A few weeks ago, the German political magazine Panorama and STRG_F reported that law enforcement agencies infiltrated the Tor network in order to expose criminals. The reporters had access to documents showing four successful deanonymizations. I was given the chance to review some documents. In this post, I am highlighting publicly documented key findings.
Findings
- 2024-09-12: Telefónica implements IP catching
  - Frankfurt District Court orders Telefónica (O2) to surveil its customers for up to three months
  - Telefónica reports all customers connecting to a specific Tor entry relay named by the German Federal Criminal Police Office (Bundeskriminalamt, BKA). This is called IP catching
  - After a few days, the measure is completed successfully
  - Data of non-suspects was allegedly deleted immediately and not transmitted to law enforcement authorities. It remains unclear how this can happen without already knowing the suspect
  - There is no legal basis for IP catching. Telefónica still claims to be obliged to implement the measure
- 2024-09-16: First statement of the Tor Project
  - Pinpointing the Tor entry relays of onion services to successfully deanonymize Tor users
  - Timing analyses in combination with broad and long-term monitoring of Tor relays
  - V2 and V3 onion addresses were affected, at least between 2019/Q3 and 2021/Q2
  - nusenu references KAX17
- 2024-09-18: Journalists detail one case
  - Operation Liberty Lane is referenced
  - Four successful measures [= deanonymizations] in one investigation
    - 2x identification of Ricochet users
    - 2x further measures
  - Deanonymization is based on timing analysis
  - It is not a classic software vulnerability that is exploited
  - The Tor Project agrees that nothing indicates that a vulnerability in the Tor Browser is exploited. Problem: the attack works even though the Tor software is working properly
  - Sources speak of widespread monitoring of Tor relays
  - The number of surveilled Tor relays in Germany has risen sharply in recent years
- 2024-09-18: The second statement of the Tor Project gives the impression that only Ricochet is affected
- 2024-09-25: Interview with Daniel Moßbrucker
  - More and more Tor relays in Germany are under surveillance for longer and longer periods, in such a way that the collected data has apparently been used for timing analysis
  - Deanonymization takes some time. Tor users are not deanonymized by the authorities in the blink of an eye
  - Not only Ricochet is affected, but twice also normal v3 onion services
  - Timing analysis was always possible when, to put it simply, there was "little traffic" on an onion service and only a few packets were transmitted, which could then be assigned to a specific user. On whistleblowing platforms, there is usually little traffic until a source decides to submit data
  - The journalists first reached out to Ricochet in July 2023, mentioning cases of deanonymization of Tor users by revealing their entry relays. Ricochet immediately informed the Tor Project
Media reports
- 2024-09-12
  - tagesschau.de: o2-Kunden zeitweise überwacht
- 2024-09-16
  - tor-relays mailing list: Update on an upcoming German broadcasting story about Tor/Onion Services
- 2024-09-18
  - tagesschau.de: Strafverfolger hebeln Tor-Anonymisierung aus
  - Panorama: Anonymisierungsdienst Tor angreifbar: Snowden-Effekt verpufft
  - Panorama: Investigations in the so-called darknet: Law enforcement agencies undermine Tor anonymisation
  - Strg_F: Pädokriminelles Forum: So agierte Andreas G.
  - Tor Project: Is Tor still safe to use?
- 2024-09-25
  - Deutsche Welle: Daniel Moßbrucker: Immer mehr Tor-Knoten werden überwacht
  - Deutsche Welle: Q&A: Ist das Tor-Netzwerk noch sicher?
- 2024-09-28
  - Deutsche Welle: Dark web: Is the Tor browsing network still secure?