Tor exit nodes 'sniffing' data - research
Compromised Tor exit nodes are spying on users, according to research by Swedish security specialist Chloe
Tor network nodes would appear to be sniffing and/or reading data as it is routed, according to an investigation by a security researcher.
In an experiment, Swedish researcher "Chloe" set up honeypots that saved logins in plaintext files, then logged in through each of the Tor exit nodes, the list of which is publicly available information. Using a different password at each node, Chloe was able to ascertain which nodes might be compromised.
"Now, if an exit node is sniffing the traffic he will see my login and now when he has my password he probably will do something bad with my account, or sell it, I don't know. So here's the catch.
"Every exit node has its unique password and because BADONIONS saves every login I can go back and check if a password has been used more than once, and if that's the case I can simply look up which exit node that used that password," wrote Chloe when she set up the experiment in April.
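The check Chloe describes, as an added example that is not her BADONIONS code: one unique password is issued per exit node, every honeypot login is logged, and any password seen more than once points back to the node it was sent through. The node names, passwords, timestamps and tab-separated log format are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: node names and passwords are placeholders.
ISSUED = {
    "pw-7f3a91": "EXIT-NODE-A",
    "pw-c04e22": "EXIT-NODE-B",
    "pw-19bd57": "EXIT-NODE-C",
}

# Assumed log format: "<ISO timestamp>\t<username>\t<password>", one login per line.
SAMPLE_LOG = """\
2000-04-02T10:00:01\tadmin\tpw-7f3a91
2000-04-02T10:00:09\tadmin\tpw-c04e22
2000-04-02T10:00:17\tadmin\tpw-19bd57
2000-04-09T03:12:44\tadmin\tpw-c04e22
2000-04-11T21:40:02\tadmin\thunter2
garbage line without tabs
2000-04-15T08:05:30\tadmin\tpw-c04e22
2000-04-20T13:31:10\tadmin\tpw-7f3a91
"""


def reused_passwords(log_text, issued):
    """Return ({exit_node: [timestamps of repeat logins]}, unattributed_count)."""
    records = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3:          # skip malformed lines
            records.append((parts[0], parts[2]))
    records.sort()                   # ISO timestamps sort chronologically

    seen = Counter()
    reuse = {}
    unattributed = 0
    for ts, password in records:
        node = issued.get(password)
        if node is None:             # password never issued to any node
            unattributed += 1
            continue
        seen[password] += 1
        if seen[password] > 1:       # first use is the researcher's own login
            reuse.setdefault(node, []).append(ts)
    return reuse, unattributed


if __name__ == "__main__":
    flagged, other = reused_passwords(SAMPLE_LOG, ISSUED)
    for node, times in sorted(flagged.items()):
        print(f"{node}: password reused {len(times)} time(s) at {', '.join(times)}")
    print(f"logins with passwords not issued to any node: {other}")
```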
More recently, Chloe has blogged about the results: "The results are not so surprising, but what is most surprising about this is that two nodes with the 'guard'-flag had logged in twice. Also, none of these nodes has been flagged even though I reported them to Tor."
It has long been suspected that security services might set up their own Tor exit nodes as a means of spying on traffic in what is otherwise a highly secure network. The experiment may underestimate the level of eavesdropping undertaken as it only counts subsequent attacks against the honeypots established by Chloe.
She found 15 instances of multiple uses of a unique password, and 650 unique page visits, which can also be considered suspicious. "We can see that there's passive MITM [man-in-the-middle attack] going on in the Tor network. This is done by setting up a fully functional and trustworthy exit node and start sniffing," she concludes.
She continues: "We can also see that nodes that have been running so long that they have earned the 'Guard'-flag also sniff traffic. We can also see that not all uses the logins but rather just visiting the website, this indicates that they are sniffing but does not use the provided logins. So by using Tor you are drawing attention to your site."
Tor is widely used to provide free encrypted communications across the internet, and is architected to ensure privacy and security. It was originally developed by the US Naval Research Laboratory for defence purposes, but was spun out as a non-profit project in 2002 supported by the Electronic Frontier Foundation.