The Tor Project has defended the integrity of its privacy-preserving network following allegations from German authorities that user anonymity on Tor has been compromised. The controversy centres around claims that German police successfully unmasked at least one Tor user, Andres G, through surveillance, raising concerns about the system’s effectiveness in protecting its users.
Andres G runs a notorious .onion website called Boystown, which hosts child sex abuse material (CSAM). Andres relied on the Ricochet messaging app, which runs over the Tor network, but is believed to have used an outdated version that lacked crucial protections against timing attacks.
Authorities reportedly matched his Ricochet traffic with data from internet service provider Telefonica, allowing them to trace his connections and ultimately identify him.
The claims, first aired by the German news program Panorama and investigative YouTube channel STRG_F, assert that Germany’s Federal Criminal Police Office (BKA) and the Public Prosecutor General’s Office in Frankfurt employed “Timing analysis” to track and identify a Tor user, reports The Register.
While the specifics of how the timing analysis works were not fully explained, the report suggests that matching the timing of packets entering and exiting the Tor network provided law enforcement with crucial clues.
Despite these reports, the Tor Project insists that the user was identified not because of a fundamental flaw in the Tor network, but because ‘G’ used insecure, outdated software.
According to Tor, it is far more likely that authorities conducted a ‘guard discovery attack,’ targeting the entry node of the user’s connection. Once they had identified the entry node, they could request subscriber data from Telefonica and link the connection to the user.
Tor also claims that the version of the Ricochet messaging app ‘G’ was using was an older one lacking protection against such attacks. These vulnerabilities, Tor says, were patched in a newer fork of Ricochet, called Ricochet-Refresh, which has included updated security measures since June 2022.
The Tor Project has requested more information on the techniques used by German law enforcement to deanonymise the user in this case. Without access to the relevant documents, the organisation has expressed difficulty in issuing official guidance to its users and relay operators on preventing similar attacks in the future.