A research project conducted by Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) could have unmasked newly-launched Tor hidden services in just two weeks, according to a source familiar with SEI's work. The method used by the SEI may have also let other observers of the Tor network "hijack" SEI's information and deanonymize Tor sites or users themselves.
SEI "had the ability to deanonymize a new Tor hidden service in less than two weeks," the source said. "Existing hidden services required upwards of a month, maybe even two months."
"The trick is that you have to get your attacking Tor nodes into a privileged position in the Tor network, and this is easier for new hidden services than for existing hidden services," the source, who asked to remain anonymous for fear of losing his or her job, continued.
On Wednesday, Motherboard reported that a "university-based academic research institute" had been providing information to the FBI, leading to the identification of criminal suspects on the dark web, including those allegedly involved with the now-defunct marketplace Silk Road 2.0, and a man charged with possession of child pornography.
Circumstantial evidence pointed to the SEI and an attack carried out against Tor last year. After the publication of Motherboard's report, the Tor Project claimed that CMU was paid at least $1 million for the project, and several academics who focus on the dark web said they were "livid" and "concerned" over the institute's actions.
Now it has emerged that the SEI submitted a research paper to the 21st ACM Conference on Computer and Communications Security (CCS) last year on deanonymizing Tor hidden services and users. It gave results obtained from simulations of an attack on the Tor network.
"From a [computer science] ethics perspective it looked like perfectly ethical research," said the source, because it wasn't being carried out on Tor users in the wild. The researchers "found a bug in Tor and ran some simulations to see how effectively" it could be exploited, the source said.
The academic submission made no mention of the planned (and ultimately cancelled) Black Hat talk pitched by researchers from SEI, nor of an attack being carried out on behalf of the FBI, although the work was funded by a Department of Defense contract, number FA8721-05-C-0003.
Because the paper dealt with simulations, and not "running real experiments on Tor, there would have been no need" for an institutional review board to check the ethical situation around the paper's research, the source said.
The paper was rejected, however. The people who reviewed the paper felt that "the concepts here weren't that different from previous work," the source said. Indeed, one part of the research, which involved "traffic confirmation attacks," has been known since at least 2009.
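For readers unfamiliar with the term, the following is an added illustration of what a "traffic confirmation attack" is in general. It is not code from the SEI paper, from Tor, or from anyone quoted in this article, and it says nothing about how SEI positioned its relays. The idea it shows is the generic one: an observer who can watch traffic at two points of a path (for example at a guard relay and at the far end of a circuit) can confirm that two flows are the same flow by correlating their packet timing, even though the payload is encrypted. All traffic below is constructed with a seeded random generator, and the circuit names are hypothetical.

```python
"""Toy traffic-confirmation attack, added here as an illustration.

This is not the SEI paper's code and not Tor's code. It shows the general
idea named in the article: an observer who can see traffic at two points
of a path (e.g. a guard relay and the other end of a circuit) can confirm
that two flows are the same flow by correlating their packet timing,
even though the payload is encrypted. All flows below are constructed.
"""
import random

BIN_SECONDS = 0.1          # width of each timing bin
MAX_LAG_SECONDS = 0.5      # largest end-to-end delay we search for


def bin_counts(timestamps, duration, bin_seconds=BIN_SECONDS):
    """Histogram packet timestamps into fixed-width time bins."""
    n = int(duration / bin_seconds) + 1
    counts = [0] * n
    for t in timestamps:
        i = int(t / bin_seconds)
        if 0 <= i < n:
            counts[i] += 1
    return counts


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (0.0 if one is constant)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def best_lagged_correlation(entry_counts, exit_counts, max_lag_bins):
    """Try every delay 0..max_lag_bins (exit lags entry) and keep the strongest match."""
    best_r, best_lag = -1.0, 0
    for lag in range(max_lag_bins + 1):
        head = entry_counts[:len(entry_counts) - lag]
        tail = exit_counts[lag:]
        r = pearson(head, tail)
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag


def confirm(entry_flow, candidate_flows, duration):
    """Score each candidate far-side flow against the entry-side flow.

    Returns (name_of_best_match, {name: (correlation, estimated_delay_s)}).
    """
    entry = bin_counts(entry_flow, duration)
    max_lag_bins = int(MAX_LAG_SECONDS / BIN_SECONDS)
    scores = {}
    for name, flow in candidate_flows.items():
        r, lag = best_lagged_correlation(entry, bin_counts(flow, duration), max_lag_bins)
        scores[name] = (r, lag * BIN_SECONDS)
    best = max(scores, key=lambda k: scores[k][0])
    return best, scores


# --- constructed sample traffic (hypothetical, seeded so the demo is repeatable) ---

def make_bursty_flow(rng, duration, n_bursts=40):
    """Web-like traffic: short bursts of packets at random moments."""
    ts = []
    for _ in range(n_bursts):
        start = rng.uniform(0, duration)
        ts.extend(start + rng.uniform(0, 0.05) for _ in range(rng.randint(3, 12)))
    return sorted(t for t in ts if t < duration)


def delayed_copy(rng, flow, latency, jitter):
    """The same flow as seen at the far end: shifted by network latency plus jitter."""
    return sorted(t + latency + rng.uniform(-jitter, jitter) for t in flow)


def demo(seed=7):
    rng = random.Random(seed)
    duration = 60.0
    victim = make_bursty_flow(rng, duration)            # seen at the entry side
    candidates = {                                        # seen at the far side
        "circuit-A": make_bursty_flow(rng, duration),     # unrelated traffic
        "circuit-B": delayed_copy(rng, victim, latency=0.3, jitter=0.01),  # the real match
        "circuit-C": make_bursty_flow(rng, duration),     # unrelated traffic
    }
    return confirm(victim, candidates, duration)


if __name__ == "__main__":
    best, scores = demo()
    for name, (r, delay) in scores.items():
        print(f"{name}: r={r:.2f} delay={delay:.1f}s")
    print("confirmed match:", best)
```

Running it reports a correlation near 1 for the delayed copy and near 0 for the unrelated flows, so the delayed copy is "confirmed" as the victim's traffic. Two caveats a practitioner would add: on the real network one counts fixed-size cells rather than packets, and with thousands of candidate flows instead of three the false-positive rate matters far more than it does in this toy. Tor's design documentation has long stated that it does not protect against an adversary who can observe both ends of a connection, which is why reviewers would regard this part of the work as well known.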
Bearing this in mind, the source said that Tor probably should have been more "aggressive in detecting" the malicious nodes that appeared on the network between January 2014 and July 2014 and were deanonymizing users.
"Tor screwed up," the source said.
Regardless, the attack detailed in the research "worked really well," the source added. "You would be crazy to run a hidden service given those results."
The source said that, because of the way that the attack had been carried out, "anyone who knew about the attack would have been able to hijack that information and use it to do their own deanonymization."
In essence, it might have been possible for another actor to piggyback on SEI's work, so even if the researchers were "careful to only go after bad guys, they could have enabled another attacker (e.g., China, Russia) to go after lots of other people."
The vulnerability that the researchers took advantage of in this attack has since been patched.
Richard Lynch, the public relations manager for the SEI, told Motherboard in an email that "We are not able to comment on Tor."
This post has been updated to clarify that Tor has since patched the vulnerability.