Rogue Exit Node(s) Compromising Tor Security


The Onion Router (Tor) is the go-to service for those seeking more security in their online activities. The service has received millions in funding from diverse sources, including the American Government, and continues to grow in usage among those seeking more online anonymity for various reasons. Other services are available, but Tor is considered the pinnacle. It turns out that it can still be compromised with a little bit of work.

According to research by Josh Pitts of the Leviathan Security Group, a ‘rogue’ exit node on the service has been distributing malware, with no disruption in service to the end user. The compromised exit node has been modifying downloaded files, wrapping them in malware to infect end users' systems. Current research has pointed to Russia as increasing its online (h)activities, which is right where this rogue node happens to be.

Josh presented his findings at the DerbyCon security conference, together with the research that led him to the Tor issue: he discovered the node's behaviour while investigating threats to binary files that are downloaded unencrypted. He also believes that Windows update files have been affected by the node gone rogue.

The Science Bit

Pitts discovered that binary files downloaded without TLS encryption can be tampered with in transit. Working from what he describes as ‘circumstantial evidence’, he built a tool to scan the roughly 1,100 Tor exit nodes and found that only one of them was patching binaries and inserting malware. That node, however, was patching every binary it saw, so other nodes could be doing the same thing more selectively, only to certain file types, as he discusses on his blog.
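The detection approach described above can be reproduced in miniature: fetch the same binary through each exit, hash it, and flag any exit whose copy differs from a reference obtained over a trusted channel. This is an added illustration, not Pitts' scanner; the exit names, the `fetch_via_exit` callback standing in for a real Tor circuit, and the binaries are all constructed here.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a real unencrypted download (a fake PE-like blob):
# a 64-byte DOS header area, a "PE\0\0" signature, then 256 bytes of "code".
REFERENCE_BINARY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + bytes(range(256))

# Constructed "wrapped" copy: a stub spliced in right after the PE signature
# (offset 68), which is the kind of in-transit patching the scan should catch.
TAMPERED_BINARY = REFERENCE_BINARY[:68] + b"<STUB>" + REFERENCE_BINARY[68:]

# Placeholder exit identifiers; real scans would use relay fingerprints.
EXITS = ["exit-A", "exit-B", "exit-C", "exit-D"]


def fake_fetch(exit_id: str) -> bytes:
    """Stand-in for downloading the file through a circuit ending at exit_id."""
    return TAMPERED_BINARY if exit_id == "exit-D" else REFERENCE_BINARY


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte; if one is a prefix of the other,
    the offset is the shorter length (i.e. content was appended)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def scan_exits(reference: bytes, fetch_via_exit: Callable[[str], bytes],
               exits: List[str]) -> Dict[str, dict]:
    """Return a report of every exit whose copy does not hash-match the reference."""
    ref_hash = sha256_hex(reference)
    report: Dict[str, dict] = {}
    for exit_id in exits:
        got = fetch_via_exit(exit_id)
        if sha256_hex(got) == ref_hash:
            continue  # byte-identical: this exit passed the file through untouched
        report[exit_id] = {
            "size_delta": len(got) - len(reference),
            "first_diff_offset": first_difference(reference, got),
        }
    return report


if __name__ == "__main__":
    for exit_id, finding in scan_exits(REFERENCE_BINARY, fake_fetch, EXITS).items():
        print(f"{exit_id}: modified download, {finding}")
```

The same hash comparison is the end-user mitigation: verify a plaintext download against a checksum or signature obtained over TLS before running it.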

The node in question has been flagged by the service since DerbyCon to prevent users from being compromised. The worry, however, is that this may be a much bigger issue, as around 90% of websites do not encrypt downloaded files, meaning an attacker can quickly and easily launch a man-in-the-middle (MITM) attack.

More and more websites are being compromised in some way or another and now issues with Tor? Will this stop people from using the service? Let us know your experience of using Tor on your social network of choice or in the comments below.
