that triggers a shutdown.

Radio Leakage, TEMPEST, etc.

All electronics create radio interference as a consequence of their operation. While this radio interference is often useless, it can also provide valuable information to your adversary. For instance, the radio interference generated by keyboards can divulge your passwords to an adversary sitting across the street from your house. RF shielding is the only solution to this problem and involves surrounding your machine in some type of metal. This isn’t all, though, as the power draw generated when you use the keyboard, etc. can also be monitored through your wall socket. I don’t know of any solutions to this. One idea would be to lock your machine in a box with a UPS to filter the electricity and a security scheme similar to the one used to prevent cold boot attacks, but I’m not sure how effective this would be. Countermeasures: Get some chicken wire and build a Faraday cage for all your secure computing equipment. Whatever music you like, play it loud; I would suggest metal, since it is filled with so many harmonics that it will be very hard to extract the EMF from the noise.

Physical Security

An adversary may put a camera, microphone, or some other recording device in the room with your hidden service machine. If they capture your encryption passphrase, your data will be compromised. The FBI and Secret Service used this technique in the bust of the ShadowCrew carding board, and it has been used for a long time by both law enforcement and intelligence agencies. While using a blanket will deter a camera, the audio generated by your keyboard may not be sufficiently muffled to stop a microphone from picking up what’s going on. Countermeasures: Always be careful of anyone coming into the place where your computing equipment or office is. Remember that today’s technology includes WiFi cameras and all kinds of devices. Also check your router for any weird connections to it, and remember the logs: they will show failed attempts to access your network. Another way is to scan for SSIDs with Kismet or NetStumbler; you may be able to find the device that way. And for microphones: whatever music you like, play it loud; I would suggest metal, since it is filled with so many harmonics that it will be very hard to extract the keystrokes from the noise.
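As an added example (not the post’s own code) of the router-log check above: a script that reads hostapd-style association log lines, flags any device outside your allowlist that completed a WPA handshake, and flags clients with repeated handshake failures. The log lines, the MAC allowlist and the exact message wording are all constructed for the example.

```python
import re
from collections import Counter

# Constructed router log lines in a hostapd-like format (not real output).
SAMPLE_LOG = """\
Mar 21 09:12:01 router hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
Mar 21 09:12:02 router hostapd: wlan0: STA 00:11:22:33:44:55 WPA: pairwise key handshake completed
Mar 21 09:40:15 router hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated
Mar 21 09:40:16 router hostapd: wlan0: STA de:ad:be:ef:00:01 WPA: handshake failed
Mar 21 09:40:19 router hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated
Mar 21 09:40:20 router hostapd: wlan0: STA de:ad:be:ef:00:01 WPA: handshake failed
Mar 21 09:41:02 router hostapd: wlan0: STA 66:77:88:99:aa:bb IEEE 802.11: associated
Mar 21 09:41:03 router hostapd: wlan0: STA 66:77:88:99:aa:bb WPA: pairwise key handshake completed
"""

# Assumed allowlist of devices you actually own; maintain it yourself.
KNOWN_MACS = {"00:11:22:33:44:55"}

# Pull the client MAC and the rest of the message out of each line.
LINE_RE = re.compile(r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<event>.+)$")


def audit_router_log(log_text, known_macs, fail_threshold=2):
    """Return (unknown_joined, repeat_failures).

    unknown_joined:  MACs not in the allowlist that completed a handshake,
                     i.e. a device that is now on your network.
    repeat_failures: MACs with at least fail_threshold failed handshakes,
                     i.e. someone repeatedly trying the wrong PSK.
    """
    failures = Counter()
    unknown_joined = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac, event = m.group("mac"), m.group("event")
        if "handshake failed" in event:
            failures[mac] += 1
        elif "handshake completed" in event and mac not in known_macs:
            unknown_joined.add(mac)
    repeat_failures = {mac for mac, n in failures.items() if n >= fail_threshold}
    return unknown_joined, repeat_failures


if __name__ == "__main__":
    joined, failing = audit_router_log(SAMPLE_LOG, KNOWN_MACS)
    print("unknown devices on the network:", sorted(joined))
    print("repeated handshake failures from:", sorted(failing))
```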

Traffic Correlation

If your adversary suspects you run a hidden service, they can watch your internet connection and try to use traffic analysis to determine whether the hidden service is run on your network. If your adversary downloads a few 50 megabyte files from your server and every time around 50MB of encrypted traffic goes across your network, it’s pretty good evidence. Combine that with shutting off the power to your machine and watching the hidden service go down, and you’ve got somebody who knows what’s going on. Countermeasures: There are creative ways of dealing with this, such as cover traffic, UPSs, redundant servers, and physical security.
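As an added example (not from the post), a toy simulation of the check described above: the sizes the observer fetched per observation window are correlated against the encrypted bytes seen leaving the suspect’s link, first with no cover traffic and then with constant-rate cover traffic. All numbers are constructed, and the padding model (the link is padded with dummy data up to a fixed rate per window) is an assumption.

```python
# Added example: toy model of the traffic-correlation check and of constant-rate
# cover traffic as the countermeasure.  Constructed numbers; the padding model
# is an assumption, not a description of how Tor itself behaves.
from math import sqrt

# Adversary's probe: MB fetched from the hidden service in each observation
# window (0 = no fetch), and the suspect's ordinary traffic in the same windows.
PROBE_MB = [50, 0, 50, 0, 0, 50, 0, 50]
BACKGROUND_MB = [3, 5, 2, 4, 6, 3, 5, 2]


def observed_egress(probe, background, cover_rate_mb=0):
    """MB seen leaving the suspect's link per window.

    Without cover traffic the observer sees background + whatever the hidden
    service served.  With cover traffic the link is padded with dummy data up
    to cover_rate_mb per window, so anything below that rate is hidden; a
    window whose real traffic exceeds the rate still shows through.
    """
    return [max(p + b, cover_rate_mb) for p, b in zip(probe, background)]


def correlation_score(probe, egress):
    """Pearson correlation between probe sizes and observed egress.

    Returns 0.0 when either series is constant (nothing left to correlate).
    """
    n = len(probe)
    mp, me = sum(probe) / n, sum(egress) / n
    cov = sum((p - mp) * (e - me) for p, e in zip(probe, egress))
    vp = sum((p - mp) ** 2 for p in probe)
    ve = sum((e - me) ** 2 for e in egress)
    if vp == 0 or ve == 0:
        return 0.0
    return cov / sqrt(vp * ve)


def leak_assessment(cover_rate_mb):
    """Correlation the observer would measure at a given cover-traffic rate."""
    egress = observed_egress(PROBE_MB, BACKGROUND_MB, cover_rate_mb)
    return correlation_score(PROBE_MB, egress)


if __name__ == "__main__":
    # Padding below the peak real traffic (30 MB here) still leaks the pattern;
    # only padding above the peak (60 MB) flattens what the observer sees.
    for rate in (0, 30, 60):
        print(f"cover rate {rate:>2} MB/window -> correlation {leak_assessment(rate):.3f}")
```

The middle case is the caveat a practitioner wants: cover traffic only helps when the padded rate is above the largest real burst, otherwise the fetches still stand out.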

a government censor can render it moot by simply blocking the relays


gAtO hopes that this will help you understand the ToR network a little better, and don’t worry, the Tor Project is working hard on traffic correlation attacks. – gAtO oUt



5 responses

  1. Pingback: Tor anonymity: how it works and how to use it « Doug Vitale Tech Blog

  2. I’m not that much of an internet reader, to be honest, but your blog’s really nice, keep it up!

    I’ll go ahead and bookmark your site to come back in the future.

  3. Hi! I just wanted to ask if you ever have any trouble with hackers?
    My last blog (wordpress) was hacked and I ended up losing several weeks of hard work due to no back up.
    Do you have any solutions to stop hackers?

    • There is no way to stop hackers. If you don’t behave like a dipshit, people leave you alone. Don’t behave like a dipshit when working amongst a tight group, or they will treat you like a dipshit.
