Slashdot Mirror

← Back to Stories (view on slashdot.org)

Computer's Heat May Unmask Anonymized PCs

Posted by Zonk on from the i-seee-you dept.

Virtual_Raider writes "Wired is carrying a story about a method developed by security researchers to identify computers hiding behind anonymity services. From the article: 'His victim is the Onion Router, or "Tor" — a sophisticated privacy system that lets users surf the web anonymously. Tor encrypts a user's traffic, and bounces it through multiple servers, so the final destination doesn't know where it came from. Murdoch set up a Tor network at Cambridge to test his technique, which works like this: If an attacker wants to learn the IP address of a hidden server on the Tor network, he'll suddenly request something difficult or intensive from that server. The added load will cause it to warm up.'"

7 of 146 comments (clear)

  1. Re:I didn't RTFA, but... by KshGoddess · · Score: 5, Informative

    the heat-up causes a shift in how much the clock drifts, and you can query time from different servers to pinpoint which one it is.

    See what reading the article gets you? A tiny nugget of useless information.

    --
    It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
  2. FTA: Clock Skew, not temp. by Mr.+Flibble · · Score: 5, Informative

    The temp increase is the method to cause the clock to skew as the chip heats up due to added server load. The heat itself is not detected, so the summary is very misleading. The idea is to load the server enough so that the timestamps begin to change, and these changes can be detected.

    Of course, the defense to this attack is probably something along the lines of:

    $ man nice

    --
    Try to hack my 31337 firewall!
    1. Re:FTA: Clock Skew, not temp. by jd · · Score: 5, Informative
      There are several defenses.
      • First, if the computer is sensibly cooled (ie: not by convection currents) then heating will be minimal.
      • Second, if you use a high-precision clock-chip, the chip will be tens or hundreds of times more accurate than the system time, so the drift will be entirely absorbed through the loss of accuracy.
      • Third, a defender worried about such an attack would use an oven-controlled oscillator for the clock, which means the temperature is whatever you want it to be. You can deliberately vary it to produce errors, or compensate for external temperature changes. Either way, you can be quite invisible to this method.
      • Fourth, the TOR network should be using an external time source (eg: NTP) that is not included in the TOR tunnel - ie: it's out-of-band - which means that the computers can automagically correct drift. If the computers are REALLY good, they'd correct drift on a second-order or third-order basis, rather than as a constant, so that you adapt how you read the clock to the shift in drift.


      The idea of using some sort of timing attack against such a network is interesting. There are probably better methods, though.


      One idea that springs to mind is that such P2P systems use caches. If you could generate enough requests to flood the cache system, you can force any computer to query nearby computers, where the latency will be roughly equal to the number of hops along the critical path. It then becomes similar to the game of "Black Box", where you try to map particles by throwing rays in and seeing what happens. If you have a sufficiently large latency map from a sufficiently large number of entrance points, you should be able to derive the whole of the exposed topology of the P2P network and be able to identify which of those servers carry what data.


      (Think about it. Those of us in Open Source have all done reverse engineering, we have all tried to wrest the secrets of some black box we can't see the inside of, and eventually we have all succeeded in doing so. Our interpretation may not 100% match the internals literally, but they WILL 100% match the internals logically. And in the end, that's all that matters.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. Re:I didn't RTFA, but... by qbwiz · · Score: 5, Informative

    You measure clock skew before, during, and after you hit the hidden service. If the change in clock skew happens at the same time you load the server, that indicates that it's probably the correct server.

    --
    Ewige Blumenkraft.
  4. Re:I didn't RTFA, but... by Barny · · Score: 5, Insightful

    Close, but no cigar.

    His software lets you pinpoint servers in the anon TOR network, good trick, but ultimately useless (since its the users computer you are trying to find).

    Of course the other problem is "giving it a heavy load" define heavy load? is it just a little more than usual? or does it mean you have to heat board (he goes off system clock, maintained by a frequency crystal on the MB), most data centres I would think would be fairly efficient at routing even high heat loads out of enclosures and away from the machine.

    And then, whoever he does this to can sue him for DoSing their machine, if they can prove (and its not overly difficult) that heat damages computer parts, he can be nabbed for wilful destruction of property as well, since his whole exercise heats the machine for no other reason than locating it.

    Then of course, the only way to "heat up" said computer is to do it through the TOR api, which i am guessing most anon servers are built to handle very well (since that would be their primary task).

    Oh, and this of course neglects to take into account that your TOR requests may be handled by many many servers in a cluster, each one heating and skewing at different rates...

    Ok, its late on a Saturday afternoon and I can poke that many holes in his trick (even if only one is at all real), gimme a good 2-3 hours with some energy drinks in me and I can find more I am sure ^_^

    If he can prove it works (and successfully do something usefull with it) in the real world, then it would be a better story.

    --
    ...
    /me sighs
  5. Re:I didn't RTFA, but... by Hooya · · Score: 5, Funny

    consider the parent posters ID: 25287
    consider your id: 223197

    then, consider the fact that you found "You must be new here" a novel response - at least novel enough for you to use it. let me just say, *You* must be new here. :P

    P.S. i hope the recursive irony - including my ID and the parent posters ID - is self evident. no need for recursive "*You* must be new here" replies. please think of the children.

    P.P.S. i don't really think recursion is the right word. but the fact that an 'older' user is declared 'new' by a newer user on each child post should lead to a division by zero, a black hole, or at least a bazzarro world somewhere... or it might just be my bed time.

  6. Re:I didn't RTFA, but... by johnw · · Score: 5, Funny

    You must be new here...