Slashdot Mirror


Computer's Heat May Unmask Anonymized PCs

Virtual_Raider writes "Wired is carrying a story about a method developed by security researchers to identify computers hiding behind anonymity services. From the article: 'His victim is the Onion Router, or "Tor" — a sophisticated privacy system that lets users surf the web anonymously. Tor encrypts a user's traffic, and bounces it through multiple servers, so the final destination doesn't know where it came from. Murdoch set up a Tor network at Cambridge to test his technique, which works like this: If an attacker wants to learn the IP address of a hidden server on the Tor network, he'll suddenly request something difficult or intensive from that server. The added load will cause it to warm up.'"

28 of 146 comments

  1. Hot enough to... by Anonymous Coward · · Score: 2, Funny
  2. Re:I didn't RTFA, but... by KshGoddess · · Score: 5, Informative

    the heat-up causes a shift in how much the clock drifts, and you can query time from different servers to pinpoint which one it is.

    See what reading the article gets you? A tiny nugget of useless information.

    --
    It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
  3. FTA: Clock Skew, not temp. by Mr.+Flibble · · Score: 5, Informative

    The temp increase is the method to cause the clock to skew as the chip heats up due to added server load. The heat itself is not detected, so the summary is very misleading. The idea is to load the server enough so that the timestamps begin to change, and these changes can be detected.

    Of course, the defense to this attack is probably something along the lines of:

    $ man nice

    --
    Try to hack my 31337 firewall!
    1. Re:FTA: Clock Skew, not temp. by jd · · Score: 5, Informative
      There are several defenses.
      • First, if the computer is sensibly cooled (i.e. not by convection currents) then heating will be minimal.
      • Second, if you use a high-precision clock-chip, the chip will be tens or hundreds of times more accurate than the system time, so the drift will be entirely absorbed through the loss of accuracy.
      • Third, a defender worried about such an attack would use an oven-controlled oscillator for the clock, which means the temperature is whatever you want it to be. You can deliberately vary it to produce errors, or compensate for external temperature changes. Either way, you can be quite invisible to this method.
      • Fourth, the TOR network should be using an external time source (e.g. NTP) that is not included in the TOR tunnel - i.e. it's out-of-band - which means that the computers can automagically correct drift. If the computers are REALLY good, they'd correct drift on a second-order or third-order basis, rather than as a constant, so that you adapt how you read the clock to the shift in drift.


      The idea of using some sort of timing attack against such a network is interesting. There are probably better methods, though.


      One idea that springs to mind is that such P2P systems use caches. If you could generate enough requests to flood the cache system, you can force any computer to query nearby computers, where the latency will be roughly equal to the number of hops along the critical path. It then becomes similar to the game of "Black Box", where you try to map particles by throwing rays in and seeing what happens. If you have a sufficiently large latency map from a sufficiently large number of entrance points, you should be able to derive the whole of the exposed topology of the P2P network and be able to identify which of those servers carry what data.


      (Think about it. Those of us in Open Source have all done reverse engineering, we have all tried to wrest the secrets of some black box we can't see the inside of, and eventually we have all succeeded in doing so. Our interpretation may not 100% match the internals literally, but they WILL 100% match the internals logically. And in the end, that's all that matters.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Re:I didn't RTFA, but... by qbwiz · · Score: 5, Informative

    You measure clock skew before, during, and after you hit the hidden service. If the change in clock skew happens at the same time you load the server, that indicates that it's probably the correct server.

    --
    Ewige Blumenkraft.
  5. Randomize the clock by Mal+Reynolds · · Score: 4, Insightful

    Randomizing the clock of systems serving Tor traffic would render this attack worthless.

    Since this and other such attacks are based on analyzing very small changes in the target system clock, even a tiny amount of randomization or pseudo randomization would be effective.

    1. Re:Randomize the clock by Baricom · · Score: 2, Informative

      Other potential solutions include preventing machines from reporting local time (through HTTP? - I'm not clear the attacker learns the time in the first place; neither TCP nor IP have time information in the headers, it seems) or preventing hidden servers from talking on the public Internet.

      For most hidden services, either should be feasible. Timing doesn't seem that important anyway, given the inherent latency of the Tor network.

    2. Re:Randomize the clock by KermodeBear · · Score: 4, Insightful

      What about always using 100% of your CPU? I run the BOINC client for the Rosetta@HOME project and tell it to crunch as much data as it can with idle CPU time. It is ALWAYS up and running. So, if I have this running on a machine that also uses Tor then the "create extra CPU load" method would fail.

      --
      Love sees no species.
    3. Re:Randomize the clock by Anonymous Coward · · Score: 2, Insightful

      What has priority got to do with it?

      Why would heavy processing by TOR make the CPU run hotter than heavy processing by $SOME_APP? It's still just heavy processing, CPU at 100% usage.

    4. Re:Randomize the clock by sjmurdoch · · Score: 2, Insightful

      Have a look at this blog posting for why adding random noise will not prevent the attack. Essentially, random noise doesn't change the average skew, since the computer doesn't have an independent reference clock. By taking a moving average over time, the noise can be detected and removed.

      --
      Steven Murdoch.
      web: http://www.cl.cam.ac.uk/users/sjm217/
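The before/during/after comparison qbwiz describes above and sjmurdoch's point that per-sample random noise averages out can both be checked in a small simulation. The following Python is an added example, not code from this thread, from Murdoch's paper or from the Tor project. It models a counter whose skew rises by a constructed 20 ppm while the server is loaded, estimates the skew in each 600-second window by least squares (a sliding average of the offset slope), and shows that adding +/-5 ms of random jitter (the "randomize the clock" proposal) leaves the shift plainly visible, while a counter whose frequency NTP has steered to an external reference (assumed here to have zero residual skew) shows no change at all. Every parameter below is a constructed assumption.

```python
import random

# Constructed parameters: a crystal with 50 ppm baseline skew that gains
# 20 ppm while the server is under load between t = 600 s and t = 1200 s.
BASE_PPM = 50.0
LOAD_PPM = 20.0
LOAD_START, LOAD_END = 600.0, 1200.0
WINDOW = 600.0  # seconds per estimation window


def loaded_skew(t):
    """Skew (ppm) of an undisciplined crystal: higher while loaded (heated)."""
    return BASE_PPM + LOAD_PPM if LOAD_START <= t < LOAD_END else BASE_PPM


def disciplined_skew(t):
    """Counter whose frequency NTP has slewed to the reference.

    Assumption: zero residual skew, i.e. load no longer changes the rate
    of the externally visible timestamp source.
    """
    return 0.0


def observe(skew_fn, duration=1800.0, interval=1.0, jitter=0.0, seed=1):
    """Return (true_times, observed_offsets) for a counter with skew skew_fn(t).

    observed_offset is (counter - true_time) as a remote observer would see it.
    `jitter` adds uniform +/- noise per sample, modelling a randomized clock.
    """
    rng = random.Random(seed)
    xs, offs = [], []
    offset, prev, t = 0.0, 0.0, 0.0
    while t < duration:
        offset += skew_fn(t) * 1e-6 * (t - prev)  # integrate skew over dt
        prev = t
        noise = rng.uniform(-jitter, jitter) if jitter else 0.0
        xs.append(t)
        offs.append(offset + noise)
        t += interval
    return xs, offs


def slope_ppm(xs, ys):
    """Least-squares slope of ys against xs, in ppm.

    Averaging over the whole window is what cancels zero-mean jitter.
    """
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return 1e6 * sxy / sxx


def skew_by_window(xs, offs, window=WINDOW):
    """Estimate skew in consecutive windows: [before, during, after] by default."""
    estimates = []
    start = 0.0
    while start < xs[-1]:
        pts = [(x, o) for x, o in zip(xs, offs) if start <= x < start + window]
        if len(pts) > 2:
            estimates.append(slope_ppm([p[0] for p in pts], [p[1] for p in pts]))
        start += window
    return estimates


def load_is_visible(estimates, threshold_ppm=5.0):
    """True if the loaded (middle) window's skew differs from the first by > threshold."""
    return abs(estimates[1] - estimates[0]) > threshold_ppm


if __name__ == "__main__":
    for label, fn, jit in [("plain crystal", loaded_skew, 0.0),
                           ("crystal + 5 ms jitter", loaded_skew, 0.005),
                           ("NTP-disciplined + jitter", disciplined_skew, 0.005)]:
        est = skew_by_window(*observe(fn, jitter=jit))
        print(f"{label:28s} skew/window (ppm): {[round(e, 2) for e in est]}"
              f"  load visible: {load_is_visible(est)}")
```

The jitter case works out as sjmurdoch says: the noise is zero-mean, so regressing over a few hundred samples shrinks it to well under a ppm while the 20 ppm step survives. The disciplined case shows where the real fix sits: the counter that the outside world sees must be the one NTP steers, which is exactly the point about private TCP-timestamp counters raised later in the thread.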
    5. Re:Randomize the clock by mysidia · · Score: 2, Insightful

      RFC1323 is not part of tcp/ip. It is an optional extension that some systems could choose to implement. A system does not have to implement these options. Leave RFC1323 options turned off at the operating system level, and you won't reveal information about the system time keeping in that manner.

      However, there is a possibility the TOR and other applications themselves reveal the timestamp, say the applications ordinarily include it in messages passed from one peer to another (or from server to client), then it may also be possible for a probe to inquire with various network services running on the machine and thereby obtain the system time.

  6. Fix it with NTP? by Kadin2048 · · Score: 4, Interesting

    Not that I think this sort of thing is really going to become anything more than an interesting proof-of-concept anytime soon, but couldn't you combat this by having a local NTP server for your server farm, and then setting the servers to update from that server at frequent intervals (say every 5 sec or so)? It would waste cycles on the machines and generate some extra load on the network, but it would keep the clocks from ever drifting far, and it would narrow the window in which you'd be able to detect drift to something pretty small.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Fix it with NTP? by Splab · · Score: 4, Insightful

      The article is very low on information on how he proposes to locate a computer. Yes, clock skew would help, but you need to locate the machine somehow. And on top of that, he thinks that more traffic equals higher load on the CPU. This isn't necessarily true; in a closed environment you might be able to do it, but on a global scale I can't see how this would help you unless you have global knowledge of the network, and if you do, a Sybil attack is a lot easier to do.

      One must remember TOR doesn't guarantee strong anonymity, for that you need something like Herbivore.

    2. Re:Fix it with NTP? by tlund · · Score: 2, Insightful

      The 1kHz clock driving the TCP timestamps in Linux is not NTP corrected. You should probably read his paper.

    3. Re:Fix it with NTP? by lky · · Score: 2, Informative

      While Herbivore sounds interesting, don't forget to mention its limitations as well.

      In the Herbivore documentation, you will find this PDF: Eluding Carnivores: File Sharing with Strong Anonymity

      From which we learn that: The system consists of approximately 27,000 lines of Java and C code, 2,000 of which comprise the GUI for anonymous filesharing and a helper application for k-anonymous chat while the rest form the core system. (Section 5: Performance)

      So Herbivore provides anonymity for filesharing and chat. That is all it can do in its current implementation.

      On the other hand, Tor works with any IP based protocol and can be integrated into the applications that a user currently uses.

      The second weakness of Herbivore is that it is not ready for distribution yet. The only code available is if you request to be part of the initial rollout by non-anonymous email. Herbivore Download Page

      Tor is not only available for download, it is in current use.

      The third weakness of Herbivore is that it requires that a client application be run on the user's system. If your system is ever confiscated and examined by the authorities, this can be judged to be evidence of potential wrongdoing, resulting in further examination (if you don't believe this is possible, just read: PGP Ruled as Relevant For Criminal Case). A secondary weakness of the client is that it will limit the operating systems that Herbivore will run on to those systems that support Java and that Herbivore has been developed for (I2P has the same problem).

      On the other hand, Tor can be used by simply configuring the user's application to use a known Tor entry point as a proxy server. This configuration can be removed when the user is done, leaving little or no tracks. In this way, Tor can be used by any system that supports TCP/IP and SSL.

      And the fourth and last weakness I will mention is that since Herbivore has not been released yet, it has not undergone extensive peer review and testing. On the other hand, the reason we are aware of Tor's weaknesses is because it has been released, tested and peer reviewed. As we've learned from many cryptographic systems, you should not trust them until this peer review is complete and any/all weaknesses are known (which is why Tor has the disclaimer that it should not be fully trusted yet).

      While Herbivore may provide strong anonymity, in no way is it a replacement for a general anonymity tool like Tor. On the other hand the more tools we have, the better. So I look forward to testing Herbivore when it becomes available.

  7. Re:I didn't RTFA, but... by Arethan · · Score: 4, Funny

    According to TFA, no. Now maybe you want to R it. You must be new here...
  8. Re:Trivial Solution by Bios_Hakr · · Score: 2, Informative

    I picture this attack being used as part of an ongoing investigation. They have a target and they just need some pattern analysis to secure the warrant. Over a month-long investigation, they could glean a lot of info by throwing up very specific requests and seeing if your hard drive springs to life or your CPU spikes.

    In most cases, they wouldn't even need to be near your house. A well-positioned ammeter with remote sensing could tell you if the CPU suddenly needed more power.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
  9. Re:I didn't RTFA, but... by Barny · · Score: 5, Insightful

    Close, but no cigar.

    His software lets you pinpoint servers in the anon TOR network, good trick, but ultimately useless (since it's the user's computer you are trying to find).

    Of course the other problem is "giving it a heavy load": define heavy load? Is it just a little more than usual? Or does it mean you have to heat the board (he goes off the system clock, maintained by a frequency crystal on the MB)? Most data centres, I would think, would be fairly efficient at routing even high heat loads out of enclosures and away from the machine.

    And then, whoever he does this to can sue him for DoSing their machine; if they can prove (and it's not overly difficult) that heat damages computer parts, he can be nabbed for wilful destruction of property as well, since his whole exercise heats the machine for no other reason than locating it.

    Then of course, the only way to "heat up" said computer is to do it through the TOR API, which I am guessing most anon servers are built to handle very well (since that would be their primary task).

    Oh, and this of course neglects to take into account that your TOR requests may be handled by many many servers in a cluster, each one heating and skewing at different rates...

    OK, it's late on a Saturday afternoon and I can poke that many holes in his trick (even if only one is at all real); gimme a good 2-3 hours with some energy drinks in me and I can find more, I am sure ^_^

    If he can prove it works (and successfully do something useful with it) in the real world, then it would be a better story.

    --
    ...
    /me sighs
  10. Re:I didn't RTFA, but... by Hooya · · Score: 5, Funny

    Consider the parent poster's ID: 25287
    Consider your ID: 223197

    Then, consider the fact that you found "You must be new here" a novel response - at least novel enough for you to use it. Let me just say, *You* must be new here. :P

    P.S. I hope the recursive irony - including my ID and the parent poster's ID - is self-evident. No need for recursive "*You* must be new here" replies. Please think of the children.

    P.P.S. I don't really think recursion is the right word. But the fact that an 'older' user is declared 'new' by a newer user on each child post should lead to a division by zero, a black hole, or at least a bizarro world somewhere... or it might just be my bed time.

  11. Re:I didn't RTFA, but... by Tweaker_Phreaker · · Score: 2, Informative

    Read what you just said. Skew is a distortion of measurement. In normal operation there is no distortion, only when the crystal is heated. So by definition there is only one possible value for the skew and it's the change from before to after the crystal has been heated.

  12. utterly useless? by pavera · · Score: 3, Interesting

    Ok, so if I am using Tor, presumably I've got clients behind these servers.... so according to the article, he can detect a server? What good does that do him? That doesn't identify *MY* machine the client which is actually doing the browsing. So, he can see which server is running Tor... couldn't he just portscan to find that out?

    1. Re:utterly useless? by Anonymous Coward · · Score: 2, Informative

      TFS mentioned "servers" and then jumped to "hidden servers".

      Hidden services are something different than a Tor user. A hidden server is reachable via some hostname in the .onion TLD and provides services like HTTP, just like in the non-Tor network. It's basically an anonymous server instead of an anonymous client.

  13. Re:I didn't RTFA, but... by Toba82 · · Score: 3, Funny

    You must be new here.

    Everyone knows that no number of P.P.P.P.P.P.P.S.s that you can add will prevent SOMEONE from posting this very comment.

    --
    I pretend to know more than I really do by mooching off google and wikipedia.
  14. Re:I didn't RTFA, but... by Tweaker_Phreaker · · Score: 2, Interesting

    Yes but that's not the skew he's measuring. He's only measuring the skew caused by heating the crystal.

  15. Re:I didn't RTFA, but... by johnw · · Score: 5, Funny

    You must be new here...

  16. Re:I didn't RTFA, but... by steveoc · · Score: 3, Funny

    You must be ....

    awww .. forget it.

  17. Simple Defense by Cbs228 · · Score: 4, Insightful

    Since date and time information isn't included in TCP/IP packets, this kind of attack won't work for all services. Assuming that the "hidden servers" in question are HTTP servers, there is a rather simple workaround: simply disable sending the "Date" header. This can probably be accomplished with mod_headers in Apache, but I've never tried using it myself. Oddly enough, the server would still be standards compliant. Obviously, servers that leak the current time by some other means would still be vulnerable.

    A simpler, less precise attack of this nature would simply be to continuously ping the suspected server via both Tor and the public internet. If they (reproducibly) fail at the same time (and we could launch a denial-of-service attack to make it fail), they're probably the same machine. Attacks of this nature might even be able to confirm if a hidden server is on the same network as another computer.... But any of these attacks require someone to suspect you of running the server in the first place—and if they do, you probably have bigger problems to worry about.

    The bottom line is, as Tor's manual clearly indicates, having a hidden server machine accessible from both Tor and the internet is a bad thing. Operators of hidden services should use a dedicated machine and block all incoming traffic (on all TCP and UDP ports) that is not via Tor.

    --
    At our school, we don't earn a degree when we graduate—we earn pi/180 radians
  18. Use NTP to defend against all clock skew attacks by Terje+Mathisen · · Score: 4, Interesting

    This theoretical attack is based on using (previously covered on /.) clock skew to identify systems.

    The correct defense is the same as the last time:

    a) Make sure that there is no system clock skew, by running Network Time Protocol (NTP) on all servers.

    b) Make sure that all externally visible timestamps are based on the system clock.

    Part (b) is the only difficult step, since many current IP stacks use a private counter/clock instead of the system clock, presumably to reduce the overhead of providing timestamps. I know that Linus T has discussed using user-level library code to provide microsecond resolution (or better) timestamps, with very low overhead:

    The library code can just query the CPU/system timer, multiply by the current scale factor (which depends on things like dynamically variable CPU clock frequency), and add the base time which was stored by the OS on the last HW clock interrupt. Total runtime, including call/return overhead, can be below 100 clock cycles, which is fast enough to use it everywhere timestamps are needed.

    BTW, I wrote asm code to do exactly this inside Novell's NetWare OS a little over 10 years ago. In NetWare these timestamps were used by the Packet Burst algorithms which optimized packet transmission rates.

    Terje

    --
    "almost all programming can be viewed as an exercise in caching"