Service vulnerable
Law enforcement agencies can undermine Tor anonymization
The Tor network, which allows people around the world to surf the Internet anonymously, can apparently be monitored by German investigative authorities in order to deanonymize users. This is shown by investigations by the German TV stations ARD and NDR, which for the first time document cases in which methods previously thought impossible were successful.
Tor is the world's largest network for moving anonymously on the Internet. Tor users route their connection via servers, so-called Tor nodes, to disguise what they are doing: using the Tor browser, they can navigate websites on the internet anonymously or access pages on the so-called darknet. There are currently almost 8000 Tor nodes in operation in around 50 countries.
For journalists and human rights activists, Tor is an important research and communication tool for exchanging information with sources - especially in countries where the internet is monitored and censored. However, the anonymity also attracts criminals who use Tor to carry out cyber attacks or trade in illegal goods, for example.
Technical hurdle overcome
For years, Tor represented a technical hurdle for investigating authorities that was almost impossible to overcome. However, research by the ARD magazine Panorama and the NDR magazine STRG_F shows that the authorities have apparently recently expanded their strategy to overcome Tor. This requires years of monitoring individual Tor nodes, a method officially known as "timing analysis".
The more nodes in the Tor network are monitored by the authorities, the more likely it is that a user's attempt to disguise their connection will run via monitored nodes. The timing of individual data packets allows anonymized connections to be traced back to the Tor user. The "timing analysis" is successful even though data connections in the Tor network are encrypted multiple times.
For years, there was speculation as to whether "timing analysis" was even possible on the Tor network. The Tor Project, a non-profit organization based in the USA that aims to ensure the maintenance of the anonymization network, stated on request that it was not aware of any documented cases to date.
Pedocriminals revealed
However, research by Panorama and STRG_F found that, in the investigation into the pedocriminal darknet platform Boystown, the German Federal Criminal Police Office (BKA) and the Public Prosecutor General's Office in Frankfurt am Main identified several Tor nodes that were used by one of the people behind the platform to anonymize themselves.
For example, the BKA twice investigated Tor nodes used by platforms operated by the then Boystown administrator Andreas G. to connect to the Tor network. This was a scene chat in which leading members of various pedocriminal forums exchanged information. According to a statement from the NDR, it was also possible to identify so-called entry servers from the Ricochet chat service used by G. on two occasions - a breakthrough for the BKA.
For the final identification, the Frankfurt am Main district court obliged the provider Telefónica to determine which of all customers of the provider o2 connected to one of the identified Tor nodes. The investigation led to the arrest of Andreas G. in North Rhine-Westphalia. In December 2022, he was sentenced to many years in prison. The verdict is not yet final.
Widespread surveillance of Tor servers
The responsible public prosecutor's office in Frankfurt am Main stated on request that it would neither confirm nor deny a "timing analysis" in the Boystown proceedings. The BKA also refused to comment on the details of the case.
However, reporters from the two magazines were able to speak to people who have independent knowledge of large-scale surveillance measures targeting such Tor servers. The number of Tor nodes monitored in Germany is said to have risen sharply in recent years. The monitored data also suggests that it may be used for "timing analyses".
Experts who were able to view the research documents independently confirmed the research results. Matthias Marx, one of the spokespersons for the Chaos Computer Club, said: "The documents in conjunction with the information described strongly suggest that law enforcement agencies have repeatedly and successfully carried out timing analysis attacks against selected Tor users for several years in order to deanonymize them."
"Still secure and anonymous"
Various investigative authorities in Germany did not want to comment on any surveillance programs in relation to the Tor network. When asked, the Tor Project explained that Tor users can continue to use the Tor browser to surf the internet securely and anonymously. They did not want to speculate on the specific incident without access to the research documents. A representative of the affected chat service Ricochet, which is now called Ricochet Refresh and is one of the most secure ways to communicate online, made a similar statement.
