A Brief History of Government Surveillance Targeting TOR

Paradigm Intelligence
6 min read · Jan 15, 2024

By Laurence Edwards


Preface:

Over the past week, Paradigm has been covering a series of topics related to the United States National Security Agency (NSA) surveillance programs exposed by the documents leaked by Edward Snowden in 2013. These leaks revealed a series of NSA and Government Communications Headquarters (GCHQ) operations aimed at breaching The Onion Router’s security. This article examines the relationship between intelligence agencies and The Onion Router, colloquially known as Tor: what Tor is, its history, how security agencies tried to undermine it, and why.

This article was researched in conjunction with AK Media, which is a partner organization of Paradigm Intel. AKM originally conceived the research project and performed the sourcing for the Snowden Files and explanations of technical concepts and calculations. AKM will be releasing a production on broader issues related to US government surveillance. Thank you to AK Media for working on this project.

What is TOR?

The Onion Router is a security-focused web browser that is best known as the browser that allows you to access the Deep Web. Tor was conceived in 1995, out of concern for internet privacy, by David Goldschlag, Mike Reed, and Paul Syverson: two students at the Massachusetts Institute of Technology and an employee of the US Naval Research Lab. Throughout the early 2000s, the trio developed Tor in several forms. After several public releases, and as the project grew, Tor became an official non-profit, The Tor Project. As a result, Tor is a public volunteer service, and anyone with the capacity can run a Tor server.

Tor functions by employing a three-layered node system. The first node is a server that connects your IP address to the Tor network. The second node relays information, such as search queries, to the third node. The third node connects directly to the receiving server, such as a website. Because each node can only see the node directly preceding or succeeding it, Tor creates a wall that prevents the user’s personal information from being exposed. Nodes are chosen at random; anyone can operate one, and each node in a circuit is in a different country to minimize the chance that a single party operates more than one node on the same path.

Despite the strides it made in internet privacy technology, Tor’s anonymity also made it a place to house illegal content on the developing internet. Because Tor was being used as a tool to hide information from law enforcement and the public, it gained the notice of several government agencies, specifically the NSA and its British counterpart, GCHQ.

Government Surveillance Efforts:

After the NSA took an interest in Tor, intelligence analysts began looking for methods to breach its privacy protections. According to The Guardian, the NSA launched a proof-of-concept attack against Tor. Because anyone can run nodes, the NSA began operating nodes of its own. Its goal, in theory, was to operate enough nodes that it could reasonably gather information on Tor users passively. However, there is no evidence that the NSA ever continued this project. Despite that, rumors still spread across the internet that up to 90% of Tor servers could be run by the NSA.

Because the Tor browser is based on Firefox, the NSA initially used a vulnerability in the browser bundle that affected Firefox. This method allowed the NSA to track Tor users through E4X, an extension that provided native support for Extensible Markup Language (XML) scripts. However, this method was unintentionally patched by Mozilla when it updated Firefox and removed E4X.

The NSA then created a project called EGOTISTICALGIRAFFE. This project used partnerships with US telecommunications corporations under four main programs (Stormbrew, Fairview, Oakstar, and Blarney) to fingerprint HTTP requests from the Tor network. These fingerprints were then sorted into XKeyscore, an NSA data query tool used to fingerprint and query information en masse. With this information, the NSA used a secondary program called “FoxAcid” to remotely infect Tor users when they visited specific sites.

A system known as Quantum used the aforementioned partnerships with telecommunications companies to place NSA servers throughout the NSA backbone. This way, whenever someone using Tor attempted to access a website that had been running an NSA server, the Tor user would be redirected to their original destination through an NSA server, “infecting” the Tor user. Once these users were infected, the NSA could match their HTTP searches with their virtual fingerprint. This type of attack is known as a man-in-the-middle attack, or MTM. Regarding this situation, The Onion Project posted on their blog, “What we do know is that if someone can watch the entire Internet all at once, they can watch traffic enter and exit. This likely de-anonymizes the Tor user.” This is precisely the method the NSA attempted to employ.

In addition to this, the NSA and GCHQ created a joint project dubbed REMATION II. This project had the intent of setting up NSA servers to conduct MTM attacks on Tor users over commonly used sites such as Amazon. By doing this, the NSA and GCHQ intended to cast a wide net across the internet, attempting to monitor some Tor users.

Credit: The Guardian

During this time, GCHQ created its own anti-Tor project, with NEWTONSCRADLE as the codeword for GCHQ-run Tor nodes. GCHQ sought to establish Tor nodes as well, and to that end it created a system called QuickAnt, authorized under Flying Pig. This is another MTM attack using a method similar to EGOTISTICALGIRAFFE.

Perhaps the most shocking part of this information is the fact that MTM attacks were intended to be run directly on services such as Google and Amazon. Although the projects to break Tor were likely never employed en masse, attempts at targeting Tor users were made on massive public sites. This clearly shows that the intent of this infrastructure was mass indiscriminate surveillance, specifically targeting a service that sought to provide the populace shelter from that very monitoring.

Conclusion:

The NSA and GCHQ have, despite their efforts, seemingly not broken Tor’s security. Both organizations have undoubtedly invested significant resources into attempts to breach Tor’s privacy. The NSA and GCHQ worked in unison to monitor the use of Tor using a variety of methods, though only against a small set of targets. However, it is important to note that projects such as NEWTONSCRADLE are still very much a possibility.

Even after these leaks, the public has no idea how many people these anti-Tor projects actually monitored, as no such information was included in any of the leaked Snowden files. Public uncertainty is a recurring theme in this case, and because of this lack of public knowledge, the public also has no concept of the operations being run now.

Although there is little evidence to suggest Tor is compromised on a large scale, it’s important to realize that if you can effectively monitor the entire internet, Tor won’t matter. If any given entity can gather data on everyone, and if both the point where someone connects to Tor and the requests Tor makes are logged by the same entity, there will no longer be anonymity online. That is a much larger threat than Tor itself being compromised.
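The following is an added example, not part of the original article and not Tor Project code. It models the three-node circuit described in the “What is TOR?” section and the point made here about an observer who logs both the entry point and the exit requests. The client wraps a request in three layers, one per relay; each relay peels its own layer and learns only the previous hop and the next hop. The cipher is a deliberately simple SHA-256 counter-mode stream (an assumption for the demo, not Tor’s real AES-CTR cell encryption), the relay names and the destination are constructed placeholders, and the per-hop keys are generated locally instead of through a handshake.

```python
import hashlib
import json
import os

# Toy keyed stream cipher: SHA-256 in counter mode with a fresh nonce per layer.
# Assumption for illustration only; it is not Tor's cell encryption and is not
# meant to be reused as a cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

class Relay:
    """One node of the circuit. It holds a key shared with the client and
    records the only routing facts it ever sees: who handed it the cell and
    where the cell goes next."""
    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)  # in Tor this would come from a per-hop handshake
        self.seen = []             # list of (previous_hop, next_hop)

    def peel(self, previous_hop: str, blob: bytes):
        layer = json.loads(unseal(self.key, blob))
        self.seen.append((previous_hop, layer["next"]))
        return layer["next"], bytes.fromhex(layer["data"])

def build_onion(path, destination: str, message: bytes) -> bytes:
    """Wrap message innermost-first so relay i can only decrypt layer i and
    finds inside it just the name of hop i+1 plus an opaque inner blob."""
    blob, next_hop = message, destination
    for relay in reversed(path):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = seal(relay.key, layer)
        next_hop = relay.name
    return blob

def send_through_circuit(client: str, path, destination: str, message: bytes):
    """Push the onion through guard -> middle -> exit; return what the exit
    forwards to the destination."""
    blob = build_onion(path, destination, message)
    previous = client
    for relay in path:
        next_hop, blob = relay.peel(previous, blob)
        previous = relay.name
    return next_hop, blob

def relay_views(path):
    """What each relay learned from the last cell it handled."""
    return {relay.name: relay.seen[-1] for relay in path}

def linkable_by_observer(views, observed: set):
    """The article's closing point: a party that logs both the entry (guard)
    view and the exit view can pair the client with the destination. Any
    observer missing either end gets None. Returns (client, destination)."""
    guard_view = next((v for name, v in views.items() if name in observed
                       and v[0] not in views), None)
    exit_view = next((v for name, v in views.items() if name in observed
                      and v[1] not in views), None)
    if guard_view is None or exit_view is None:
        return None
    return guard_view[0], exit_view[1]

if __name__ == "__main__":
    circuit = [Relay("guard"), Relay("middle"), Relay("exit")]
    dest, payload = send_through_circuit("client", circuit, "example.org",
                                         b"GET / HTTP/1.1")
    print(dest, payload)
    for name, view in relay_views(circuit).items():
        print(f"{name} saw: from {view[0]} -> to {view[1]}")
    print(linkable_by_observer(relay_views(circuit), {"guard", "exit"}))
```

Running it prints that the guard only sees `client -> middle`, the middle only sees `guard -> exit`, and the exit only sees `middle -> example.org`; no single relay holds both the client and the destination. The last line shows the threat the conclusion describes: an observer of the guard and exit ends together recovers the pair, while an observer of only one end (or only the middle) does not.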

Credits:

Writers:

Laurence Edwards, Paradigm Board Member

Editors:

Laurence Edwards, Paradigm Board Member

Aaron C.Z. Arnold, Paradigm Board Member

AK, CEO of AK Media

Research:

Laurence Edwards, Paradigm Board Member

AK, CEO of AK Media

For inquiries, I can be contacted at laurenceedwards40@gmail.com.
