Internet privacy and security course
About translation
Previous Next

Chapter 70

Timing attack. How the special services deanonymize the users of messengers

Imagine a situation that you are an employee of a special service and your task is to detect a particularly dangerous criminal who is engaged in blackmailing and who appears on the network periodically with the only purpose of data transmission. For criminal activity they have a separate laptop, from which they “cut out” a microphone, speakers and a camera, which is a reasonable decision, given that the speakers also know how to listen over.

They use Tails as the operating system, although for maximum anonymity it would be worth taking Whonix. Anyway, all the traffic goes through Tor, they do not trust the VPN, and they still need to work on the Darknet Tor.

For communication, they use Jabber with PGP-encryption, they could install Telegram, but this is a representative of the old school criminals. Even if you have access to the Jabber server, you can only get encrypted data and Tor's IP addresses, which is useless information.

The criminal works on the principle of "the silence is gold", they neither will say too much, nor will open a link or a file. It is only known that they are supposed to be in the same country as you are. It would seem that there is no chance to establish their identity, but this is an illusion, it is possible to identify one despite all the measures they take.

The described case is ideal for the application of timing attack on the messenger. The first thing you need is a program that will track and record all the user’s logging in and out. They appeared on the network, the system immediately marked the time, once they left, the system recorded the exit time.

Now you have a log of their activity for a few days, it’s time to use the OSA system (operational search activities). Such systems are at the disposal of the special services of most countries, in Russia it is SORM. You need to find out who has connected to the Tor network in your country in these time intervals +/- 5 minutes.

We know that the target that needs to be deanonymized connected on 04/22/2018 at 11:07 and logged out at 12:30. At the same time points (+/- 5 minutes) in the country 3,000 people connected to the Tor network and disconnected from it. We take these 3000 and see which of them re-connected at 14:17 and disconnected at 16:54, how do you think how many people will remain?

Thus, step by step, the circle is narrowed and in the end you will be able to detect the place of access to the criminal's network. The more often they enter the network and the less other users at this time are, the faster the timing attack will work out.

What can prevent the timing attack

The constant change of network access points makes such an attack meaningless. If the target changes the exit points periodically, this may make it difficult to search, but it is in advance an acceptable option and it is not able to confuse the system.

We hope that our readers do not belong to the wanted criminals and they will not have to wander from one cafe with public Wi-Fi to another. However, the second advice against timing attacks is to take advantage of everyone. It is about disabling the transfer of information on the status at the messenger level or about adjusting a permanent “offline” status. Most instant messengers provide one of these possibilities.

 

Tip

If your messenger can hide information about your status, hide this information.

An additional tool to protect against timing attacks can be the way to stop switching on the messenger along with the connection to the network. As you can understand from the description of the attack, the time of logging in ang out to the network and getting a connection and moving offline in the messenger can be checked. The error is allowed, but it should not be very large.

If the target of the attack connects to Tor and only after an hour starts the messenger, it will be very difficult to connect the network entrance and status in the messenger. In addition, timing attacks are absolutely useless against the anonymous Bitmessage messenger.

Previous
5202
Next