Using bitcoin over the anonymity network Tor leaves users at greater risk of having their identities revealed, according to academics at the University of Luxembourg.
If that seemingly paradoxical finding isn't enough to scare privacy-loving bitcoiners, the researchers also determined that an attack could be mounted on an "economy" budget of just $2,500 a month.
Such an attack could expose the identity of a bitcoin and Tor user, and allow the attacker to meddle with the victim's transactions, they said.
Ivan Pustogarov, one of the two researchers working on the issue, explained:
"The problem here is with anonymity. When people are connecting through Tor, they are expecting to have a higher level of anonymity ... it does provide some level of anonymity, but it is not that hard to break this."
The attack is laid out in a paper titled, Bitcoin Over Tor Isn't A Good Idea, written by Pustogarov, a doctoral student at CryptoLUX, the University of Luxembourg's cryptology research group, and Alex Biryukov, an associate professor who leads the group.
Pustogarov said the paper is to be submitted for peer-review to be presented at a cryptography and information security conference.
'Virtual bitcoin reality'
The sort of manipulation described by the authors is known as a 'man-in-the-middle' attack (MitM) and, if successful, could reveal a user's IP address, which can be used to locate the user, and allow an attacker to 'glue', or correlate, the transactions performed by that user from different bitcoin addresses.
The paper states:
"A low-resource attacker can gain full control of information flows between all users who chose to use bitcoin over Tor. In particular the attacker can link together user's transactions regardless of pseudonyms used ... and a totally virtual bitcoin reality can be created for such ... users."
As a result, a victim would also be at the attacker's mercy regarding information about his transactions, since they would be able to delay or discard a victim's transactions or blocks.
In an extreme scenario, a bad actor could even dupe a victim into thinking they had received bitcoin when in fact they had not (a so-called 'double-spending attack'), Pustogarov said.
This sort of attack would have ramifications for privacy-seeking merchants, on dark web markets, for instance. A dark web merchant would also be at risk of being outed by rival businesses or disgruntled customers by such an attack.
Despite the MitM's ability to compromise a victim's privacy, it would not, however, be able to steal a victim's funds. Their wallet and transactions are safe, even if the attack was successfully mounted, the researcher confirmed, adding:
"The wallets are safe; bitcoins cannot be stolen. The attack is not that great."
How the attack works
Pustogarov and Biryukov dreamed up the attack by focusing on a little-known aspect of the bitcoin protocol, its built-in protection against a denial of service attack (DoS). To protect themselves, bitcoin servers award points to clients that send them problematic transactions. When a client racks up 100 points, the server bans it for 24 hours.
In an earlier paper, also focused on anonymity risks on the bitcoin network, the authors described a way to exploit this DoS protection to prevent Tor from being used to connect to the bitcoin network.
They explained that, when a Tor user connects to the bitcoin network, his or her IP address is not revealed. Instead, the bitcoin server sees the address of the connected Tor 'exit node', a type of server. As a result, an attacker could send enough bad transactions over Tor to get all the exit nodes banned by the bitcoin network.
The authors build on that approach in their current paper. They say that a smart attacker could set up a number of bitcoin servers and Tor exit nodes before exploiting the DoS protection system to ban other Tor exit nodes from the bitcoin network.
When a victim uses Tor to connect to the bitcoin network, he will be left with only the attacker's bitcoin servers to connect to, since he has been banned by all other servers. The attacker is now in control of all the information relayed to the user.
Pustogarov and Biryukov estimate that the attack can be mounted for between $2,500 and $7,200 a month. This range would be required to guarantee sufficient bandwidth and/or multiple IP addresses for the attacks.
At the lower limit, an attacker could control a significant portion of Tor exit node bandwidth, allowing him to direct a victim to a malicious bitcoin server. With this amount of bandwidth, a victim would take under three minutes, on average, before connecting to a bitcoin server controlled by an attacker, Pustogarov said.
Detection and fixes
There is some good news, however. Pustogarov noted that such an attack could be monitored fairly easily, by creating a program to check the percentage of Tor exit nodes banned by the bitcoin network at any given time, explaining:
"If somebody decides to monitor if this attack is being carried out, he will be able to detect it immediately."
The paper also outlines some ways of countering the attack, although they all require fundamental changes to the bitcoin protocol. The DoS protection system could be changed so that it only runs on half of all servers, by random selection, at any given time, for example.
The use of Tor to increase anonymity with other applications has also proved problematic in some cases. For instance, earlier research showed that using BitTorrent, the popular decentralised file-sharing protocol, over Tor resulted in IP addresses getting leaked.
"Tor is not a panacea ... and not all applications are anonymised equally well when combined with Tor," the paper states.
Pustogarov is optimistic that continued research will dispel myths around the levels of anonymity afforded by the digital currency:
"Right now, users and researchers are starting to understand more about anonymity of bitcoin. When I heard about black markets like Silk Road that were using bitcoin, I had the impression that bitcoin is anonymous."
Anonymity image via Shutterstock