Researchers Discover Tor Nodes Designed to Spy on Hidden Services

Two researchers have discovered over 100 Tor nodes that are spying on hidden services. Cory Doctorow explains:

These nodes -- ordinary nodes, not exit nodes -- sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used "honeypot" .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions' existence. They didn't advertise the honions' existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.

No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of "infowar" weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).

The Tor project is working on redesigning its system to block this attack.

Vice Motherboard article. Defcon talk announcement.

Posted on July 8, 2016 at 7:01 AM • 22 Comments


Winston SmithJuly 8, 2016 10:55 AM

Clive R. will say, "See, I told you so...," and he'll be right, but I really like the concept of what TOR attempts to provide and I am hopeful that a functional privacy solution for the average user will be found. Such is desperately needed: we are immersed in poorly maintained security protocols, and, a groundswell of government (and criminal/syndicate) encroachment.

The only real solution I see is predominantly political, not technical: power (political and financial) is concentrated in too few hands, and the corruption is fostered by apathy from the public. Abusers of the power go free without consequence. Education and awareness will help swing the pendulum. Enforcing laws will help, too-- otherwise a republic ceases to function (totalitarian regimes aren't likely to support liberty and a free citizenry anyway). Technical solutions will only tangibly support the political solution, unless a brilliant, unstoppable technical solution could perhaps impose the political solution out of necessity. The latter is faster, I think. Corrupt politicians abhor change.

PeanutsJuly 8, 2016 11:41 AM

'Corrupt politicians abhor change'

Corrupt politicians meet change without FUD. And Fud is used almost always to increase or sell power or to fracture the effectiveness, resources or interest by the authentic stakeholders.

They (who play in security theater) never accept that rights or money are owned by the citizens they are actively robbing or making irrelevant to a constructive change

Their, fixed that for ya


Bumble BeeJuly 8, 2016 11:49 AM

Probably some weaknesses in the Tor protocol, but there are innumerable web server vulnerabilities that can be exploited regardless of whether or not they are behind a Tor hidden service.

100+ malicious nodes? Sybil attack.

BearJuly 8, 2016 3:14 PM

This is a surprise to anyone?

Should I have told people about this? I didn't realize it wasn't general knowledge, or I'd have mentioned it.

BearJuly 8, 2016 3:26 PM

onion servers have for some time been high-value targets for botnets. Whenever one (or more) can be subverted they make ideal control points as a particularly strong trail break between law enforcement and the botnet operator.

Botnet operators have been using hosted onion servers for some time as control points; but hosting companies have been quick to shut them down when they learn that they are being used for botnet control, and then tracing payments back to whoever had the hosting contract. Hijacking someone else's onion server is just the logical next step. It's been going on for at least a year now.

GrauhutJuly 9, 2016 12:00 AM

" when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits."

Wrong conclusion. Me personally, i would never ever attack from a sniffing system in order to protect this asset. I would transfer the target coordinates to a secondary system (or cluster of) and let these attack the hidden service.

Devel02July 9, 2016 3:18 AM

@Grauhut: I read it differently, that they were using the larger sense of "system", the normal-english sense not the common IT sense -- not a particular machine but rather an overall methodology. i.e., your approach (which I agree is vastly more sensible than one node both sniffing and attacking) would be "their" system: machine(s) sniffing, other machine(s) attacking. To put it another way: the surveillance/subversion system sniffed them via one machine, then attacked them with another machine(s).

(heh. even "machine" is not accurate; in fact nowadays far more likely to be a VM. Xen= only 3% penalty to bare metal(!). perhaps "compute-node" would be better.)

@Bruce: bleah. It was only ever a matter of time, but sad to see nonetheless. CYA...

Guido WitmondJuly 9, 2016 4:08 AM

Although it doesn't solve the problem of discovering hidden services and probing these for vulnerabilities, it solves the problem in a different way.

The protocol makes end to end encrypted and authenticated connections through Tor.

It creates a hidden service to connect and rejects connections from anyone except the intended caller. It does the rejection on certificates, no valid certificate means no connection.

In effect, it creates a tunnel through Tor for each caller. After that is's up to the endpoints to decide what protocol to run on top of that, eg, chat, voice, screen sharing, etc.

With a layer of obfuscation on top of TLS, the hidden service is anonymous too, it won't leak the identity of the server certificate to anyone who learned of the existence of the hidden service.

Check out

YouKillMyFatherPrepareToHaveABadDayJuly 9, 2016 10:22 AM

"No one knows who is running the spying nodes..." 21st century ghost story,

Mr. ObviousJuly 9, 2016 6:10 PM

Nice that someone documented it publicly for TOR and I'm glad I heard about it even though I don't use TOR (always nice to have a link or two to give out) but it's not really any different to simple network analysis (happens on all accessible networks all the time, not only TOR) and detection of it.

Anyone can do it so it could be anyone. If you're very patient you can use a single node but the more the better.

Kurt SeifriedJuly 9, 2016 10:31 PM

No different than Shodan running an NTP server to harvest IPv6 hosts to scan.

GrauhutJuly 10, 2016 11:01 AM

@Kurt: Abusing a NTP debug log is one step easier, for logging directory services in Tor you have to insert some kinda cout's in the source code. :)

GrauhutJuly 10, 2016 1:07 PM

@Devel02: "I read it differently, that they were using the larger sense of "system", the normal-english sense not the common IT sense"

Nope. They couldn't point to a group of Tor HS directory servers if they meant it in a larger sense, since they couldn't know if exactly these servers leaked the directory content. Could have been any HS directory server then.

I didn't analyze the Tor directory replication system (if one exists), so i dont know for sure, but the only way to find out wich server leaks in the background would then be an analysis of the replication timing, "wich server knew when and when did an attack begin".

But if an independent researcher could analyze a timing like the Tor directory replication system wide, then the whole system would be fundamentally broken and useless.

Bart SimpsonJuly 10, 2016 3:20 PM

I have repeatedly notified the TOR admins that Tor Browser updates automatically, even if the "DO NOT UPDATE" option is selected in the security tab. Updates are forced and involuntary on TOR!

stineJuly 11, 2016 4:42 AM

What are the chances the nodes are run by Websense, since this is what they do for normal traffic?

AnonJuly 11, 2016 4:32 PM

I'm not surprised by this at all. For all the talk of encryption and anonymization, the system MUST know something about something to function.

These nodes (or any node, service, hidden service, etc.. that makes the TOR network) are on systems not owned by the originator of the request, so nothing can be assumed about them.

Just because a phone number is unlisted, doesn't mean you can't randomly dial it.

Mathias HollsteinJuly 13, 2016 4:08 PM

Doctorow says, [..] the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits [..]. Personally, I think he jumped to conclusions, since such attacks could have also been triggered by something else. However, the DEFCON presentation excerpt by G. Noubir and A. Sanatinia sounds promising so far.

Other than that I would like to repeat what I always said – don't trust or use Tor for mission critical applications. There are way too many crooks out there, and the risks do not outweigh the benefits. Proper usage of Tor involves sophisticated technology and a fair amount of IT/CS knowledge, which average Joe usually doesn't have.

Tor services are high profile targets for a long period of time already. Unfortunately, I think that won't go away. The matter was discussed within my organization years ago. Capable members across Europe run several secured installations and systems for this organization. Despite the knowledge and technology at hand we decided to stay away from Tor.

cqretJuly 14, 2016 4:22 PM

Tor, at the very least, can be used an easy "VPN" through your local ISP.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.