Tor users could be vulnerable to IP unmasking through router analysis, according to a cross-university whitepaper. Users could be impacted more than four-fifths of the time.
By studying traffic at various points in the anonymity network, researchers could discern the identity of users all of the time in lab conditions, achieving the same 81.4% of the time in real-world experiments, with a 6.4% false positive rate.
"Previous research has shown that having access to a few Internet exchange points is enough for monitoring a significant percentage of the network paths from Tor nodes to destination servers," the researchers said.
"Although the capacity of current networks makes packet-level monitoring at such a scale quite challenging, adversaries could potentially use less accurate but readily available traffic monitoring functionality, such as Cisco’s NetFlow, to mount large-scale traffic analysis attacks."
They added that a single autonomous system could be used to monitor two-fifths of randomly generated Tor relays, meaning that a group of hackers could attack the network without being backed by a state.
Through injecting repetitive traffic into the network, both outside and inside, the team was able to compare exit traffic and work out the identity of a client, a flaw attributed to the low-latency activities the anonymity network was designed for, such as web browsing.
Despite this, Tor played down the paper’s significance, pointing to the false positive rate as a problem for hackers looking to exploit this flaw.
"That sounds like it means if you see a traffic flow at one side of the Tor network, and you have a set of 100000 flows on the other side and you’re trying to find the match, then 6000 of those flows will look like a match," it said.
"It’s easy to see how at scale, this "base rate fallacy" problem could make the attack effectively useless."
Researchers on the paper hailed from Columbia University in New York, the Stevens Institute of Technology in New Jersey and the Sapienza University of Rome.
