As a Quicker and More Private Alternative to Tor Emerges, Should We Be Concerned Over the Potential Applications Cybercrime Will Find for HORNET?

High-speed Onion Routing at the Network Layer (HORNET) is the promise of high-speed, 93 Gbps, encrypted, anonymized browsing. Remind you of Tor? It’s not so far off from The Onion Router, and it even relies on the same core concepts that Tor’s inventors implemented. In terms of the anonymizers available nowadays, Tor is by far the most popular free option, lending Internet users the ability to keep their identities and communications concealed from prying eyes.

Obviously, Tor is also very popular among cybercriminals and their circles, the most infamous of all being Silk Road, an online marketplace for illegal drugs and services that was operated as a Tor hidden service. Hidden service means that connections are only accepted from other Tor nodes, essentially keeping the communication even more private. In May 2015, Silk Road was exposed, and its founder, Ross Ulbricht, was sentenced to life in prison for his role in running it. But Silk Road was neither the first nor last of its kind, and it’s definitely not the only one out there. Cybercriminals are avid users of Tor because it lends them the ability to conceal their misdoings from law enforcement agencies, security researchers and hostile peers.

One thing that cybercriminals aim to do and find challenging is the routing of real-time criminal activity through an anonymizer. This would allow them to commit their crimes under a cloak of anonymity with the sort of obfuscation that would effectively hide their whereabouts and the sourcing of fraudulent wire transfers or other illicit online transactions. The biggest hindrance? Tor and similar services such as I2P are simply too slow! The encryption-decryption schemes that take place inside these large networks slow things down quite a bit on the Internet, and this latency is what keeps cybercriminals from being able to abuse anonymizers in an even larger variety of illegitimate activities than they already do.


Now HORNET has entered the anonymizing arena. A new player that’s still not publicly available, HORNET was developed on the same ideas that gave rise to Tor, conceptualized by five scientists from Zurich- and London-based universities. What this team has created is the basis for a new anonymizing network that is much like Tor, only more secure and, supposedly, much, much faster. While the current Dark Web mostly consists of Tor and I2P nodes that are being used for anonymizing Internet traffic, content and sources, HORNET promises to deliver “Internet-scale anonymous communication.”

Are you wondering what “more secure” would mean within this context? Well, it means more private. The founders claim it will have double the encryption that Tor has and run much more quickly. Just like Tor, HORNET encrypts encapsulated network requests, with each layer being decrypted by the nodes passing the traffic along to the next one, along with instructions on the data’s route and destination. Unlike Tor, HORNET uses two different onion protocols for protecting the anonymity of requests to the open Internet. It also features a modified version of Tor’s public rendezvous point (RP) scheme for communications carried out in the hidden service mode.

As for the main feature that sets HORNET apart — speed — the researchers have measured speeds of 93 Gbps when they tested HORNET between their universities in Switzerland and the U.K.

Behind this high-speed anonymizing power, HORNET’s founders indicate it uses source-selected paths and shared keys between routers to support the anonymity of communications. This means that while data is not encrypted as often as it is inside the Tor network, it still remains highly anonymized. And since there are less encryption-decryption occurrences, the entire delivery is faster and much closer to real time.

This is indeed exciting news, and many people who care about their privacy are going to be much happier about being able to use faster Internet at last. Think about activists, people who live under oppressing regimes, journalists in foreign countries, whistleblowers and your average next door neighbor who just wishes to keep his business away from dragnet surveillance or third-party monitoring — they could all benefit from such a service.

HORNET, like other anonymizers before it, is an inherently legitimate network. What we should be thinking about at the same time is that security and integrity have to be built into it right from the get-go rather than bolted on as an afterthought.

Cybercrime Loves Anonymity

If I could name one factor that helps cybercriminals feel more comfortable committing online crimes, it is by far the ability to remain unknown. It’s no wonder anonymizing tools and techniques are and always have been an important part of how criminals handle themselves online.

