Status: 18.09.2024 06:00 AM
Through the Snowden revelations in 2013, the Tor browser became popular worldwide. Panorama has researched that the underlying anonymization network has been infiltrated by investigative authorities in recent years. How did they manage to do that?
by Robert Bongen and Daniel Moßbrucker
When an anonymous user on the platform "Reddit" spread information on January 20 of this year that law enforcement agencies from the USA, Brazil, Germany, and the UK were operating servers in the Tor network to deanonymize users, it barely caused a stir. It seemed like another rumor, of which there had been several in recent years, this time about an alleged "Operation Liberty Lane". The Tor Project, which advocates as a non-governmental organization for the maintenance of the Tor network, also saw "no evidence" in the Reddit post, but rather "speculative scenarios," as it stated in response to Panorama.
What was new about this post, however, was that the anonymous user published a series of court documents that contained hints suggesting a coordinated, international surveillance operation by law enforcement agencies. For reporters from Panorama and _STRG_F, they were another piece of the puzzle in an investigation that lasted over two years and independently of the Reddit post suggests that German investigators are already capable of undermining Tor anonymity with a measure previously thought impossible.
More information
The Tor network is considered the most important tool for surfing the internet anonymously. Law enforcement agencies have apparently begun to infiltrate it in order to expose criminals. They have been successful in at least one case. more
It depends on the 'timing'
_Panorama-_Reporter have researched the world's first cases where Tor users can be deanonymized using so-called "timing" analyses. This method differs from ordinary IT attacks in that it does not require security vulnerabilities to target users. When cybercriminals spread viruses or states want to monitor smartphones, they usually inject corresponding software that specifically exploits security vulnerabilities.
Dem BKA gelang es im Ermittlungsverfahren gegen die pädokriminelle Darknetplattform „Boystown“ Tor-Knoten zu identifizieren, die einem der Hintermänner dienten, sich zu anonymisieren.
The Tor Project emphasized that the Panorama investigations did not indicate that the Tor browser was being exploited due to a vulnerability. What is meant to sound reassuring shows how serious the incident is for the Tor Project: The attack documented by Panorama works even when the Tor software is functioning flawlessly. In the so-called "timing" analyses, the size of encrypted data packets is particularly captured and assigned to individual users. While it is not possible to see what users are sending, it is visible that they are communicating. This data is statistically processed in such a way that tracing through the Tor network becomes possible: Investigators start with the anonymous darknet user and trace the trail back to the real IP address of a person.
More information
"Boystown" was one of the largest pedocriminal darknet forums of all time. Until its shutdown by law enforcement in 2021, it was run by Andreas G. from his kitchen table. Panorama gave an interview - in prison. more
Theoretical attack is now real
That such "timing" analyses could also be possible in the Tor network has been theoretically proven by IT scientists in recent years. However, they were considered impractical in practice because an attacker would either have to monitor many Tor servers or secretly operate them themselves – or both. The effort is correspondingly high. Various investigative authorities in Germany did not want to comment to Panorama. Not even the information on whether they at least tried to use "timing" analyses to unmask criminals was something an investigator wanted to comment on openly.
Matthias Marx, one of the spokespersons of the Chaos Computer Club, was able to review the research documents from Panorama and STRG_F. He says: "The documents in connection with the described information strongly suggest that law enforcement agencies have repeatedly and successfully conducted timing analysis attacks against selected Tor users for several years in order to deanonymize them."
The network is no longer 'healthy'
The Tor Project initially stated upon request that people could continue to use the Tor browser to "surf the internet safely and anonymously." However, a few days after the Panorama request, the managing director Isabela Fernandes resorted to an unusual measure: she quoted from this request and openly disseminated the results of the research on the internet without informing the editorial team and waiting for the actual publication. A spokesperson for the Tor Project had previously asked a Panorama reporter to disclose their sources. The editorial team refused to comment on this.
The reactions show how hard the revelations hit the network once personally recommended by Edward Snowden. When the whistleblower revealed the widespread surveillance of the internet by Western intelligence agencies in 2013, the network experienced unprecedented growth. The "timing" analyses have now become possible on one hand because law enforcement agencies are increasingly cooperating internationally and have expanded their surveillance. On the other hand, however, the Tor network is no longer "healthy," as experts call it. In fact, the strength of Tor should be that anyone can operate so-called nodes through which Tor users can connect to the internet and obscure their identity. The idea behind this so-called decentralization: The more different people operate Tor servers in different countries, the harder it would be for a state to monitor large parts of the network. However, with around 7000 to 8000 Tor nodes, the network has not grown substantially for years.
Strong concentration in data centers
Even worse for Tor is that the existing servers are controlled by fewer and fewer people. This increases the risk that just a few monitored nodes are enough to control large parts of the network. "It is problematic when too large a share of the Tor network is operated by only a few people or too many nodes are centrally operated in the data centers of a few mass hosters in a few countries," said Gero Kühn, board member of the Essen-based association "Article 5."
The association operates its own Tor servers, according to its own statements, to strengthen "citizen rights in the digital age." Kühn calculated to Panorama that the ten largest operators of so-called exit nodes, that is, those with which users leave the Tor network, accounted for about 50 percent of the total capacity. The Tor Project also admitted to Panorama that the diversity of the network is a "burning issue" for the Tor community.
Promising Method for Investigators
Investigative authorities have found a way to successfully unmask criminals even in the isolated dark web with extensive surveillance programs. Especially since "timing" analyses do not rely on software vulnerabilities, a response from the Tor Project in the form of a quick update is unlikely. "The Tor Project is now under pressure to improve anonymity protection," says Matthias Marx from the Chaos Computer Club.
The network activists do not accuse authorities of wanting to unmask criminals in the dark web. But: "The technical possibility of conducting timing analyses exists not only for German law enforcement agencies to pursue serious crimes, but equally for unjust regimes in the persecution of journalists, opposition members, and whistleblowers," warns Marx.
"Secures the core of a free press"
In this respect, Helene Hahn, a representative for internet freedom at Reporters Without Borders (RSF), also appears concerned. Especially in countries with extensive internet censorship, anonymization services like the Tor network are a refuge for people who can only work under the protection of absolute anonymity: "Being able to remain anonymous on the internet thus secures the core of a free press."
Reporters Without Borders operates its own Tor servers to support the network. Even in Germany, most investigative media have a so-called anonymous mailbox that potential sources can safely access via Tor and digitally "drop" their information, says Hahn. "In the end, we all benefit from this, as information that is in the public interest comes to light through brave sources and independent journalism."