The leading dark net marketplace “Agora” has been taken offline, citing vulnerabilities in the Tor network that leave users of the site at risk. This development is significant, not least because Agora is a long-standing marketplace, launched in 2013, that has thus far evaded the attempts of law enforcement worldwide to shut it down. In particular it was untouched by the (somewhat exaggerated) success of October 2014’s “Operation Onymous”.
The closure was communicated by a PGP-signed message. The core of the message is that:
Recently research had come [sic] that shed some light on vulnerabilities in Tor Hidden Services protocol which could help to deanonymize server locations. Most of the new and previously known methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources. We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement. Additionally, we have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again, however this is only a temporary solution.
At this point, while we don't have a solution ready it would be unsafe to keep our users using the service, since they would be in jeopardy. Thus, and to our great sadness we have to take the market offline for a while, until we can develop a better solution. This is the best course of action for everyone involved.
It seems likely that the research referred to is the July 2015 paper from MIT and the Qatar Computing Research Institute, “Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services”, which details how traffic on the Tor network could be traced. MIT’s press release relating to the research provides a helpful description of the findings. Essentially, were the NSA or another interested party to run relays on the Tor network, any of those relays that a user’s Tor client happened to pick as its entry guard would see the pattern of traffic (packet timing and direction, not content) passing through it. Because circuits to hidden services look recognisably different from ordinary web browsing, the attacker can first pick out the hidden service circuits passively, and then, by comparing the traffic pattern against fingerprints taken from known sites, work out which hidden service the user was accessing with 88% accuracy in the paper’s experiments.
The same technique applies on the other side of the connection: if the attacker’s relay is picked as the entry guard of the hidden service itself, that relay already knows the server’s real IP address, and the fingerprinting tells the attacker that the circuits it is carrying belong to a hidden service. In this way the attacker could potentially identify the location of the host of a darknet site. Guard selection is random (weighted by relay bandwidth), so the process would involve some luck, but the larger the share of guard bandwidth the attacker controls, the higher their chances. The idea that the NSA and others have been operating relays on the Tor network is nothing new; it surfaced in 2014 in relation to the Silk Road 2.0 arrests, and it would seem to be the obvious starting place for any attempt on Tor.
An excellent summary of the issues raised was published on the Tor Project blog, which downplays the impact of the research. The high success rate claimed by the paper must be set against the point made by arma (Roger Dingledine) of the Tor Project that even a 2.9% false positive rate, applied to the overwhelming majority of connections that are not going to the monitored sites, would produce far more false hits than true ones. If this technique has been used by the authorities, it could well give rise to false accusations against those using Tor for legitimate purposes.
Even so, information gained by exploiting the weakness would most likely be used as “intelligence”, a foundation on which to apply for search warrants, and thus as a basis for obtaining more reliable and admissible evidence on which to prosecute.
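To make the base-rate point concrete, the following is an added illustration (not code from the article, the paper, or the Tor Project). It takes the 88% true positive rate and 2.9% false positive rate quoted above and applies Bayes’ rule to a range of constructed base rates, i.e. assumed fractions of observed connections that really go to a monitored site, to show what share of the classifier’s “hits” would actually be correct.

```python
"""Base-rate check on the fingerprinting claim.

Added example. The 88% true positive rate and 2.9% false positive rate
are the figures quoted in the text; every base rate below is a
constructed assumption, not a measurement.
"""


def positive_predictive_value(tpr: float, fpr: float, base_rate: float) -> float:
    """Probability that a flagged connection really went to a monitored site.

    tpr: share of genuine visits to monitored sites that the classifier catches.
    fpr: share of all other connections that it wrongly flags.
    base_rate: share of observed connections that really go to a monitored site.
    This is Bayes' rule: P(monitored | flagged).
    """
    true_hits = tpr * base_rate
    false_hits = fpr * (1.0 - base_rate)
    return true_hits / (true_hits + false_hits)


def expected_hits(n_connections: int, tpr: float, fpr: float, base_rate: float) -> tuple:
    """Expected (correct flags, incorrect flags) over n_connections."""
    monitored = n_connections * base_rate
    other = n_connections - monitored
    return monitored * tpr, other * fpr


TPR, FPR = 0.88, 0.029  # figures quoted in the text above

if __name__ == "__main__":
    # Constructed base rates: one connection in a thousand, one in a hundred,
    # and the unrealistic case where half of all traffic is to monitored sites.
    for base_rate in (0.001, 0.01, 0.5):
        ppv = positive_predictive_value(TPR, FPR, base_rate)
        true_hits, false_hits = expected_hits(100_000, TPR, FPR, base_rate)
        print(f"base rate {base_rate:>6.1%}: {ppv:5.1%} of flags correct "
              f"({true_hits:.0f} true vs {false_hits:.0f} false per 100,000 connections)")
```

With one connection in a thousand going to a monitored site, only about 3% of the connections the classifier flags are genuine: 88 true hits are buried under roughly 2,900 false ones per 100,000 connections. The accuracy figure only becomes persuasive when the base rate is already high, which is exactly the situation in which the attacker would need the least help.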
It appears that this vulnerability could be fixed, or at least mitigated, in two ways. Firstly, the network could send additional dummy (“padding”) traffic at random to mask the real packets and make the traffic analysis much harder, if not impossible. Secondly, increasing the amount of honest guard bandwidth on the network would make it less likely that an attacker’s relay is chosen as a guard, since guards are selected in proportion to their bandwidth; adding many relays helps only to the extent that it adds bandwidth. One way of achieving that might be a system whereby all Tor users also operated as relays. Neither of those is necessarily an ideal solution: padding consumes bandwidth and may slow the network down, and forcing users to act as relays would limit the ability of those with slower connections to use the network reliably (and slow or intermittently connected relays would not earn the Guard flag in any case).
Notwithstanding the limitations of the vulnerability described above, it has clearly spooked the operators of Agora sufficiently to have them shut the site down whilst they implement a fix. Perhaps it is that safety-first attitude that has allowed Agora to survive whilst competitors have been closed down.
Finally, this isn’t the first vulnerability found in Tor. A talk scheduled for the Black Hat security conference in Las Vegas in August 2014, by Alexander Volynkin and Michael McCord of Carnegie Mellon’s CERT, was titled “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” and promised to reveal vulnerabilities in the network. The talk was pulled in July 2014, shortly before the conference, and the research has not been published.
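The second mitigation turns on how guards are chosen, so here is an added illustration (not Tor’s own code, and the relay list and bandwidths are constructed). Tor selects entry guards in proportion to relay bandwidth weight, which means the chance of landing on an attacker’s relay is the attacker’s share of guard bandwidth, not its share of relay count; the example also shows how that chance accumulates as a client rotates guards over time, with the number of rotations an assumed figure.

```python
"""Bandwidth-weighted guard selection: how likely is the attacker's relay
to be chosen as a client's entry guard?

Added example, not Tor code. The relay list and bandwidths are constructed;
guards are drawn in proportion to bandwidth, as Tor does using consensus
weights.
"""
import random

# Constructed relay list: (name, is_attacker, bandwidth in arbitrary units).
RELAYS = [("honest%d" % i, False, 100) for i in range(10)] + \
         [("attacker%d" % i, True, 50) for i in range(2)]


def attacker_guard_probability(relays):
    """Analytic chance that a single guard choice lands on an attacker relay:
    attacker bandwidth divided by total bandwidth."""
    total = sum(bw for _, _, bw in relays)
    attacker = sum(bw for _, evil, bw in relays if evil)
    return attacker / total


def simulate_guard_choices(relays, n_clients, seed=0):
    """Empirical check: fraction of n_clients whose guard choice is an
    attacker relay, drawing guards with bandwidth as the weight."""
    rng = random.Random(seed)
    weights = [bw for _, _, bw in relays]
    compromised = 0
    for _ in range(n_clients):
        _, evil, _ = rng.choices(relays, weights=weights, k=1)[0]
        if evil:
            compromised += 1
    return compromised / n_clients


def with_extra_honest_relays(relays, count, bandwidth):
    """Return a new relay list with `count` added honest relays of `bandwidth` each."""
    return relays + [("extra%d" % i, False, bandwidth) for i in range(count)]


def eventually_compromised(p_per_guard, rotations):
    """Chance that at least one of `rotations` independent guard choices
    was an attacker relay: 1 - (1 - p)^rotations."""
    return 1.0 - (1.0 - p_per_guard) ** rotations


if __name__ == "__main__":
    base = attacker_guard_probability(RELAYS)
    many_slow = attacker_guard_probability(with_extra_honest_relays(RELAYS, 1000, 1))
    one_fast = attacker_guard_probability(with_extra_honest_relays(RELAYS, 1, 1000))
    print(f"baseline:               {base:.3f} (simulated {simulate_guard_choices(RELAYS, 20000):.3f})")
    print(f"+1000 relays @ 1 unit:  {many_slow:.3f}")
    print(f"+1 relay @ 1000 units:  {one_fast:.3f}")
    # Assumed: a client rotating through 12 guards over its lifetime.
    print(f"attacker seen at least once in 12 guard choices: {eventually_compromised(base, 12):.3f}")
```

In the constructed network the attacker holds 100 of 1,100 bandwidth units and so is chosen as guard roughly 9% of the time. Adding a thousand honest relays with one unit each reduces that to the same 4.8% as adding a single fast relay with a thousand units; what protects users is honest bandwidth, and relays too slow to carry meaningful traffic add almost nothing. The rotation function shows the other half of the picture: a per-choice probability of 9% becomes better than two in three once a client has gone through a dozen guards, which is why Tor keeps guards for long periods rather than picking fresh ones often.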
Cartwright King have a national team of cybercrime lawyers. Please contact us using the enquiry form below for further information.