Law enforcement undermines Tor

A few weeks ago, the German political magazine Panorama and STRG_F reported that law enforcement agencies infiltrated the Tor network in order to expose criminals. The reporters had access to documents showing four successful deanonymizations. I was given the chance to review some documents. In this post, I highlight the key findings that are publicly documented.

Findings

  • 2024-09-12: Telefónica implements IP Catching
    • Frankfurt District Court orders Telefónica (O2) to surveil its customers for up to three months
    • Telefónica reports all customers connecting to a specific Tor entry relay named by the German Federal Criminal Police Office (Bundeskriminalamt, BKA). This is called IP catching
    • After a few days, the measure is completed successfully
    • Data of non-suspects was allegedly deleted immediately and not transmitted to law enforcement authorities. It remains unclear how this can work without already knowing the suspect
    • There is no legal basis for IP catching. Telefónica still claims to be obliged to implement the measure
  • 2024-09-16: First statement of the Tor Project
    • Pinpointing Tor entry relays of onion services to successfully deanonymize Tor users
    • Timing analyses in combination with broad and long-term monitoring of Tor relays
    • V2 and V3 onion addresses were affected, at least between 2019/Q3 and 2021/Q2
    • nusenu references KAX17
  • 2024-09-18: Journalists detail one case
    • Operation Liberty Lane is referenced
    • Four successful measures [=deanonymizations] in one investigation
      • 2x identification of Ricochet users
      • 2x further measures
    • Deanonymization is based on timing analysis
    • It’s not a classic software vulnerability that is exploited
    • The Tor Project agrees that nothing indicates that a vulnerability in Tor Browser is exploited. Problem: the attack works even though the Tor software is working properly
    • Sources speak of widespread monitoring of Tor relays
    • Number of surveilled Tor relays in Germany has risen sharply in recent years
  • 2024-09-18: The second statement of the Tor Project gives the impression that only Ricochet is affected
  • 2024-09-25: Interview with Daniel Moßbrucker
    • More and more Tor relays in Germany are under surveillance for longer and longer periods, and the collected data has apparently been used for timing analysis
    • Deanonymization takes some time. Tor users are not deanonymized by the authorities in the blink of an eye
    • Not only Ricochet is affected, but twice also normal v3 Onion Services
    • Timing analysis was always possible when, to put it simply, there was "little traffic" on an onion service and only a few packets were transmitted, which could then be assigned to a specific user. On whistleblowing platforms, there is usually little traffic until a source decides to submit data
    • The journalists first reached out to Ricochet in July 2023, mentioning cases of deanonymization of Tor users by revealing their entry relays. Ricochet immediately informed the Tor Project
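The "little traffic" condition from the interview, as an added example: a constructed simulation I wrote to illustrate the reasoning, not the investigators' method and not anything taken from the reviewed documents. It assumes an observer who has packet timing from a surveilled guard relay (what IP catching yields per customer) and from the onion-service side, bins both into 100 ms slots and correlates them over a few candidate lags. The candidate count, packet rates and delays are made-up parameters.

```python
"""Toy flow-correlation (timing analysis) simulation.

Constructed example, not the BKA's method. It shows why correlation is
easy when one session is on the service and gets weaker when many are.
"""
import random

BIN_SECONDS = 0.1        # width of one timing bin
WINDOW_SECONDS = 30.0    # length of the observation window
N_BINS = int(WINDOW_SECONDS / BIN_SECONDS)


def make_flow(rng, start, n_packets, rate_per_second):
    """Timestamps of one bursty session (constructed data)."""
    t = start
    stamps = []
    for _ in range(n_packets):
        t += rng.expovariate(rate_per_second)
        if t >= WINDOW_SECONDS:
            break
        stamps.append(t)
    return stamps


def to_bins(timestamps):
    """Packet counts per timing bin."""
    counts = [0] * N_BINS
    for t in timestamps:
        counts[int(t / BIN_SECONDS)] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equally long count vectors."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / (var_a * var_b) ** 0.5


def correlate(service_counts, client_counts, max_lag_bins=3):
    """Best correlation over small lags: a packet passes the guard shortly
    *before* it reaches the service, so the client trace is shifted later."""
    best = 0.0
    for lag in range(max_lag_bins + 1):
        n = len(client_counts) - lag
        best = max(best, pearson(service_counts[lag:lag + n], client_counts[:n]))
    return best


def scenario(seed, n_candidates, n_active):
    """Return (ranking, active): ranking is [(candidate, score), ...] sorted
    best-first; active is the set of candidates that really talked to the
    onion service in the window (assumed parameters throughout)."""
    rng = random.Random(seed)
    active = set(rng.sample(range(n_candidates), n_active))
    guard_side = {}
    service_side = []
    for c in range(n_candidates):
        flow = make_flow(rng, rng.uniform(0.0, 10.0), 40, 5.0)
        guard_side[c] = flow             # per-customer view at the guard
        if c in active:                  # same packets, delayed and jittered
            delay = rng.uniform(0.05, 0.15)
            service_side += [t + delay + rng.gauss(0.0, 0.01) for t in flow]
    # The service side sees the superposition of every active session.
    service_counts = to_bins([t for t in service_side if 0 <= t < WINDOW_SECONDS])
    ranking = sorted(((c, correlate(service_counts, to_bins(guard_side[c])))
                      for c in guard_side), key=lambda cs: -cs[1])
    return ranking, active


if __name__ == "__main__":
    for n_active in (1, 10):
        ranking, active = scenario(seed=7, n_candidates=50, n_active=n_active)
        top, runner_up = ranking[0], ranking[1]
        print(f"{n_active:2d} concurrent session(s): best candidate {top[0]} "
              f"score={top[1]:.2f} (truly active: {top[0] in active}), "
              f"runner-up score={runner_up[1]:.2f}")
```

With a single active session the true customer stands out clearly; with ten sessions overlapping on the service, the service-side trace is a sum of flows and every candidate's score drops towards the noise floor, which is the "little traffic" effect the interview describes. Real Tor traffic is carried in fixed-size cells and the observer would work from circuit-level data rather than this toy's packet lists, but the correlation step is the same idea.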

Media reports