Organizers of the Black Hat security conference that’s scheduled to take place next month in Las Vegas announced that a presentation detailing how the Tor network’s users can be de-anonymized has been cancelled.
Michael McCord and Alexander Volynkin, both researchers at Carnegie Mellon University’s CERT, were scheduled to give a talk titled “Have to be the NSA to Break Tor: Deanonymizing Users on a Budget.” The abstract of the presentation, which has been removed from the official Black Hat website, revealed that the researchers have found a way to break the anonymity network by “exploiting fundamental flaws in Tor design and implementation.” The experts claim to be able to identify the IP addresses of Tor users and even uncover the location of hidden services with an investment of less than $3,000.
“In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months,” the researchers said in the abstract of their presentation.
However, according to the event’s organizers, they had to remove the briefing from their schedule after the legal counsel for the Software Engineering Institute (SEI) and Carnegie Mellon University informed them that “Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet been approved by CMU/SEI for public release.”
Roger Dingledine, one of the original developers of the Tor Project, clarified on Monday that the organization had nothing to do with the decision to cancel the talk.
“We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made,” Dingledine said. “In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat Webpage.”
Dingledine also took the opportunity to encourage researchers who find vulnerabilities in Tor to disclose them responsibly.
“Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with,” he explained.
About the Author: Eduard Kovacs is a reporter for SecurityWeek