By Kim Zetter
A security researcher intercepted thousands of private e-mail messages
sent by foreign embassies and human rights groups around the world by
turning portions of the Tor internet anonymity service into his own
private listening post.
A little over a week ago, Swedish computer security consultant Dan
Egerstad posted the user names and passwords for 100 e-mail accounts
used by the victims, but didn't say how he obtained them. He revealed
Friday that he intercepted the information by hosting five Tor exit
nodes placed in different locations on the internet as a research
Tor is a sophisticated privacy tool designed to prevent tracking of
where a web user surfs on the internet and with whom a user
communicates. It's endorsed by the Electronic Frontier Foundation and
other civil liberties groups as a method for whistleblowers and
human-rights workers to communicate with journalists, among other uses.
It's also used by law enforcement and other government agencies to visit
websites anonymously to read content and gather intelligence without
exposing their identity to a website owner.
But Egerstad says that many who use Tor mistakenly believe it is an
end-to-end encryption tool. As a result, they aren't taking the
precautions they need to take to protect their web activity.
He believes others are likely exploiting this oversight as well.
"I am absolutely positive that I am not the only one to figure this
out," Egerstad says. "I'm pretty sure there are governments doing the
exact same thing. There's probably a reason why people are volunteering
to set up a node."
Victims of Egerstad's research project included embassies belonging to
Australia, Japan, Iran, India and Russia. Egerstad also found accounts
belonging to the foreign ministry of Iran, the United Kingdom's visa
office in Nepal and the Defence Research and Development Organization in
India's Ministry of Defence.
In addition, Egerstad was able to read correspondence belonging to the
Indian ambassador to China, various politicians in Hong Kong, workers in
the Dalai Lama's liaison office and several human-rights groups in Hong
Egerstad says it wasn't just e-mail that was exposed but instant
messages passed internally between workers and any other web traffic
that crossed the network. Among the data he initially collected was
e-mail from an Australian embassy worker with the subject line referring
to an "Australian military plan."
"It kind of shocked me," he says.
Tor has hundreds of thousands of users around the world, according to
its developers. The largest numbers of users are in the United States,
the European Union and China.
Tor works by using servers donated by volunteers around the world to
bounce traffic around en route to its destination. Traffic is encrypted
through most of that route, and routed over a random path each time a
person uses it.
Under Tor's architecture, administrators at the entry point can identify
the user's IP address, but can't read the content of the user's
correspondence or know its final destination. Each node in the network
thereafter only knows the node from which it received the traffic, and
it peels off a layer of encryption to reveal the next node to which it
must forward the connection. (Tor stands for "The Onion Router.")
But Tor has a known weakness: The last node through which traffic passes
in the network has to decrypt the communication before delivering it to
its final destination. Someone operating that node can see the
communication passing through this server.
The Tor website includes a diagram showing that the last leg of traffic
is not encrypted, and also warns users that "the guy running the exit
node can read the bytes that come in and out of there." But Egerstad
says that most users appear to have missed or ignored this information.
Unless they're surfing to a website protected with SSL encryption, or
use encryption software like PGP, all of their e-mail content, instant
messages, surfing and other web activity is potentially exposed to any
eavesdropper who owns a Tor server. This amounts to a lot of
eavesdroppers -- the software currently lists about 1,600 nodes in the
Egerstad discovered the problem about two months ago when he signed up
five servers he owns in Sweden, the United States and Asia to be Tor
nodes, and started peeking at the traffic. He was surprised to discover
that 95 percent of the traffic that passed through his Tor nodes was not
Even more surprising was the number of embassies and other government
agencies that were using Tor, and using it incorrectly.
That prompted Egerstad to narrow his search to e-mail correspondence
with a focus on government agencies. He wrote a script to search for
.gov domains and keywords such as "embassy," "war" and "military," and
focused on sniffing port-25 traffic, the port through which e-mail
He collected between 200 and 250 accounts belonging to embassies and
government agencies that were sending passwords and the content of
correspondence in the clear. None of them belonged to U.S. embassies or
Among the data he found in the correspondence was a spreadsheet listing
passport numbers and personal information about the passport holders, as
well as sensitive details about meetings and activities among government
Egerstad contacted one account holder about his vulnerability but was
ignored, he says. So on Aug. 30 he posted 100 of the accounts and
passwords online to get the word out, but kept largely mum about how
he'd obtained the information.
Since posting the data, he says only one victim has contacted him to
find out what they were doing wrong and learn how to fix it: Iran. In
addition to Iran's Ministry of Foreign Affairs, the country's embassies
in Ghana, Kenya, Oman and Tunisia were swept up by Egerstad's
Shava Nerad, the development director for the nonprofit group that
supports Tor, admits the group needs to produce better documentation for
users to make the risks of the system clearer. But she adds that people
in high-risk environments, such as embassies, should understand those
risks already and should be encrypting their communication on their own.
"If you're in a position like that handling sensitive data and you're
working for the government," she says, "it is irresponsible to send that
data unencrypted. They should institute practices that educate their
users and ensure the privacy of the data by going through encrypted
Egerstad says he has shut down his Tor nodes.
Visit the InfoSec News Bookstore