It’s also easy to understand that if Tor is attractive in that regard, then a faster, double-encrypted version of it will be twice as interesting to cybercriminals, offering them that x factor they have been hoping for: an anonymizer fast enough for real-time online fraud.

Nowadays, when cybercriminals attack online banking customers with banking Trojans, they can use their own devices, which is when they opt to go with some sort of anonymizer. In those cases, they must initiate the login and transaction from a node that conceals their true IP address and the data it exchanged with the bank.

But what cybercriminals shy away from is using anonymizers in scenarios where the fraud requires real-time interaction with victims, such as via webinjections and when they must use a one-time, time-based password. The latency of anonymized browsing prevents the criminal from leveraging it efficiently, and they have to come up with other creative means to keep their true IP hidden, usually by proxying their activity through the victim’s own machine.

Another thing fraudsters would like to do but avoid using anonymizers for is remote access to their victims’ machines using a RAT, VNC or poisoned TeamViewer malware. Here, too, adding more sluggishness to the already slower operation is not a preferred route.

The inevitable question is will HORNET solve these latency issues so well that it unintentionally enables criminals by removing barriers? Will it allow criminals to abuse HORNET’s capabilities for their real-time fraud scenarios, affording them higher speed and added privacy they did not have with Tor, I2P and the like?

Wait, Do These Anonymizers Really Hide Criminals?

Do anonymizers really hide criminals? The short reply is yes. But, like many things in life, it depends. The longer reply is that, just like anything, anonymizers can be attacked in a variety of ways, which can strip its users of the anonymity they enjoy inside the network.

If you’re thinking the government also surveils anonymizing networks, then you’d be correct. Law enforcement must expose people at the origin of certain types of activity in order to prosecute them for their crimes. Some have claimed that it’s also possible to be under surveillance after just expressing interest in anonymizing networks. The anonymizers we know today are not 100 percent bulletproof in the sense that they do not fully conceal everyone from everything.

Here, too, another question arises: In those cases where criminals are hiding via anonymizing services or public safety is at risk, will law enforcement be able to decrypt the doubled obfuscation that HORNET will implement? Or when terrorists use these networks to conceal their nefarious activity, will a stronger and speedier anonymizer not hinder national security?

And while not as critical in terms of human lives, will it mean that cybercriminals will be safe inside HORNET and make banks and everyday users pay for privacy with their hard-earned cash?

What’s Next?

So far, HORNET is still in testing and is not a fully public network scaled to millions of users. Not even the founders of HORNET know how it will behave once the number of users grows considerably. Yes, the current protocol might be capable of 93 Gbps, but once the network is up, the speed is also subject to exit nodes and internal hosts. The main issue with Tor being notoriously slow is that the exit nodes are swamped with connections and bandwidth is starved. Whether HORNET has a true fix for this problem remains to be seen. One thing is certain, however: HORNET will be very popular in its initial phases because that’s when it will be at its fastest.

The questions I bring to you are part of my thoughts on the matter, from the cybercrime prevention and risk assessment points of view. I think we should be asking these questions as soon as new technology advances emerge for the sake of preparation and intelligent response, not after we see the first organization hit.

At this point, the recommended action is to keep an eye out for what’s to come and also to examine internally how your organization detects and communicates with anonymizer nodes. Then, keeping in mind that your indicators may see a change once HORNET goes into the next phase, define the ways your organization will recognize connections with such nodes and treat the communications they source.

This is applicable to any and all organizations, but it carries more immediate implications for service providers that must accurately identify online users, especially those that rely on IP addresses and HTTP referrers. Financial services, online wallets, online gaming, government and military resources are especially risk-averse in this case. They should use adapted security solutions that can identify connections from anonymizer nodes and properly alert security teams when the risk of access or transactions rises.

more from Threat Intelligence

A Response Guide for New NSA and CISA Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) recently published a report highlighting a range of critical security vulnerabilities requiring attention from organizations of all types. The report was published with input from the National Security Agency (NSA) and similar agencies worldwide. It should be considered essential reading.  Many of the vulnerabilities in the report are not new. Instead, the report…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security…