Swedish Researchers Uncover Dirty Tor Exit Relays

Sweden-based researchers have uncovered a range of malicious Tor exit relays that could threaten the privacy of the Onion router network user base, but the findings could also help improve its security.

An exit node, the final destination in the series of servers Tor users hop through to acquire privacy, can be set up quickly and anonymously, without the need to give away contact information.

Whilst Tor has protections in place to prevent snooping via those exit relays, and regularly votes on which ones to block, if users visit sites with poorly implemented security, such as where session cookies are sent in the clear, they can still be spied on.

Researchers from Karlstad University in Sweden have created a number of “fast and modular” exit relay scanners, building a tool called exitmap, which collected data over four months.

Scanning for Tor security issues

Claiming to have published the first thorough study of active attacks taking place over Tor, the students uncovered a number of “spoiled onions” using exitmap. They found 25 malicious relays, most of which were traced back to Russia, and some of which were used to support censorship laws in certain countries.

Attackers appeared to have used some of these relays to disrupt or prevent encrypted communications between a user and a web server, known as an sslstrip attack.

“While the HTTP Strict Transport Security policy prevents sslstrip, it is still an effective attack against many large-scale websites with Yahoo being one of them as of January 2014,” the report read.

Man-in-the-middle attacks that grab SSL certificates were also carried out over the nasty relays, as were DNS-based attacks. By creating their Python-based tool, the researchers said they enabled “continuous and crowd-sourced measurements rather than one-time scans”, looking for attacks such as those named above. The method involves provoking exit relays to tamper with the researchers’ connections, revealing their malicious activity.
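The comparison behind that method can be sketched as follows. This is an added example, not exitmap's code or anything from the researchers' paper. It assumes a trusted direct fetch of a decoy site as the baseline, and all relay names, certificate bytes, HTML and addresses are constructed sample data.

```python
import hashlib
import re

# Hosts referenced by href/action attributes, split by URL scheme.
LINK = re.compile(r'(?:href|action)=["\'](https?)://([^"\'/\s]+)', re.I)

def hosts_by_scheme(html):
    found = {"http": set(), "https": set()}
    for scheme, host in LINK.findall(html):
        found[scheme.lower()].add(host.lower())
    return found

def stripped_hosts(baseline_html, observed_html):
    """Hosts the baseline links only over HTTPS but the relay's copy links over HTTP."""
    base, seen = hosts_by_scheme(baseline_html), hosts_by_scheme(observed_html)
    return sorted((base["https"] - base["http"]) & seen["http"])

def check_relay(baseline, observed):
    """Compare one relay's view of a decoy site with a trusted direct fetch."""
    findings = []
    if hashlib.sha256(observed["cert_der"]).hexdigest() != baseline["cert_sha256"]:
        findings.append("cert-mismatch")   # possible TLS man-in-the-middle
    if stripped_hosts(baseline["html"], observed["html"]):
        findings.append("sslstrip")        # HTTPS links rewritten to HTTP
    if not set(observed["dns"]) <= set(baseline["dns"]):
        findings.append("dns-mismatch")    # answer outside the expected set
    return findings

# Constructed sample data: placeholder certificate bytes, RFC 5737 addresses.
GOOD_CERT = b"constructed-der-bytes-of-decoy-site-cert"
PAGE = '<form action="https://login.example.com/session"><a href="http://example.com/">home</a>'
BASELINE = {"cert_sha256": hashlib.sha256(GOOD_CERT).hexdigest(),
            "html": PAGE, "dns": ["192.0.2.10", "192.0.2.11"]}
OBSERVATIONS = {
    "relay-clean": {"cert_der": GOOD_CERT, "html": PAGE, "dns": ["192.0.2.11"]},
    "relay-strip": {"cert_der": GOOD_CERT, "dns": ["192.0.2.10"],
                    "html": PAGE.replace("https://login", "http://login")},
    "relay-mitm": {"cert_der": b"constructed-substitute-cert", "html": PAGE,
                   "dns": ["203.0.113.5"]},
}

def scan(observations=OBSERVATIONS, baseline=BASELINE):
    return {name: check_relay(baseline, obs) for name, obs in observations.items()}

if __name__ == "__main__":
    for relay, findings in scan().items():
        print(relay, findings or "ok")
```

A mismatch is a lead rather than proof: sites served from several certificates or location-dependent DNS produce the same signal, so a flagged relay needs repeat measurements before it is reported.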

The modular architecture of exitmap allows it to scan the entire Tor network in seconds without taking up too much bandwidth, the whitepaper claimed.

However, exitmap could also be used for malicious purposes. “It can be used for various unintended – and even unethical – purposes. For example, modules for web site scraping or online voting manipulation come to mind,” the paper read. But such activity would take place with or without the tool, the code for which has now been made open source, the researchers said.

In a blog post for the Tor Project, one of the paper’s authors, Philipp Winter, said it was important to note that “25 relays in four months isn’t a lot”.

“Even if your traffic is going through a malicious exit relay, it doesn’t mean that everything is lost,” Winter added. “We want to point out that all of these attacks are of course not limited to the Tor network.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
