Over 100 Tor Nodes Have Gone Rogue, Snooping on the Dark Web Sites

Rafia Shaikh
When Tor goes rogue

Researchers have discovered over 100 Tor nodes that have gone rogue, potentially spying on the Dark Web sites that use the service to mask their operators' identities.

Tor, short for The Onion Router, is a service that promises anonymity to its users. Tor uses "nodes" and Tor hidden services directories (HSDirs) to shuffle your network traffic from apps or browser, before sending it to the desired destination. Shuffling through randomly chosen nodes disguises location, making it harder for servers to spot you on repeat visits. This helps in masking the sender's identity, making tracking and surveillance more difficult. Using thousands of these nodes that are run by volunteers around the world, Tor relies on the honesty of the relays and their operators. Simply put, it's these nodes that help Tor in masking the true IP addresses of the users. However, HSDirs can be set up by anyone. Which is where the problem lies.

Tor's security and anonymity is based on the assumption that the large majority of its relays are honest and do not misbehave. Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs). - Noubir

Nodes are "expected" to follow the see, hear and speak no evil. But, that apparently isn't true. Using a number of tricks, these relays can unmask your identity.

110 snooping Tor nodes discovered

Researchers Amirali Sanatinia and Guevara Noubir from the Northwestern University have discovered [PDF] over 100 nodes on the network that are misbehaving. These nodes are potentially spying on the users, thereby removing anonymity that the service promises. The research team carried an experiment that lasted for 72 days to gather and analyze data. They discovered at least 110 malicious HSDirs on the network, mostly located in the US, UK, France, Germany, and the Netherlands.

25 percent of all 110 nodes discovered in the experiment functioned as both the HSDir and Exit nodes. This allowed their operators to view all unencrypted traffic, and possibly launch man-in-the-middle (MitM) attacks. But, it's not as easy for nodes to go rogue as it sounds. They have to use tons of traps and tricks to achieve that, and Tor already has a strategy to identify bad relays. It's techniques aren't "perfect" though.

When we find a bad relay, we throw it out of the network. But our techniques for finding bad relays aren’t perfect, so it’s good that there are other researchers also working on this problem. Acting independently, we had already detected and removed many of the suspicious relays that these researchers have found. - Tor

Tor is working on a new design for hidden services. But if you are someone who uses Tor for life threatening reasons (read, a journalist in the war zone), it might be better to use additional security services too.

Share this story

Deal of the Day