By Travis West – Edited by Ashish Bakshi
The National Security Agency (“NSA”) has developed techniques to circumvent the anonymity offered by the Tor network. Tor is a service that anonymizes users’ Internet traffic by routing requests to websites and other services through multiple servers, making it extremely difficult to track. While the NSA can track some Tor users, the agency has been unable to crack the underlying technology and instead relies on tools like browser exploits and its direct access to the Internet backbone to intercept website requests.
The Guardian and The Washington Post published the original stories based on documents leaked by Edward Snowden. Bruce Schneier of The Guardian provided a technical analysis of the NSA’s techniques. Ars Technica and Time Techland provided additional coverage.
The U.S. government has promoted Tor as a tool for political dissidents living under repressive governments, provided funding to the organization that develops Tor, and invited its developer to present Tor to the intelligence community. However, the very anonymity that makes Tor powerful for dissidents also makes it a formidable tool for terrorists, drug sellers, and child pornographers. The website Silk Road – which hosted an illegal drug market and was recently seized by the FBI following the arrest of its owner – relied on Tor to remain inaccessible to most Internet users, as Ars Technica reports. The documents provided by Snowden indicate that the NSA views Tor as a significant roadblock in trying to track terrorists and other crime rings.
The NSA uses several tools to track Tor users. For users who downloaded a “bundle pack” from the Tor website, which included the Tor program and the Mozilla Firefox web browser, the NSA developed an exploit, nicknamed EgotisticalGiraffe, that relied on a Firefox vulnerability to track users. Mozilla later accidentally fixed the vulnerability in a Firefox update, but, before the vulnerability was patched, an NSA document boasted that the exploit had uncloaked 24 Tor users in one weekend.
The NSA also uses its relationships with major telecommunications companies to launch sophisticated “man-in-the-middle” attacks against targets. The agency placed secret servers at key Internet nodes to let it redirect requests from targeted users to phony websites that attempt to infect the user with software that allows the NSA to trace the user – even with Tor in use. The documents depict a complex system that is flexible enough to allow analysts to decide which exploit to deploy, based on factors like the value and expected technical sophistication of the target. The NSA’s tools also enable it to track Tor users by “staining” traffic flowing through Tor servers, and to direct the normally randomized routes that traffic takes through Tor.
These recent disclosures about the NSA’s efforts to circumvent a well-known anonymizing tool raise concerns among privacy advocates about how the agency decides to target Tor users, some of whom may be American citizens. The NSA’s ability to use its servers as a privileged backdoor to the Internet highlights the degree of control the U.S. government may have over global online information flow. Conversely, the agency’s admission in one of the leaked documents of its inability to defeat Tor’s underlying technology demonstrates the potential difficulty of tracking the movements of terrorists and other criminals.