Law enforcement undermines Tor

Few weeks ago, the German political magazine Panorama and STRG_F reported that law enforcement agencies infiltrated the Tor network in order to expose criminals. The reporters had access to documents showing four successful deanonymizations. I was given the chance to review some documents. In this post, I am highlighting publicly documented key findings.

Findings

  • 2024-09-12: Telefónica implements IP Catching
    • Frankfurt District Court orders Telefónica (O2) to surveil its customers for up to three months
    • Telefónica reports all customers connecting to a specific Tor entry relay named by the German Federal Criminal Police Office (Bundeskriminalamt, BKA). This is called IP catching
    • After a few days, the measure is completed successfully
    • Data of unsuspects was allegedly deleted immediately and not transmitted to law enforcement authorities. It remains unclear how this can happen without already knowing the suspect
    • There is no legal basis for IP catching. Telefónica still claims to be obliged to implement the measure
  • 2024-09-16: First statement of the Tor Project
    • Pinpointing Tor entry relays of onion services to successfully deanonymize Tor users
    • Timing analyses in combination with broad and long-term monitoring of Tor relay
    • V2 and V3 onion addresses were affected, at least between 2019/Q3 and 2021/Q2
    • nusenu references KAX17
  • 2024-09-18: Journalists detail one case
    • Operation Liberty Lane is referenced
    • Four successful measures [=deanonymizations] in one investigation
      • 2x identification of Ricochet users
      • 2x further measures
    • Deanonymization is based on timing analysis
    • It’s not a classic software vulnerability that is exploited
    • Tor Project agrees that nothing indicates that a vulnerability in the Tor browser is exploited. Problem: The attack works even though the Tor software is working properly
    • Sources speak of widespread monitoring of Tor relays
    • Number of surveilled Tor relays in Germany has risen sharply in recent years
  • 2024-09-18: The second statement of the Tor Project gives the impression that only Ricochet is affected
  • 2024-09-25: Interview with Daniel Moßbrucker
    • More and more Tor relays in Germany are under surveillance for longer and longer periods, in such a way that apparently data has been used for timing analysis
    • Deanonymization takes some time. Tor users are not deanonymized by the authorities in the blink of an eye
    • Not only Ricochet is affected, but twice also normal v3 Onion Services
    • Timing analyses was always possible when, to put it simply, there was „little traffic“ on an onion service and only a few packets were transmitted, which could then be assigned to a specific user. On whistleblowing platforms, there is usually little traffic until a source decides to submit data
    • The journalists first reached out to Ricochet in July 2023, mentioning cases of deanonymization of Tor users by revealing their entry relays. Ricochet immediately informed the Tor Project

Media reports

Operation Liberty Lane

Operation Liberty Lane is the alleged name of what is believed to be a joint operation of the United States, UK, Germany and potentially other countries with the goal to expose Tor users of illegal onion services. This operation caught my interest in January 2024, after someone had published screenshots of case files on Reddit.

According to the Reddit user Efficient_Wish_9790, this once theoretical attack has been operationalized and has unmasked thousands of users. The NCA and FBI have jointly developed a software program called „Good Listener“ that involves LE spinning up as many guard and middle nodes as possible, and then using a timing attack to correlate the IP at the malicious gaurd to the timing at the illegal HS.“

The screenshots reference an email sent by the Chief of the Federal Criminal Police in Germany (Bundeskriminalamt).

Agents in the United States are discussing their operation with Germany in email exchanges dated June 13, June 14, June 20, June 21, and June 24 of 2019. (FOIA Response, attached as Ex. E, pp. 3-11.). On June 24, 2019, for instance the Chief of the Federal Criminal Police in Germany emailed a redacted HSI agent, saying “good job! The report will be useful for us.” (Id.) This is not a one way street.

I tried to obtain email and report. The Federal Criminal Police, however, could not find the documents I requested.

Another user compiled a list of US cases associated with this operation. The relating documents include interesting Tor-related snippets. Here are snippets from Case 1:21-cr-00007-LJV-JJM Document 112:

As an initial matter, the prosecution in this case has claimed that it does not know how the hidden IP address was recovered. The government cannot, therefore, assure this Court that the manner in which it was uncovered would not shock the conscience. It is still unknown how the IP addresses were deanonymized – an ability that only nation states appear to have. To this point, the prosecution is only saying that the UK provided a “tip” to the United States that certain IP addresses accessed certain Tor websites.

Second, we now know that the United States government was more than a passive recipient of a generous tip […]>

Other emails released in this batch demonstrate that at least as early as 2018, HSI and the FBI were working together on projects they called “good listener” and were emailing documents about “guard research.” (Id., at p. 24) In the world of Tor, the entry node is often called the guard node; it is the first node to which the Tor client connects. One email purports to show how “good listener” actually works, with sections on “Background” and “Methodology.” This document is dated September 2018, well before the United States claims to have gotten a lucky “tip.”

Since January 2024, Operation Liberty Lane was discussed in multiple relay operator meetups. Until recently, no one was able to confirm or to debunk the suspicions. In recent news on law enforcement agencies undermining Tor anonymization, the Tor Project claims it is just speculation. For me, it’s sufficient to question if I should continue to recommend the use of onion services to journalists or whistleblowers. First I need to understand in more detail how the attacks are carried out and whether Iran or China, for example, could also carry out these attacks.

Tor-Knoten an Universitäten

Während Universitäten mit ihrer Infrastruktur und Kompetenz ideale Bedingungen für den Betrieb von Tor-Knoten bieten, ist ihr Anteil am Tor-Netz erstaunlich gering. Wir berichten über unsere Erfahrungen beim Betrieb von zwei Exit-Knoten an der TU Berlin und an der Uni Hamburg. Dazu gibt es Empfehlungen zum Betrieb. Der Artikel ist auf Deutsch und auf Englisch verfügbar. Einen Vortrag dazu gibt es hier.

Hausdurchsuchung dank Tor?

Wer Tor-Exit-Knoten betreibt, wird unter Umständen von der Polizei besucht. Hier gibt es Links zu diversen Vorträgen, Medienberichten und weiterem Infomaterial.

Vorträge und Podcasts
Presse
weiteres Infomaterial