A security researcher intercepted thousands of private e-mail messages sent by foreign embassies and human rights groups around the world by turning portions of the Tor internet anonymity service into his own private listening post.
A little over a week ago, Swedish computer security consultant Dan Egerstad posted the user names and passwords for 100 e-mail accounts used by the victims, but didn't say how he obtained them. He revealed Friday that he intercepted the information by hosting five Tor exit nodes placed in different locations on the internet as a research project.
Tor is a sophisticated privacy tool designed to prevent tracking of where a web user surfs on the internet and with whom a user communicates. It's endorsed by the Electronic Frontier Foundation and other civil liberties groups as a method for whistleblowers and human-rights workers to communicate with journalists, among other uses.
It's also used by law enforcement and other government agencies to visit websites anonymously to read content and gather intelligence without exposing their identity to a website owner.
But Egerstad says that many who use Tor mistakenly believe it is an end-to-end encryption tool. As a result, they aren't taking the precautions they need to take to protect their web activity.
He believes others are likely exploiting this oversight as well.
"I am absolutely positive that I am not the only one to figure this out," Egerstad says. "I'm pretty sure there are governments doing the exact same thing. There's probably a reason why people are volunteering to set up a node."
Victims of Egerstad's research project included embassies belonging to Australia, Japan, Iran, India and Russia. Egerstad also found accounts belonging to the foreign ministry of Iran, the United Kingdom's visa office in Nepal and the Defence Research and Development Organization in India's Ministry of Defence.
In addition, Egerstad was able to read correspondence belonging to the Indian ambassador to China, various politicians in Hong Kong, workers in the Dalai Lama's liaison office and several human-rights groups in Hong Kong.
Egerstad says it wasn't just e-mail that was exposed but instant messages passed internally between workers and any other web traffic that crossed the network. Among the data he initially collected was e-mail from an Australian embassy worker with the subject line referring to an "Australian military plan."
"It kind of shocked me," he says.
Tor has hundreds of thousands of users around the world, according to its developers. The largest numbers of users are in the United States, the European Union and China.
Tor works by using servers donated by volunteers around the world to bounce traffic around en route to its destination. Traffic is encrypted through most of that route, and routed over a random path each time a person uses it.
Under Tor's architecture, administrators at the entry point can identify the user's IP address, but can't read the content of the user's correspondence or know its final destination. Each node in the network thereafter only knows the node from which it received the traffic, and it peels off a layer of encryption to reveal the next node to which it must forward the connection. (Tor stands for "The Onion Router.")
But Tor has a known weakness: The last node through which traffic passes in the network has to decrypt the communication before delivering it to its final destination. Someone operating that node can see the communication passing through this server.
The Tor website includes a diagram showing that the last leg of traffic is not encrypted, and also warns users that "the guy running the exit node can read the bytes that come in and out of there." But Egerstad says that most users appear to have missed or ignored this information.
Unless they're surfing to a website protected with SSL encryption, or use encryption software like PGP, all of their e-mail content, instant messages, surfing and other web activity is potentially exposed to any eavesdropper who owns a Tor server. This amounts to a lot of eavesdroppers -- the software currently lists about 1,600 nodes in the Tor network.
Egerstad discovered the problem about two months ago when he signed up five servers he owns in Sweden, the United States and Asia to be Tor nodes, and started peeking at the traffic. He was surprised to discover that 95 percent of the traffic that passed through his Tor nodes was not encrypted.
Even more surprising was the number of embassies and other government agencies that were using Tor, and using it incorrectly.
That prompted Egerstad to narrow his search to e-mail correspondence with a focus on government agencies. He wrote a script to search for .gov domains and keywords such as "embassy," "war" and "military," and focused on sniffing port-25 traffic, the port through which e-mail passes.
He collected between 200 and 250 accounts belonging to embassies and government agencies that were sending passwords and the content of correspondence in the clear. None of them belonged to U.S. embassies or government agencies.
Among the data he found in the correspondence was a spreadsheet listing passport numbers and personal information about the passport holders, as well as sensitive details about meetings and activities among government officials.
Egerstad contacted one account holder about his vulnerability but was ignored, he says. So on Aug. 30 he posted 100 of the accounts and passwords online to get the word out, but kept largely mum about how he'd obtained the information.
Since posting the data, he says only one victim has contacted him to find out what they were doing wrong and learn how to fix it: Iran. In addition to Iran's Ministry of Foreign Affairs, the country's embassies in Ghana, Kenya, Oman and Tunisia were swept up by Egerstad's experimental surveillance.
Shava Nerad, the development director for the nonprofit group that supports Tor, admits the group needs to produce better documentation for users to make the risks of the system clearer. But she adds that people in high-risk environments, such as embassies, should understand those risks already and should be encrypting their communication on their own.
"If you're in a position like that handling sensitive data and you're working for the government," she says, "it is irresponsible to send that data unencrypted. They should institute practices that educate their users and ensure the privacy of the data by going through encrypted VPNs."
Egerstad says he has shut down his Tor nodes.
