Computer's Heat May Unmask Anonymized PCs

Virtual_Raider writes "Wired is carrying a story about a method developed by security researchers to identify computers hiding behind anonymity services. From the article: 'His victim is the Onion Router, or "Tor" — a sophisticated privacy system that lets users surf the web anonymously. Tor encrypts a user's traffic, and bounces it through multiple servers, so the final destination doesn't know where it came from. Murdoch set up a Tor network at Cambridge to test his technique, which works like this: If an attacker wants to learn the IP address of a hidden server on the Tor network, he'll suddenly request something difficult or intensive from that server. The added load will cause it to warm up.'"

Randomize the clock

[Mal+Reynolds]

Randomizing the clock of systems serving Tor traffic would render this attack worthless.

Since this and other such attacks are based on analyzing very small changes in the target system clock, even a tiny amount of randomization or pseudo randomization would be effective.

Re:Randomize the clock

[KermodeBear]

What about always using 100% of your CPU? I run the BOINC client for the Rosetta@HOME project and tell it to crunch as much data as it can with idle CPU time. It is ALWAYS up and running. So, if I have this running on a machine that also uses Tor then the "create extra CPU load" method would fail.

Re:Randomize the clock

[evilviper]

So, if I have this running on a machine that also uses Tor then the "create extra CPU load" method would fail.

Not necessarily.

If you have your CPU-intensive app running at a low priority, and TOR running at a higher priority, then your CPU will become slightly hotter when TOR is doing heavy processing.

It may make it much harder to detect than it already is, but there you go.

Re:Randomize the clock

What has priority got to do with it?

Why would heavy processing by TOR make the CPU run hotter than heavy processing by $SOME_APP ? It's still just heavy processing, CPU at 100% usage.

Re:Randomize the clock

[sjmurdoch]

Have a look at this blog posting for why adding random noise will not prevent the attack. Essentially, random noise doesn't change the average skew, since the computer doesn't have an independent reference clock. By taking a moving average over time, the noise can be detected and removed.

Re:Randomize the clock

[mysidia]

RFC1323 is not part of tcp/ip. It is an optional extension that some systems could choose to implement. A system does not have to implement these options. Leave RFC1323 options turned off at the operating system level, and you won't reveal information about the system time keeping in that manner.

However, there is a possibility the TOR and other applications themselves reveal the timestamp, say the applications ordinarily include it in messages passed from one peer to another (or from server to client), then it may also be possible for a probe to inquire with various network services running on the machine and thereby obtain the system time.

Re:I didn't RTFA, but...

[Barny]

Close, but no cigar.

His software lets you pinpoint servers in the anon TOR network, good trick, but ultimately useless (since its the users computer you are trying to find).

Of course the other problem is "giving it a heavy load" define heavy load? is it just a little more than usual? or does it mean you have to heat board (he goes off system clock, maintained by a frequency crystal on the MB), most data centres I would think would be fairly efficient at routing even high heat loads out of enclosures and away from the machine.

And then, whoever he does this to can sue him for DoSing their machine, if they can prove (and its not overly difficult) that heat damages computer parts, he can be nabbed for wilful destruction of property as well, since his whole exercise heats the machine for no other reason than locating it.

Then of course, the only way to "heat up" said computer is to do it through the TOR api, which i am guessing most anon servers are built to handle very well (since that would be their primary task).

Oh, and this of course neglects to take into account that your TOR requests may be handled by many many servers in a cluster, each one heating and skewing at different rates...

Ok, its late on a Saturday afternoon and I can poke that many holes in his trick (even if only one is at all real), gimme a good 2-3 hours with some energy drinks in me and I can find more I am sure ^_^

If he can prove it works (and successfully do something usefull with it) in the real world, then it would be a better story.

Re:I didn't RTFA, but...

The word you're looking for is induction.

Re:Fix it with NTP?

[Splab]

The article is very low on information on how he proposes to locate a computer. Yes clock skew would help, but you need to locate the machine somehow. And on top of that he thinks that more traffic equals higher load on the cpu. This isn't necessarily true, in a closed environment you might be able to do it, but on a global scale I can't see how this would help you unless you got global knowledge of the network, and if you do, sybil attack is a lot easier to do.

One must remember TOR doesn't guarantee strong anonymity, for that you need something like Herbivore.

Re:I didn't RTFA, but...

Close, but no cigar. His software lets you pinpoint servers in the anon TOR network, good trick, but ultimately useless (since its the users computer you are trying to find). A foolish statement. Tor offers the facility of hidden servers, or receiver anonymity. Some servers wish to remain anoymous. In other words it is _not_ the user we are interested in for this attack.

Of course the other problem is "giving it a heavy load" define heavy load? is it just a little more than usual? or does it mean you have to heat board (he goes off system clock, maintained by a frequency crystal on the MB), most data centres I would think would be fairly efficient at routing even high heat loads out of enclosures and away from the machine. Did you read the paper ? Again, obviously not. The clock skew is present even without the temperature affect, however minor changes in temperature do offer additional clock skew. The range of temperature causing skew is under 2 degrees.

And then, whoever he does this to can sue him for DoSing their machine, if they can prove (and its not overly difficult) that heat damages computer parts, he can be nabbed for wilful destruction of property as well, since his whole exercise heats the machine for no other reason than locating it. An fine point, outstanding. Except we don't know who the person is, they are using Tor. Sender anonymity, it's great.

Then of course, the only way to "heat up" said computer is to do it through the TOR api, which i am guessing most anon servers are built to handle very well (since that would be their primary task). No this is not the case, as in fact most 'anon servers' or tor onion routers are not built for Tor. Tor is an additional feature run on these machines, there are very few core tor routers, solely dedicated to tor. And of course by merely routing a number of streams, doing exactly what the application was designed to do, the temperature will build up.

Oh, and this of course neglects to take into account that your TOR requests may be handled by many many servers in a cluster, each one heating and skewing at different rates... There is no support in Tor at the moment for load balancing, if that is what you are implying.

Ok, its late on a Saturday afternoon and I can poke that many holes in his trick (even if only one is at all real), gimme a good 2-3 hours with some energy drinks in me and I can find more I am sure ^_^ If he can prove it works (and successfully do something usefull with it) in the real world, then it would be a better story. Read the paper and inform yourself. http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotorn ot.pdf

Simple Defense

[Cbs228]

Since date and time information isn't included in TCP/IP packets, this kind of attack won't work for all services. Assuming that the "hidden servers" in question are HTTP servers, there is a rather simple workaround: simply disable sending the "Date" header. This can probably be accomplished with mod_headers in Apache, but I've never tried using it myself. Oddly enough, the server would still be standards compliant. Obviously, servers that leak the current time by some other means would still be vulnerable.

A simpler, less precise attack of this nature would simply be to continuously ping the suspected server via both Tor and the public internet. If they (reproducibly) fail at the same time (and we could launch a denial-of-service attack to make it fail), they're probably the same machine. Attacks of this nature might even be able to confirm if a hidden server is on the same network as another computer.... But any of these attacks require someone to suspect you of running the server in the first place—and if they do, you probably have bigger problems to worry about.

The bottom line is, as Tor's manual clearly indicates, having a hidden server machine accessible from both Tor and the internet is a bad thing. Operators of hidden services should use a dedicated machine and block all incoming traffic (on all TCP and UDP ports) that is not via Tor.

Re:Fix it with NTP?

[tlund]

The 1kHz clock driving the TCP timestamps in Linux is not NTP corrected. You should probably read his paper.