Yesterday the Tor Project issued an advisory describing a large-scale identification attack on Tor hidden services. The attack started on January 30 and ended when Tor ejected the attackers on July 4. It appears that this attack was the subject of a Black Hat talk that was canceled abruptly.
These attacks raise serious questions about research ethics and institutional responsibilities.
Let’s review the timeline as we know it (all dates in 2014):
- 30 January: 115 new machines join the Tor network as relays, carrying out an ongoing, novel identification attack against Tor hidden services.
- 18 February – 4 April: Researchers at CERT (part of the Software Engineering Institute at Carnegie Mellon University) submit a presentation proposal to Black Hat, proposing to discuss a new identification attack on Tor.
- sometime March – May: Tor Project learns of the research and seeks information from the researchers, who decline to give details.
- early June: Black Hat accepts the presentation and posts an abstract of the research, referencing the vulnerability and saying the researchers had carried out the attack in the wild.
- late June: The researchers give the Tor Project a few hints about the attack but do not reveal details.
- 4 July: Tor Project discovers the ongoing attack, ejects the attacking relays from the Tor network, and starts developing a software fix to prevent the attack. The discovery was aided by some hints that the Tor team was able to extract from the researchers.
- 21 July: Black Hat announces cancellation of the scheduled presentation, saying that “the materials that he would be speaking about have not yet approved by CMU/SEI for public release.”
- 30 July: Tor Project releases a software update to fix the vulnerability, along with a detailed technical discussion of the attack. Tor Project is still unsure as to whether the attacks they saw were carried out by the CERT researchers, though this seems likely given the similarities between the attacks and the researchers’ presentation abstract.
This story raises some serious questions of research ethics. I’m hard pressed to think of previous examples where legitimate researchers carried out a large-scale attack lasting for months that aimed to undermine the security of real users. That in itself is ethically problematic at least. The waters get even darker when we consider the data that the researchers might have gathered—data that would undermine the security of Tor users. Did the researchers gather and keep this data? With whom have they shared it? If they still have it, what are they doing to protect it? CERT, SEI, and CMU are not talking.
The role of CERT in this story deserves special attention. CERT was set up in the aftermath of the Morris Worm as a clearinghouse for vulnerability information. The purpose of CERT was to (1) prevent attacks by (2) channeling vulnerability information to vendors and eventually (3) informing the public. Yet here, CERT staff (1) carried out a large-scale, long-lasting attack while (2) withholding vulnerability information from the vendor, and now, even after the vulnerability has been fixed, (3) withholding the same information from the public.
So CERT has some explaining to do. While they’re at it, they ought to explain what their researchers did, what data was collected and when, and who has the data now. It’s too late to cover up what happened; now it’s time for CERT to give us some answers.
[Post updated, 31 July 2014 at 6:45pm EDT, to correct two details in the timeline (number of servers and date of first hints from the researchers). Thanks to the Tor Project for pointing these out.]