Swedish Researchers Uncover Dirty Tor Exit Relays

Researchers find 25 “spoiled onions” used to look through or censor users’ Tor traffic

Sweden-based researchers have uncovered a range of malicious Tor exit relays that could threaten the privacy of the Onion router network user base, but the findings could also help improve its security.

An exit node, the final destination in the series of servers Tor users hop through to acquire privacy, can be set up quickly and anonymously, without the need to give away contact information.

Whilst Tor has protections in place to prevent snooping via those exit relays, and regularly votes on which ones to block, if users visit sites with poorly implemented security, such as where session cookies are sent in the clear, they can still be spied on.

Researchers from Karlstad University in Sweden have created a number of “fast and modular” exit relay scanners, building a tool called exitmap, which collected data over four months.

Scanning for Tor security issues

Claiming to have published the first thorough study of active attacks taking place over Tor, the students uncovered a number of “spoiled onions” using exitmap. They found 25 malicious relays, most of which were traced back to Russia, and some of which were used to support censorship laws in certain countries.

Attackers appeared to have used some of these relays to disrupt or prevent encrypted communications between a user and a web server, known as an sslstrip attack.

“While the HTTP Strict Transport Security policy prevents sslstrip, it is still an effective attack against many large-scale websites with Yahoo being one of them as of January 2014,” the report read.

Man-in-the-middle attacks that grab SSL certificates were also carried out over the nasty relays, as were DNS-based attacks. By creating their Python-based tool, the researchers said they enabled “continuous and crowd-sourced measurements rather than one-time scans”, looking for attacks such as those named above. The method involves provoking exit relays to tamper with the researchers’ connections, revealing their malicious activity.

The modular architecture of exitmap allows it to scan the entire Tor network in seconds without taking up too much bandwidth, the whitepaper claimed.
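The comparison at the heart of such a scan, shown here as an added illustration rather than exitmap’s own code: a fetch made through one exit relay is compared with a trusted baseline fetch, and any divergence in DNS answers, TLS certificate, or HTTPS links is classified as one of the attack types named above. All records, field names and fingerprints below are constructed for the example.

```python
"""Simplified exit-relay tampering checks in the spirit of exitmap.

Illustrative only: the probes are constructed records, not live Tor
circuits, and the field names are this example's own, not exitmap's API.
"""
from dataclasses import dataclass
import re

HTTPS_LINK = re.compile(r"https://", re.IGNORECASE)
HTTP_LINK = re.compile(r"http://", re.IGNORECASE)


@dataclass(frozen=True)
class Probe:
    """What one fetch of a destination looked like through a given exit."""
    exit_id: str            # label for the exit relay (constructed)
    dns_answers: frozenset  # IPs the exit's resolver returned for the host
    cert_sha256: str        # fingerprint of the leaf certificate presented
    body: str               # decoded HTTP body of the page


def check_exit(baseline: Probe, observed: Probe) -> list:
    """Compare one exit's probe with a baseline fetched outside Tor.

    Returns the tampering classes detected; an empty list means clean.
    """
    findings = []
    # DNS-based attack: the name resolved to addresses the site does not use.
    if not observed.dns_answers <= baseline.dns_answers:
        findings.append("dns-tamper")
    # Certificate MITM: a different leaf certificate was presented.
    if observed.cert_sha256 != baseline.cert_sha256:
        findings.append("ssl-mitm")
    # sslstrip: HTTPS links in the page were rewritten to plain HTTP.
    base_https, obs_https = len(HTTPS_LINK.findall(baseline.body)), len(HTTPS_LINK.findall(observed.body))
    base_http, obs_http = len(HTTP_LINK.findall(baseline.body)), len(HTTP_LINK.findall(observed.body))
    if base_https and obs_https < base_https and obs_http > base_http:
        findings.append("sslstrip")
    return findings


def scan(baseline: Probe, probes) -> dict:
    """Run every probe against the baseline, keyed by exit label."""
    return {p.exit_id: check_exit(baseline, p) for p in probes}


# Constructed sample data: a baseline fetch, one honest exit, one dirty exit.
BASELINE = Probe("baseline", frozenset({"198.51.100.10"}), "aa" * 32,
                 '<a href="https://example.test/login">Log in</a>')
PROBES = [
    Probe("exit-honest", frozenset({"198.51.100.10"}), "aa" * 32, BASELINE.body),
    Probe("exit-dirty", frozenset({"203.0.113.7"}), "bb" * 32,
          '<a href="http://example.test/login">Log in</a>'),
]

if __name__ == "__main__":
    for exit_id, findings in scan(BASELINE, PROBES).items():
        print(exit_id, "clean" if not findings else ", ".join(findings))
```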

However, exitmap could also be used for malicious purposes. “It can be used for various unintended – and even unethical – purposes. For example, modules for web site scraping or online voting manipulation come to mind,” the paper read. But such activity would take place with or without the tool, the code for which has now been made open source, the researchers said.

In a blog post for the Tor Project, one of the paper’s authors, Philipp Winter, said it was important to note that “25 relays in four months isn’t a lot”.

“Even if your traffic is going through a malicious exit relay, it doesn’t mean that everything is lost,” Winter added. “We want to point out that all of these attacks are of course not limited to the Tor network.”
