The growing use of bitcoin as a means of payment has been accompanied by a need for greater security around transactions on the blockchain. Bitcoin offers some anonymity, but because the blockchain is a permanent record, the level of anonymity provided by the bitcoin protocol is considered to be low.
This encourages bitcoin users to look for higher levels of anonymity through what are called anonymizers. Tor is an example of an anonymizer. However, according to a paper published by two researchers at the University of Luxembourg, Alex Biryukov and Ivan Pustogarov, it is possible to mount a man-in-the-middle attack against bitcoin users who connect through Tor. An attacker can gain access to all of a bitcoin user’s transactions irrespective of the pseudonyms used. Even so, the attack does not reveal the user's private keys; it only negates the anonymity granted by using Tor.
Recent findings about the bitcoin protocol would seem to suggest that privacy is not a complete given. Specifically, a Bitcoin transaction's privacy is beset by two problems. One, it is possible for an attacker to link transactions from the IP address of the user by studying connectivity and traffic of the peers. Two, it is also possible to link the bitcoin user’s pseudonyms and transactions in the blockchain through graph and transaction flow analysis.
Use of Tor to Achieve Anonymity
To counter the possibility of these attacks, various methods have been used. One of them is bitcoin mixing, which breaks the links in the transaction graph. However, even with bitcoin mixing there are shortcomings, since IP addresses can still leak. The other method is the use of Tor, as previously mentioned. Tor provides anonymity over an internet connection. It is based on a concept called onion routing and a telescoping path-building design.
When an internet user wants to go online but conceal his IP address from the server, he can route his traffic through Tor relays. A Tor circuit consists of three relays: guard, middle and exit. These three build a circuit and negotiate the keys that the user uses to encrypt his information before sending it. As the message travels through the circuit, each relay strips off its layer of encryption, so that the message arrives at the final destination in its original form and each party knows only the previous and the next hop.
Since millions of such messages are sent over the Tor relays each minute, some form of order on the relays is necessary. The list of all Tor relays is assembled and distributed in a document called the Consensus Document by nine Tor authorities. For the purposes of traffic balancing, the bandwidth of each relay is measured and reported. A user chooses relays for circuits with probability proportional to their consensus bandwidth. Each relay is identified by its ID, which is a SHA-1 hash of its public key. Simply put, SHA-1 is a standard cryptographic hash algorithm.
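As an added illustration (not code from the paper or from Tor), the following Python sketch parses a constructed consensus excerpt and computes each exit relay's share of bandwidth-weighted selection for a given destination port. It is a simplification that ignores the position weights real Tor clients also apply; the relay names, identities, addresses and bandwidth figures are invented.

```python
# Constructed excerpt: all values invented; only the r/s/w/p line layout is Tor's.
SAMPLE = """\
r relayA IDAAAA DGAAAA 2014-10-20 12:00:00 192.0.2.10 9001 0
s Exit Fast Running Valid
w Bandwidth=6000
p accept 80,443,6667,8333
r relayB IDBBBB DGBBBB 2014-10-20 12:00:00 192.0.2.11 9001 0
s Fast Guard Running Valid
w Bandwidth=9000
p reject 1-65535
r relayC IDCCCC DGCCCC 2014-10-20 12:00:00 192.0.2.12 9001 0
s Exit Fast Running Valid
w Bandwidth=3000
p accept 80,443
r relayD IDDDDD DGDDDD 2014-10-20 12:00:00 192.0.2.13 9001 0
s Exit Fast Running Valid
w Bandwidth=1000
p reject 25,119,135-139,445
"""

def parse_relays(text):
    """Collect nickname, flags, bandwidth and port policy for each relay entry."""
    relays = []
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "r":  # an "r" line starts a new relay entry
            relays.append({"nick": rest.split()[0], "flags": set(), "bw": 0,
                           "policy": ("reject", "1-65535")})
        elif relays and kind == "s":
            relays[-1]["flags"] = set(rest.split())
        elif relays and kind == "w":
            relays[-1]["bw"] = int(rest.split("Bandwidth=")[1].split()[0])
        elif relays and kind == "p":
            relays[-1]["policy"] = tuple(rest.split())
    return relays

def allows(policy, port):
    """Evaluate an 'accept'/'reject' port-list summary for one port."""
    action, portlist = policy
    ranges = (item.partition("-") for item in portlist.split(","))
    listed = any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)
    return listed if action == "accept" else not listed

def exit_share(relays, port):
    """Share of selection probability per Exit relay that permits `port`."""
    usable = {r["nick"]: r["bw"] for r in relays
              if "Exit" in r["flags"] and allows(r["policy"], port)}
    total = sum(usable.values())
    return {n: bw / total for n, bw in usable.items()} if total else {}
```

Comparing `exit_share(parse_relays(SAMPLE), 443)` with the same call for port 8333 shows that the smaller the pool of exits permitting a port, the larger the share each remaining relay holds for it.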
Executing the Attack on Tor
By combining subtle details of Tor and the Bitcoin protocol, it is possible to execute a man-in-the-middle attack. This is done by getting bitcoin users to choose the attacker’s exit nodes or bitcoin peers, rather than using the P2P network. The attacker can then control the blocks and transactions that the user is aware of, and the user does not get the level of anonymity that they may require.
The attack relies on bitcoin’s anti-DoS protection, Tor’s stream management policy and the fact that connections between Bitcoin peers are not authenticated. There are four steps to executing a man-in-the-middle attack over Tor, discussed in the following paragraphs.
The first step involves injecting Bitcoin peers over the Tor network. Bitcoin has a limitation of one peer per IP address. The attacker obtains a large number of IP addresses, which is easy to do since he can rent multiple IP addresses. The easiest way would be to rent IP addresses on a per-hour basis. At this stage of the attack, it is difficult to detect anything since the IP addresses will not be involved in abusive activity such as spam or denial-of-service, also known as DoS.
The second step involves advertising malicious peers. The attacker wants his Bitcoin peers to be chosen as regularly and frequently as possible by Bitcoin clients. To make that possible, the attacker advertises the addresses of his peers as frequently as possible, which also allows him to inject fewer malicious peers. Unless there is special monitoring, it is also difficult to detect any suspicious activity at this stage.
In the third step, the attacker would inject some number of medium-bandwidth Tor Exit relays. In order to get an Exit flag from Tor authorities, an attacker’s Exit node should allow outgoing connections to any two of the three ports 80, 443 and 6667. However, the attacker would want to route all connections to port 8333. The attacker would then provide incorrect information in the descriptor so as to get the Tor Exit flag while in reality providing access to port 8333 only. The attacker could even go further and dynamically change the exit policy of his relays so that only connections to specific Bitcoin peers are allowed.
Finally, the attacker builds a circuit through a non-attacker’s Bitcoin peer or exit node and sends a malformed message to the chosen bitcoin peer. This causes a denial of service for 24 hours, effectively preventing other clients from using the same peer or Exit node. In this way, the attacker can disable several Bitcoin peers and Exit nodes, so that all messages are routed either to one of the attacker’s peers or over a circuit through the attacker’s Exit node.
To use an example, imagine running in a race that has multiple forks in the road together with hundreds or thousands of runners. Unbeknown to you, some of the runners are robbers waiting to kidnap and steal from you. As you get to the forks in the road, you find direction arrows that point you to the wrong direction, again unknown to you. You keep running up to a point that you discover that you are alone on the road and out of nowhere robbers take you hostage and steal everything that you have. The example illustrates what an attacker can do on Tor.
Countermeasures to a Tor Attack
One possible countermeasure would be to relax the reputation-based DoS protection. Each Bitcoin peer would have a random variable that decides whether to turn the DoS mechanism on or off, with a probability of 1 out of 2. As a result, the attacker might only be able to DoS at most half of the network, and he would not be able to ban any relays or VPNs from all of the Bitcoin peers. Another countermeasure would be to encrypt and authenticate Bitcoin traffic. This would prevent even opportunistic man-in-the-middle attacks.
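The first countermeasure above can be checked with a small model. This added Python example (not Bitcoin's code and not taken from the paper) models peers whose ban list is keyed on the source IP address, so every user behind one Tor exit shares its fate, and compares the strict policy with the relaxed one. The `Peer` class, the score threshold of 100 and the exit address are assumptions made for illustration; the 24-hour ban is the figure given in the article.

```python
import random

BAN_SECONDS = 24 * 60 * 60  # ban length stated in the article (24 hours)
BAN_THRESHOLD = 100         # assumed misbehaviour score that triggers a ban

class Peer:
    """Toy Bitcoin peer with a reputation-based ban list keyed on source IP."""
    def __init__(self, dos_protection=True):
        self.dos_protection = dos_protection
        self.score = {}         # source IP -> accumulated misbehaviour score
        self.banned_until = {}  # source IP -> time at which the ban expires

    def accepts(self, src_ip, now):
        return self.banned_until.get(src_ip, 0) <= now

    def receive(self, src_ip, now, penalty=0):
        """Handle one message; penalty > 0 models a malformed message."""
        if not self.accepts(src_ip, now):
            return False
        if self.dos_protection and penalty:
            self.score[src_ip] = self.score.get(src_ip, 0) + penalty
            if self.score[src_ip] >= BAN_THRESHOLD:
                self.banned_until[src_ip] = now + BAN_SECONDS
        return True

def reachable_fraction(peers, exit_ip, now):
    """Fraction of peers an honest user behind exit_ip can still connect to."""
    return sum(p.accepts(exit_ip, now) for p in peers) / len(peers)

def simulate(n_peers, relaxed, seed=1):
    """Return (reachable during the ban, reachable after it) for one exit."""
    rng = random.Random(seed)
    # Relaxed policy: each peer enables the DoS mechanism with probability 1/2.
    peers = [Peer(dos_protection=(rng.random() < 0.5) if relaxed else True)
             for _ in range(n_peers)]
    exit_ip = "203.0.113.7"  # constructed address from the documentation range
    for p in peers:          # every peer sees misbehaviour from the shared exit
        p.receive(exit_ip, now=0, penalty=BAN_THRESHOLD)
    during = reachable_fraction(peers, exit_ip, now=1)
    after = reachable_fraction(peers, exit_ip, now=BAN_SECONDS + 1)
    return during, after
```

With the strict policy an honest user behind that exit can reach none of the peers until the ban expires; with the relaxed policy roughly half of them stay reachable throughout.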
Finally, Bitcoin developers can maintain and distribute a safe and stable list of onion addresses. Users who would like to stay anonymous would choose at least one address from such a list thus taking the responsibility of preventing man-in-the-middle attacks into their hands. The list that exists at present is out-of-date and may need a review.