Researchers have found a way to harvest unencrypted Tor network data from exit nodes and piece it together.
Deloitte Canada researchers Adam Podgorski and Milind Bhargava have also claimed to be able to obtain personally identifiable information (PII) of mobile users.
The irony is that Tor is both anonymising software and a network; it allows traffic to travel through numerous different networks to an exit point, with the aim of hiding where the traffic originated.
Many users choose to install a Tor browser on their mobile devices. The issue, however, lies with mobile applications installing Tor without the user’s knowledge, thus putting them at risk.
The researchers explained that the traffic comes from both iOS (5%) and Android (95%) systems, originating from applications that have taken Orbot code and implemented their solution.
One probable reason mobile developers are using Tor is that they assume Tor traffic is automatically encrypted.
“There appears to be a fundamental misunderstanding about what Tor is, with some mobile developers assuming using Tor protects HTTP (unencrypted) traffic from being seen,” Podgorski said.
The exit nodes the researchers had intentionally set up prevented browsers from using encrypted versions of websites, thus forcing devices to use regular HTTP. The data therefore arrived at the exit nodes without encryption, which is why the researchers were able to see user data.
All of this data could be used to “build a robust profile of an individual,” Podgorski warned.
The researchers have chosen not to disclose the names of the apps, the OEMs and advertisers that are responsible for the data leaks.
“About four months ago we reached out to everyone impacted by these insecure apps,” Bhargava said. “We still haven’t heard back from any of them.”
The PII the researchers were able to harvest from the Tor exit nodes included GPS coordinates, web addresses, keystrokes, browsing habits, OEM, IMEI numbers, IMSI numbers and phone numbers.
“Like a puzzle, all we had to do was associate all the same IMEI and IMSI numbers together to create a single user profile,” Podgorski said.
Asked how users can protect themselves, the researchers responded that there is currently nothing a user can do.
“We’re pretty sure what we found breaches GDPR on multiple levels,” said Podgorski at the SecTor security conference in Toronto. “But the issue is that governments can’t enforce the law if they’re not aware.”
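A check that developers could run against their own app's outbound requests, added here as an illustration and not taken from the researchers' work: it flags cleartext HTTP requests that carry the kinds of identifiers listed above. The sample URLs, the function names and the rule that a 15-digit value failing the Luhn check is treated as IMSI-like are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of outbound request URLs, as an app test proxy might log them.
SAMPLE_REQUESTS = [
    "http://ads.example.test/track?imei=490154203237518&loc=43.6426,-79.3871",
    "https://api.example.test/v1/sync?imei=490154203237518",
    "http://cdn.example.test/banner.png?size=320x50",
    "http://metrics.example.test/e?sub=302720123456789&msisdn=%2B14165550123",
]

GPS_RE = re.compile(r"^-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}$")
PHONE_RE = re.compile(r"^\+\d{8,15}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which valid IMEIs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str):
    """Return the kind of identifier a parameter value looks like, or None."""
    if re.fullmatch(r"\d{15}", value):
        # Assumption: a 15-digit value that fails Luhn is treated as IMSI-like.
        return "imei" if luhn_ok(value) else "imsi-like"
    if GPS_RE.match(value):
        return "gps"
    if PHONE_RE.match(value):
        return "phone"
    return None


def audit(urls):
    """List (host, kinds) for every cleartext request carrying identifiers."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # HTTPS payloads are not readable at the exit relay
        kinds = sorted({k for _, v in parse_qsl(parts.query) if (k := classify(v))})
        if kinds:
            findings.append((parts.hostname, kinds))
    return findings
```

Any finding means the request should move to HTTPS or stop sending the identifier, whether or not the app routes through Tor.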
The post #Privacy: Researchers have devised a method to scoop unencrypted Tor network traffic data appeared first on PrivSec Report.