[ISN] Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

From: InfoSec News (alerts@private)
Date: Mon Sep 10 2007 - 22:17:52 PDT


By Kim Zetter

A security researcher intercepted thousands of private e-mail messages 
sent by foreign embassies and human rights groups around the world by 
turning portions of the Tor internet anonymity service into his own 
private listening post.

A little over a week ago, Swedish computer security consultant Dan 
Egerstad posted the user names and passwords for 100 e-mail accounts 
used by the victims, but didn't say how he obtained them. He revealed 
Friday that he intercepted the information by hosting five Tor exit 
nodes placed in different locations on the internet as a research 

Tor is a sophisticated privacy tool designed to prevent tracking of 
where a web user surfs on the internet and with whom a user 
communicates. It's endorsed by the Electronic Frontier Foundation and 
other civil liberties groups as a method for whistleblowers and 
human-rights workers to communicate with journalists, among other uses.

It's also used by law enforcement and other government agencies to visit 
websites anonymously to read content and gather intelligence without 
exposing their identity to a website owner.

But Egerstad says that many who use Tor mistakenly believe it is an 
end-to-end encryption tool. As a result, they aren't taking the 
precautions they need to take to protect their web activity.

He believes others are likely exploiting this oversight as well.

"I am absolutely positive that I am not the only one to figure this 
out," Egerstad says. "I'm pretty sure there are governments doing the 
exact same thing. There's probably a reason why people are volunteering 
to set up a node."

Victims of Egerstad's research project included embassies belonging to 
Australia, Japan, Iran, India and Russia. Egerstad also found accounts 
belonging to the foreign ministry of Iran, the United Kingdom's visa 
office in Nepal and the Defence Research and Development Organization in 
India's Ministry of Defence.

In addition, Egerstad was able to read correspondence belonging to the 
Indian ambassador to China, various politicians in Hong Kong, workers in 
the Dalai Lama's liaison office and several human-rights groups in Hong 

Egerstad says it wasn't just e-mail that was exposed but instant 
messages passed internally between workers and any other web traffic 
that crossed the network. Among the data he initially collected was 
e-mail from an Australian embassy worker with the subject line referring 
to an "Australian military plan."

"It kind of shocked me," he says.

Tor has hundreds of thousands of users around the world, according to 
its developers. The largest numbers of users are in the United States, 
the European Union and China.

Tor works by using servers donated by volunteers around the world to 
bounce traffic around en route to its destination. Traffic is encrypted 
through most of that route, and routed over a random path each time a 
person uses it.

Under Tor's architecture, administrators at the entry point can identify 
the user's IP address, but can't read the content of the user's 
correspondence or know its final destination. Each node in the network 
thereafter only knows the node from which it received the traffic, and 
it peels off a layer of encryption to reveal the next node to which it 
must forward the connection. (Tor stands for "The Onion Router.")

But Tor has a known weakness: The last node through which traffic passes 
in the network has to decrypt the communication before delivering it to 
its final destination. Someone operating that node can see the 
communication passing through this server.

The Tor website includes a diagram showing that the last leg of traffic 
is not encrypted, and also warns users that "the guy running the exit 
node can read the bytes that come in and out of there." But Egerstad 
says that most users appear to have missed or ignored this information.

Unless they're surfing to a website protected with SSL encryption, or 
use encryption software like PGP, all of their e-mail content, instant 
messages, surfing and other web activity is potentially exposed to any 
eavesdropper who owns a Tor server. This amounts to a lot of 
eavesdroppers -- the software currently lists about 1,600 nodes in the 
Tor network.
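The layering described in the preceding paragraphs, and why SSL or PGP closes the gap, as an added toy model that is not Tor's real protocol nor code from anyone in the article: each relay shares a key with the client, the client wraps the payload once per hop, and a relay can strip only its own layer, so the exit relay ends up holding whatever the client sent unless that payload was itself encrypted end to end. Relay names, keys and the sample mail login are constructed, and the SHA-256 stream cipher merely stands in for Tor's actual per-hop encryption.

```python
import hashlib, os

HOP_LEN, NONCE_LEN = 32, 12   # fixed-width next-hop field; per-layer nonce prefix

def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode); stands in for Tor's per-hop
    # AES layers, which this model does not reproduce.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))

def build_onion(route, destination: str, payload: bytes) -> bytes:
    # route = [(relay_name, key shared with the client), ...] from entry to exit.
    # Wrap from the exit inward; only the innermost layer names the destination.
    blob, next_hop = payload, destination
    for name, key in reversed(route):
        blob = seal(key, next_hop.encode().ljust(HOP_LEN, b"\0") + blob)
        next_hop = name
    return blob

def relay_peel(key: bytes, blob: bytes):
    # All a relay can do: strip exactly one layer and learn the next hop.
    inner = unseal(key, blob)
    return inner[:HOP_LEN].rstrip(b"\0").decode(), inner[HOP_LEN:]

def run_circuit(route, destination: str, payload: bytes) -> dict:
    # What each relay observes: (next hop it learns, bytes it forwards). The exit
    # relay's forwarded bytes are exactly what reaches the destination.
    seen, blob = {}, build_onion(route, destination, payload)
    for name, key in route:
        next_hop, blob = relay_peel(key, blob)
        seen[name] = (next_hop, blob)
    return seen

# Constructed demo data: three relays, a mail login, and an end-to-end key that
# stands in for the SSL/PGP protection the article says most users skipped.
ROUTE = [("entry", b"k1" * 16), ("middle", b"k2" * 16), ("exit", b"k3" * 16)]
DEST, E2E_KEY = "mail.example.org", b"dest-key" * 4
MESSAGE = b"USER staff\r\nPASS example-password\r\n"
```

Running `run_circuit(ROUTE, DEST, MESSAGE)` shows the entry relay learning only the next hop, the exit relay holding the full login in the clear, and the same call with `seal(E2E_KEY, MESSAGE)` leaving the exit relay with ciphertext it cannot read.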

Egerstad discovered the problem about two months ago when he signed up 
five servers he owns in Sweden, the United States and Asia to be Tor 
nodes, and started peeking at the traffic. He was surprised to discover 
that 95 percent of the traffic that passed through his Tor nodes was not 

Even more surprising was the number of embassies and other government 
agencies that were using Tor, and using it incorrectly.

That prompted Egerstad to narrow his search to e-mail correspondence 
with a focus on government agencies. He wrote a script to search for 
.gov domains and keywords such as "embassy," "war" and "military," and 
focused on sniffing port-25 traffic, the port through which e-mail 

He collected between 200 and 250 accounts belonging to embassies and 
government agencies that were sending passwords and the content of 
correspondence in the clear. None of them belonged to U.S. embassies or 
government agencies.

Among the data he found in the correspondence was a spreadsheet listing 
passport numbers and personal information about the passport holders, as 
well as sensitive details about meetings and activities among government 

Egerstad contacted one account holder about his vulnerability but was 
ignored, he says. So on Aug. 30 he posted 100 of the accounts and 
passwords online to get the word out, but kept largely mum about how 
he'd obtained the information.

Since posting the data, he says only one victim has contacted him to 
find out what they were doing wrong and learn how to fix it: Iran. In 
addition to Iran's Ministry of Foreign Affairs, the country's embassies 
in Ghana, Kenya, Oman and Tunisia were swept up by Egerstad's 
experimental surveillance.

Shava Nerad, the development director for the nonprofit group that 
supports Tor, admits the group needs to produce better documentation for 
users to make the risks of the system clearer. But she adds that people 
in high-risk environments, such as embassies, should understand those 
risks already and should be encrypting their communication on their own.

"If you're in a position like that handling sensitive data and you're 
working for the government," she says, "it is irresponsible to send that 
data unencrypted. They should institute practices that educate their 
users and ensure the privacy of the data by going through encrypted 

Egerstad says he has shut down his Tor nodes.

This archive was generated by hypermail 2.1.3 : Mon Sep 10 2007 - 22:36:04 PDT