Timing-Analyse: How Seconds Reveal Anonymous People on the Darknet

A method used by German law enforcement identifies a suspect from the timing of his traffic alone.

German law enforcement agencies have begun to make active use of new methods for de-anonymizing Tor users. Journalists from the ARD political magazine Panorama and STRG_F (funk/NDR) found that German investigators rely on long-term monitoring of Tor relays to uncover the identities of users. The measures are aimed first and foremost at fighting crime on the darknet.

According to the reporting, the collected data is processed with statistical methods that can strip away the anonymity Tor is meant to provide. The journalists were able to inspect documents confirming the successful use of such methods in four instances within a criminal case. These are the first documented uses of so-called "Timing-Analyse" in a criminal prosecution; previously, such attacks were widely considered practically infeasible.

Tor is the world's largest network for anonymous use of the Internet. Users reroute their connections through various servers to hide their online activities. There are about 8,000 Tor relays in the world, located in 50 countries. About 2 million people use this network every day. Tor is especially popular with journalists, human rights defenders, and activists, especially in countries with internet censorship. Many media outlets, such as Deutsche Welle, use Tor to provide access to their sites in countries with restrictions on the free dissemination of information.

However, the anonymity of the Tor network attracts not only human rights activists but also criminals who use it for cyberattacks and for illegal trade on darknet platforms. Previously, law enforcement agencies faced serious technical difficulties when trying to reveal the identity of users. The recent investigation by Panorama and STRG_F shows that the strategy has changed: long-term monitoring of network nodes is now in use.

The essence of Timing-Analyse is the monitoring of a large number of Tor relays. The method compares the timestamps at which data passes through different nodes of the network. Tor encrypts the content of every hop, but it does not hide when cells are sent, so the analysis can follow the movement of data between nodes and users and pick out patterns that point to a specific person.

Even though the traffic is encrypted layer by layer, correlating the times at which packets are sent and received makes it possible to determine the source of a connection. A key element of the technique is control over as many relays in the Tor network as possible: the more vantage points the observer has, the more send and receive times can be correlated, and that correlation is what ultimately leads to de-anonymization.

One successful application of the method was the case against the darknet platform Boystown. Investigators were able to identify the Tor relays used by one of the platform's administrators to hide his activity. Experts were also able to locate chat servers on which members of criminal communities communicated. This allowed law enforcement to identify and arrest the perpetrators.

Cooperation with law enforcement agencies in the Netherlands and the United States has also played a key role in solving crimes related to the Tor network. The number of nodes under control in Germany has increased significantly in recent years, which has made it possible to use the Timing-Analyse method more widely.

Experts warn that such technologies can be used not only to fight crime, but also to persecute opposition figures in countries with repressive regimes. Representatives of the Tor Project have already stated that they are taking measures to increase the level of anonymity of users in order to prevent similar attacks in the future.

Recall that recently German law enforcement agencies searched the house and office registered to the address of the organization Artikel 5 e.V., which supports the Tor network. This is the second such case after a similar raid in 2017.

 
Police de-anonymized a pedophile on Tor. Tor developers assure users they are safe.

The Tor Project has assured users that the Tor Browser and the Tor network remain secure. The statement follows reports that law enforcement agencies in Germany and other countries are working together to de-anonymize users by means of timing attacks.

A joint report by the German magazine Panorama and the investigative YouTube channel STRG_F revealed that the German Federal Criminal Police Office (BKA) and the Prosecutor General's Office in Frankfurt am Main managed to identify at least one Tor user. The report names "timing analysis" as the key to the de-anonymization.

"From the timing characteristics of individual packets, anonymous connections can be traced back to a specific Tor user, even if connections on the Tor network are encrypted multiple times," the journalists report, but do not explain exactly how this technique works.

In theory, long-term observation of traffic patterns, as the timing analysis method suggests, can indeed give an observer clues about which users are sending traffic into the network.

Essentially, an adversary can add their own relays to the Tor network and record when packets enter and leave it. After enough observation, the timing data can reveal who is connecting to a particular .onion service.
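The correlation step that the two explanations above describe (compare send and receive times at relays you control, without ever decrypting anything) can be shown in a small simulation. The following is an added illustration, not code from the articles, the BKA or the Tor Project. It constructs synthetic packet timestamps for several users, pushes each flow through a Tor-like path with random per-hop delay, and then plays the adversary who sees one relay on the client side and one on the far side of each flow without knowing which belongs to which. Delay, jitter, bin width and the chat-like burst shape of the flows are assumptions chosen for the simulation.

```python
"""Toy end-to-end timing correlation of the kind the reports describe.

Added example, not the journalists' or the Tor Project's code. The observer
only keeps packets-per-second counts at two vantage points; payloads are
never inspected, which is the point: Tor's encryption does not hide timing.
"""
import random
from itertools import product


def make_flow(rng, horizon, idle_mean=4.0, burst_mean=6, gap=0.1):
    """Constructed client traffic: bursts of packets separated by idle periods,
    the way an interactive chat session behaves."""
    t, times = 0.0, []
    while t < horizon:
        t += rng.expovariate(1.0 / idle_mean)
        for _ in range(max(1, int(rng.expovariate(1.0 / burst_mean)))):
            t += rng.expovariate(1.0 / gap)
            if t < horizon:
                times.append(t)
    return times


def traverse(rng, times, hops=3, hop_delay=0.05, jitter=0.02):
    """Arrival times at the far-side relay: a fixed per-hop delay plus per-packet
    jitter (assumed values). Tor keeps a circuit's cells in order, so arrivals
    are kept monotonic."""
    out, last = [], 0.0
    for t in times:
        last = max(last, t + hops * hop_delay + rng.gauss(0.0, jitter))
        out.append(last)
    return out


def bin_counts(times, width, n_bins):
    """Packets-per-window histogram: the only feature the observer records."""
    counts = [0] * n_bins
    for t in times:
        i = int(t // width)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5


def correlate(entry_times, exit_times, width=1.0, horizon=180.0, max_lag_bins=2):
    """Best correlation of the two packet-rate series over a few candidate lags,
    because the observer does not know the path delay exactly."""
    n = int(horizon / width)
    a = bin_counts(entry_times, width, n)
    best = -1.0
    for lag in range(max_lag_bins + 1):
        b = bin_counts([t - lag * width for t in exit_times], width, n)
        best = max(best, pearson(a, b))
    return best


def simulate(seed=1, n_users=5, horizon=180.0):
    """Returns (matching, scores): the adversary's best guess of which client-side
    flow belongs to which far-side flow, plus the full score matrix."""
    rng = random.Random(seed)
    entry_obs, exit_obs = {}, {}
    for u in range(n_users):
        flow = make_flow(rng, horizon)
        entry_obs[f"client{u}"] = flow                  # seen at the adversary's guard
        exit_obs[f"service{u}"] = traverse(rng, flow)   # seen at the adversary's far-side relay
    scores = {(c, s): correlate(entry_obs[c], exit_obs[s], horizon=horizon)
              for c, s in product(entry_obs, exit_obs)}
    matching = {c: max(exit_obs, key=lambda s: scores[(c, s)]) for c in entry_obs}
    return matching, scores


if __name__ == "__main__":
    matching, scores = simulate()
    for c, s in matching.items():
        print(f"{c} -> {s}  (score {scores[(c, s)]:.2f})")
```

The simulation reproduces the point the articles make rather than a real operation: an observer who sits on both sides of enough flows needs nothing but timestamps, and the more relays it controls, the more flows it sees from both sides. The assumed delay is constant per hop; real networks add queueing delay, which is why long observation windows help the attacker more than short ones.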

At the same time, Matthias Marx, a representative of the well-known hacker community Chaos Computer Club (CCC), confirmed to the media that the available evidence (documents and other information collected by journalists) "indicates that law enforcement agencies have repeatedly and successfully carried out attacks on individual Tor users for several years in order to de-anonymize them, using timing analysis for this."

In response to the report, the Tor team wrote in a blog post that everyone using current versions of the Tor Project's tools is safe, and that timing attacks are a well-known technique for which effective defenses have long existed.

The Tor Project said it had not seen all of the documents (although it requested them from the journalists), but it believes the German police were able to identify one particular Tor user because he was running outdated software, not because investigators exploited an unknown vulnerability or found a new, effective way to mount timing attacks.

For example, according to the German journalists, the timing attack was used in the investigation of a man known as Andres G. Law enforcement allegedly believed him to be the operator of the Boystown onion service, which hosted child sexual abuse material (CSAM).

Andres G allegedly used the anonymous messenger Ricochet, which routes messages between sender and recipient over Tor, and specifically a version that could not protect his Tor connections from de-anonymization through timing attacks, which is what the police exploited.

The German authorities allegedly enlisted the support of the operator Telefónica, which provided data on all O2 customers who had connected to a specific Tor relay. Matching this information against the timing analysis data allowed the authorities to identify Andres G, who was eventually arrested, charged, convicted, and imprisoned in 2022.

Tor developers write that the described method is unlikely to indicate a vulnerability in Tor itself. The Tor Project believes that, because he used the vulnerable Ricochet, Andres G was de-anonymized through a guard discovery attack: the police were able to work out which entry node (guard) the suspect's client used to send data into the Tor network. They could then request from Telefónica a list of subscribers who had connected to that relay and so establish the identity of one particular user.

The developers believe that Andres G used an old version of Ricochet, which did not have protection against such attacks.

"This protection is present in Ricochet-Refresh, a supported fork of the long-abandoned Ricochet project, starting with version 3.0.12, released in June 2022," they write.

Following the publication of the Panorama and STRG_F report, Tor users feared that the network could be flooded with police-controlled relays, compromising their anonymity. According to the developers, however, the number of relays required for such an attack would be enormous.

"The claim that the network is 'unhealthy' is not true," Pavel Zoneff, director of public relations at Tor, told The Register. "The Network Health team has implemented processes to identify large relay groups that may be controlled by a single operator or by attackers and to prevent them from joining the network. As a result, many dangerous relays were identified for removal and then banned by the Directory Authorities. Many of them most likely did not pose a real threat to users."

In addition, the Tor Project's statement emphasizes that the attacks described by the journalists took place between 2019 and 2021; since then the Tor network has grown significantly, which makes timing attacks much harder to carry out.
 
Against the backdrop of arrests and de-anonymization of darknet administrators, Tor Browser users have raised questions about its security. Several experts involved in the browser's development tried to clarify the situation.

A major wave of concern began (see above) after German investigators found a way to unmask cybercriminals on Tor through timing analysis. In particular, the authorities identified the owners and one active user of Boystown, the largest darknet site for child sexual abuse material.

The timing analysis method does not rely on software vulnerabilities; with long-term traffic monitoring it allows traffic to be traced back to a specific person.

The Tor team admitted that it does not know the exact de-anonymization technique. The developers suggested, however, that the German authorities exploited the outdated Ricochet messenger used by the arrested man.

"In addition to adding relays and expanding bandwidth, the Tor network team has also recently implemented new critical features to improve security mechanisms, speed, and performance", Pavel Zoneff, director of strategic communications at Tor, told Cointelegraph.

MatterFi CEO Michal Pospiszalski noted that timing analysis attacks are always possible in principle.

A clever loophole

Panorama examined documents related to the case but did not disclose details of how the timing analysis works. The journalists mentioned that the method targets the "entry servers", also known as guard nodes, used by the Ricochet instant messaging service.

"Based on the limited information available to the Tor Project, we believe that one user of the long-defunct Ricochet app has been completely de-anonymized by the Guard Discovery attack", Zoneff said.

When you use Tor to browse the web, traffic passes through three relays: an entry node (guard), a middle node, and an exit node. Only the guard node in this scheme knows the user's IP address.

For services like Ricochet there is no exit node: the connection is made through a "rendezvous point" inside the Tor network itself, so the traffic never "exits" to the Internet.

Ricochet circuit diagram (image). Data: Tor blog.

According to experts, during the attack on Ricochet law enforcement could have controlled several middle nodes in the Tor network, increasing the chance of tracking the traffic.

"This is a form of Sybil attack", said Brute Brother wallet recovery company CEO Or Weinberger.

He stressed that such an operation requires significant resources.

To establish a connection with the alleged perpetrator, the authorities likely sent numerous requests or packets to the user's Ricochet address so that one of the resulting circuits would eventually pass through a malicious middle node.

Once such a connection is established, law enforcement cannot instantly learn the target's IP address, but they can perform timing analysis to correlate the traffic passing through their node with the guard it came from. Having identified the guard, they request the necessary subscriber data from the Internet provider.

Outdated method

Almost three years have passed since the de-anonymization incident. During that time the Tor team has released many changes that make such attacks much harder to carry out.

"It's not uncommon for certain clients to have their own set of issues or vulnerabilities. However, [they] are always detected, and the responsible teams eliminate the exploit as quickly as they can," said Lisa Loud, executive director of the Secret Foundation.

The old version of Ricochet has also effectively ceased to exist, having been superseded by Ricochet-Refresh with the Vanguards protection mechanism.

The guard discovery attack exploits the fact that, for every new circuit, the hop next to the guard is drawn at random from the whole network; an attacker who keeps forcing the target to build circuits therefore eventually gets one of its own relays placed next to the guard and learns the guard's identity. Vanguards removes that opportunity by pinning the second and third hops to small, slowly rotating sets of relays as well, so repeatedly forcing new circuits no longer exposes fresh middle positions over time.

Ricochet-Refresh circuit diagram (image). Data: Tor blog.

"Countermeasures are always taken against any security measure," Weinberger added.

At the same time, he noted that there is no complete protection, since the resources available to states allow them to keep trying new methods.

Nodes in Germany

At the moment, Germany hosts more Tor relays than any other country.

Relay count by country (chart). Data: Tor Metrics: https://metrics.torproject.org/rs.html#aggregate/cc

As of October 18, 1,852 of the 8,085 relays were located in the country. Germany also leads the world in consensus weight (36.7%), a measure that additionally accounts for factors such as bandwidth.

"Your Tor client is more likely to choose a high-performance guard node rather than a low-performance one. Therefore, I assume that nation states will use long-running guard nodes with high bandwidth to attract more Tor users," Weinberger explained.

Tor's improved protections make it difficult, but not impossible, for states or other well-resourced entities to carry out timing analysis against users.

Technological advances also provide more opportunities for de-anonymizing users.

"Eventually, AI, which has many data monitoring points and a lot of computing power, will become very good at timing analysis. I wouldn't be surprised if such a project already exists secretly somewhere," the CEO of MatterFi reflects.

At the same time, most experts agreed that Tor is still safe for ordinary users, but the authorities keep darknet criminals on their toes.

"Will anonymous surfing on the Internet survive? Could be. It's a race, and anything can happen in the next few years to affect the final result", Loud concluded.
 
In late October, Tor relay operators, and even the Tor Project team itself, began receiving complaints about port scans allegedly conducted from their servers. It later turned out that the attackers had forged source IP addresses so that the suspicious traffic appeared to originate from Tor relays.

The investigation established that the complaints were caused by a coordinated IP spoofing attack. The attackers forged packets carrying the source addresses of non-exit relays and other Tor nodes, which triggered automatic abuse complaints against their operators. The source of the forged packets was located and the problem was resolved on November 7.

It is important to emphasize that this incident did not affect Tor users. The attack affected only a small number of relays, temporarily taking them offline. Relay operators, however, had to deal with a wave of complaints and the extra work of clearing things up with their providers. Although the attack was aimed at the Tor community, IP spoofing of this kind could be turned against any online service.

At the moment, the project's task is to support relay operators: to get their hosting accounts restored and to help providers unblock the IP addresses of the Tor directory authorities. Operators whose relays are still blocked are advised to use the OONI Probe tool and its Circumvention test to check whether the directory authorities are reachable; if they are not, they should contact their hosting provider's support.

Affected operators can also send a template letter to their ISPs explaining that the relays have fallen victim to the attack and are not the source of suspicious traffic.

The Tor network's directory authorities play a critical role in maintaining the list of available relays, and the attack on them aimed to disrupt the entire network. The attackers used spoofed SYN packets to create the impression that Tor relay IP addresses were the sources of the scans. As a result, those addresses were blocked by major hosting providers such as OVH and Hetzner on the basis of false complaints.
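A relay operator or an abuse desk receiving such complaints has one cheap check available: a non-exit relay only ever opens connections to other relays' ORPorts and to directory servers, so a report that it sent bare SYNs to arbitrary ports on an unrelated host points to a forged source address rather than to the relay. The following triage script is an added example, not a Tor Project tool. The consensus excerpt (in the style of Tor's network-status "r" and "s" lines, with made-up identity fields) and the complaint lines are constructed for this example and use documentation IP ranges.

```python
"""Triage of abuse complaints against Tor relay addresses.

Added example. Classifies each complaint by what the consensus says about the
reported source: not a relay, an exit (whose traffic is real but not the
operator's), relay-to-relay link traffic, or a non-exit relay accused of
SYN-scanning an unrelated host, which is consistent with spoofing.
"""
import csv
import io

# Constructed consensus excerpt: 'r' line fields are
# r nickname identity digest date time IP ORPort DirPort, followed by an 's' flags line.
CONSENSUS_EXCERPT = """\
r alpha IDENT1 DIGEST1 2024-11-01 10:00:00 203.0.113.10 9001 0
s Fast Guard Running Stable Valid
r bravo IDENT2 DIGEST2 2024-11-01 10:00:00 203.0.113.20 443 0
s Exit Fast Running Valid
r charlie IDENT3 DIGEST3 2024-11-01 10:00:00 198.51.100.5 9001 0
s Authority Fast Running Stable V2Dir Valid
"""

# Constructed abuse-desk export: flow records as a provider might forward them.
COMPLAINTS = """\
timestamp,src,dst,dport,tcp_flags
2024-10-28T14:02:11Z,203.0.113.10,192.0.2.77,22,S
2024-10-28T14:02:12Z,203.0.113.10,192.0.2.78,22,S
2024-10-28T14:03:30Z,203.0.113.10,203.0.113.20,443,S
2024-10-28T14:05:40Z,203.0.113.20,192.0.2.80,80,S
2024-10-28T14:07:03Z,198.51.100.5,192.0.2.81,3389,S
2024-10-28T14:09:15Z,192.0.2.250,192.0.2.82,22,S
"""


def parse_consensus(text):
    """Map relay IP -> {'orport': str, 'flags': set} from consecutive r/s lines."""
    relays, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = parts[6]  # IP address field of the 'r' line
            relays[current] = {"orport": parts[7], "flags": set()}
        elif parts[0] == "s" and current is not None:
            relays[current]["flags"] = set(parts[1:])
    return relays


def classify(report, relays):
    """Label one complaint row (a dict from the CSV)."""
    relay = relays.get(report["src"])
    if relay is None:
        return "not a relay"
    target = relays.get(report["dst"])
    if target is not None and report["dport"] == target["orport"]:
        return "relay-to-relay: normal Tor link traffic"
    if "Exit" in relay["flags"]:
        return "exit relay: may be real Tor exit traffic, not the operator's"
    if report["tcp_flags"] == "S":
        return "non-exit relay: SYN-only to unrelated host, consistent with spoofed source"
    return "non-exit relay: needs manual review"


def triage(complaints_csv=COMPLAINTS, consensus=CONSENSUS_EXCERPT):
    """List of (source IP, label) in complaint order."""
    relays = parse_consensus(consensus)
    rows = csv.DictReader(io.StringIO(complaints_csv))
    return [(r["src"], classify(r, relays)) for r in rows]


def spoofed_sources(complaints_csv=COMPLAINTS, consensus=CONSENSUS_EXCERPT):
    """Sorted source IPs whose complaints look like forged-source traffic."""
    return sorted({src for src, label in triage(complaints_csv, consensus)
                   if label.startswith("non-exit relay: SYN-only")})


if __name__ == "__main__":
    for src, label in triage():
        print(f"{src:15} {label}")
```

The check is deliberately conservative: an exit relay really can be the source of connections to arbitrary hosts, so complaints about it get the usual exit-abuse handling rather than a spoofing label, and a non-exit relay contacting another relay's ORPort is ordinary link traffic. Only the remaining case, a guard or directory authority apparently SYN-scanning random hosts, is what a forged-source campaign of the kind described above looks like from the receiving end. Confirming it still needs packet captures at the relay, which will show no such outbound SYNs.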

The attack drew wide attention among security specialists. Especially valuable was the analysis by Pierre Bourdon, who examined the mechanism of the attack in detail and shared his findings with the community, giving it a much deeper understanding of what had happened.
 