The debate over online anonymity is as old as the internet itself. On one side, privacy advocates and civil rights groups argue that anonymity is essential for protecting freedom of speech, especially for those living under repressive regimes, journalists, activists, and whistleblowers. Those who want privacy rely on a variety of tools, such as privacy-enhanced browsers and operating systems (OS), ad blockers, VPNs, end-to-end encryption, or Tor (The Onion Router), depending on their particular goals.
On the other side of the coin, cyberattack attribution is notoriously difficult and law enforcement and government agencies assert that absolute anonymity enables criminal activities, such as drug trafficking, cybercrime, and child exploitation. Recent claims by German authorities about de-anonymizing Tor users using timing analysis highlight the ongoing struggle between those who defend the right to privacy and those who seek to uncover identities in the name of security.
In this article we will explore the news story to uncover how German authorities implemented a strategy to track and identify criminals using Tor to hide while distributing child sexual abuse material (CSAM). While Tor Project's official response is that the Tor technology is still safe, offering reasonable privacy protection, there have been several previous theoretical attacks against Tor anonymity.
Tor is utilized by a diverse range of users, each with unique motivations for seeking anonymity online. Many people have legitimate reasons for using Tor, such as journalists, activists, and individuals in oppressive regimes who rely on Tor to bypass restrictions and maintain anonymity. However, criminal organizations often leverage Tor (and other privacy-based technologies such as blockchain) to evade law enforcement and carry out illegal activities such as cyber attacks, selling drugs, or sharing illicit content. Even government agencies and businesses can use Tor to safeguard sensitive communications. The platform’s dual-use nature means that while it serves as a powerful tool for privacy, it also inevitably attracts those with malicious intent.
Statistics show that the number of Tor users averaged around 5 million per day in 2023. User statistics from the official Tor website for July 1st, 2023 show that Germany had the highest number of users.
The official numbers indicate that user numbers have significantly dropped in 2024.
The German authorities successfully de-anonymized Tor users through a coordinated effort involving timing analysis attacks and control of a significant number of Tor nodes. The investigation was conducted to combat child sexual abuse by a darknet community known as "Boystown", which used the Ricochet chat service to facilitate anonymous communication. The site, which had been active since 2019 and amassed over 400,000 registered users, hosted some of the most extreme forms of abuse, primarily targeting young boys.
The German law enforcement agencies surveilled individual Tor nodes, sometimes for years, to collect data that could be used to deanonymize connections passing through these nodes. The collected data was analyzed using timing analysis techniques, allowing digital forensic experts to statistically correlate the timing of Tor traffic with data from ISPs, making it possible to trace Tor traffic to specific users.
The district court (Amtsgericht) in Frankfurt am Main also issued a legal order compelling the internet service provider (ISP) Telefónica to disclose data on which customers connected to the covert Tor nodes. This ISP data was then correlated with the timing analysis results to establish the identity and location of Andreas G., a key administrator of the online community responsible for child sexual abuse.
This technique of de-anonymizing users by controlling Tor entry and exit nodes has been known since at least 2007, with a paper on Tor traffic correlation attacks published in 2013, and other methods have been proposed to de-anonymize Tor users, such as Bitcoin transaction analysis. However, it is rare for Tor de-anonymization to be publicly acknowledged by law enforcement agencies or used in a conviction. The Tor Project has also published its own efforts to identify attempts to de-anonymize users by controlling Tor entry and exit nodes, and has described other attacks, such as "tagging attacks", which can be used to identify Tor users.
Tor routes traffic through multiple layers of encryption and a series of servers known as relays (or nodes). The Wireshark Wiki describes Tor as: "Tor is a distributed overlay network designed to anonymize low-latency TCP-based applications such as web browsing, secure shell, and instant messaging."
Network Layer Protocol: Tor operates at the network layer of the OSI model, meaning it works at the level of how data is transmitted between systems over the network. It modifies how internet traffic is routed, encrypting data multiple times as it passes through multiple relay nodes in the Tor network.
Onion Routing: The core principle of the Tor protocol is onion routing. This involves encapsulating messages in multiple layers of encryption, like the layers of an onion, where each relay decrypts only one layer of encryption to know the next relay in the path, without knowing the entire journey or the original source of the data.
Transport Layer Security: The protocol also establishes end-to-end encryption between the user and the exit node, providing confidentiality at every hop except the final one. This prevents any intermediary relays from being able to read the content of the traffic.
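The following is an added example (not code from the original article or from the Tor Project) that models the onion routing described above with a constructed three-hop circuit. It assumes a toy stream cipher (SHA-256 counter keystream XOR) in place of Tor's per-hop AES-CTR, and shows that each relay can peel only its own layer and learns only the next hop.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream XORed over the data).
    It stands in for the per-hop AES-CTR cipher real Tor uses; not Tor's own code."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def example_path():
    """Constructed three-hop circuit: (relay name, key the client shares with that relay)."""
    return [(name, hashlib.sha256(name.encode()).digest()) for name in ("guard", "middle", "exit")]

def build_onion(path, payload: bytes) -> bytes:
    """Client side: wrap the innermost layer first, so the first relay peels the outermost one.
    Each layer names only the *next* hop; that name is readable only once that layer is removed."""
    cell = keystream_xor(path[-1][1], b"deliver|" + payload)           # exit's layer
    for (_, key), (next_name, _) in zip(reversed(path[:-1]), reversed(path[1:])):
        cell = keystream_xor(key, b"forward:" + next_name.encode() + b"|" + cell)
    return cell

def relay_peel(key: bytes, cell: bytes):
    """One relay's step: strip exactly one layer and return (next hop or None, remaining bytes)."""
    inner = keystream_xor(key, cell)
    header, _, rest = inner.partition(b"|")
    if header == b"deliver":
        return None, rest
    if header.startswith(b"forward:"):
        return header[len(b"forward:"):].decode(), rest
    raise ValueError("layer did not decrypt cleanly (wrong key for this hop?)")

def run_circuit(path, payload: bytes):
    """Walk one cell through the path and record what each relay could learn from its own layer."""
    keys = dict(path)
    view = {}
    cell = build_onion(path, payload)
    hop = path[0][0]
    while hop is not None:
        next_hop, cell = relay_peel(keys[hop], cell)
        view[hop] = {"next": next_hop, "payload_visible": payload in cell}
        hop = next_hop
    return view, cell
```

Note that this model omits the ntor key exchange, cell integrity checks and fixed cell padding of the real protocol; it only illustrates why a guard learns the client and the middle relay, but never the destination or content.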
Some identifiable traits of Tor packets include:
Consistent Packet Sizes: Tor uses fixed-size cells (typically 514 bytes), making its traffic stand out from other encrypted protocols like HTTPS, which can have variable packet sizes.
Timing and Frequency: The timing and frequency of packets can be characteristic of Tor traffic, especially when packets are sent at regular intervals, which is different from typical web browsing patterns.
TLS Fingerprinting: Tor traffic uses TLS for encryption between nodes. The specific cipher suites, certificates, and handshake behavior used by the Tor client can be fingerprinted and differentiated from other TLS implementations.
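As an added example (not from the original article), the following detection heuristic turns the first two traits above, cell-aligned record sizes and regular timing, into a flow scorer a network defender could run over exported flow records to flag likely Tor usage on a monitored network. The sample flows, the assumption that record lengths are already net of TLS framing, and the thresholds are all constructed for illustration.

```python
from statistics import mean, pstdev

CELL_LEN = 514  # Tor cell size cited in the article (fixed-size cells)

def cell_aligned_fraction(sizes, cell_len=CELL_LEN):
    """Fraction of TLS application-data records whose length is a whole number of cells."""
    if not sizes:
        return 0.0
    return sum(1 for s in sizes if s > 0 and s % cell_len == 0) / len(sizes)

def interval_cv(timestamps):
    """Coefficient of variation of inter-record gaps; near 0 means clock-like regularity."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return float("inf")
    return pstdev(gaps) / mean(gaps)

def score_flow(records, align_threshold=0.8, cv_threshold=0.25):
    """records: list of (timestamp_seconds, record_len). Returns (tor_like, details).
    Both traits must fire; the thresholds are illustrative, not calibrated values."""
    ts = [t for t, _ in records]
    sizes = [s for _, s in records]
    frac = cell_aligned_fraction(sizes)
    cv = interval_cv(ts)
    details = {"cell_aligned": round(frac, 2), "interval_cv": round(cv, 2)}
    return (frac >= align_threshold and cv <= cv_threshold), details

# Constructed sample flows (record lengths assumed net of TLS framing; not real captures).
TOR_LIKE = [(i * 0.5, n) for i, n in enumerate([514, 514, 1028, 514, 514, 1542, 514, 514])]
HTTPS_LIKE = [(0.00, 517), (0.03, 1380), (0.04, 1380), (0.31, 220),
              (0.32, 96), (1.90, 1380), (1.91, 733), (4.20, 412)]

if __name__ == "__main__":
    for label, flow in (("tor-like", TOR_LIKE), ("https-like", HTTPS_LIKE)):
        print(label, score_flow(flow))
```

The third trait, TLS fingerprinting, is not modelled here; in practice these size and timing heuristics would be combined with a client-hello fingerprint and a check against the public relay list before raising an alert.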
The key difference between a Tor relay and a Tor bridge server is their purpose and visibility. Tor relays are the primary nodes routing traffic through the network and are publicly listed in the Tor directory, making them accessible to anyone. They include entry nodes, middle relays, and exit nodes, each playing a specific role in the network.
In contrast, Tor bridges are designed to help users access the network in regions where Tor is blocked. Because bridges are not listed in the Tor directory, they are harder for authorities and ISPs to detect and block, providing an alternative entry point for bypassing censorship.
The German authorities' recent de-anonymization of Tor users through timing analysis attacks sheds light on the complexities of balancing privacy and security. Although the Tor network is known for its robust anonymity measures, timing analysis techniques and ISP cooperation can be used to enact justice against those using Tor to hide criminal activities.
While privacy advocates continue to support Tor as a necessary tool for free speech and protection, cases like this remind users that they should be cautious and continually vigilant when seeking online anonymity. Although there are many cases where de-anonymization techniques can be used to enact justice, they may also be used by authoritarian regimes to identify activists for social justice.