UPDATE: Researcher claims to identify Tor users by mouse movements

Researcher develops proof-of-concept to identify Tor users by their mouse movements.

A Barcelona-based security researcher has developed a proof-of-concept that he claims can identify Tor users based on how they move their mice.

Researcher Jose Carlos Norte has developed a series of fingerprinting methods based on JavaScript that measure time, mouse wheel movements, mouse speed movements, CPU benchmarks and getClientRects, according to a Mar. 6 post on the researcher's site.

Norte said that if a website is able to generate a unique fingerprint that identifies each user who enters the page, then it is possible to track a user's activity and correlate visits with that user.

“Every user moves the mouse in a unique way,” Norte told Vice's Motherboard in an online chat. “If you can observe those movements in enough pages the user visits outside of Tor, you can create a unique fingerprint for that user,” he said. Norte recommended users disable JavaScript to avoid being fingerprinted.

Security researcher Lukasz Olejnik told Motherboard he doubted Norte's findings and said a threat actor would need much more information, such as acceleration, angle of curvature, curvature distance, and other data, to uniquely fingerprint a user.

Based on two official bug reports that mention Norte's exploits, it appears that developers are looking into the issue.

Co-founder of the Tor Project Roger Dingledine said in comments emailed to SCMagazine.com it's great to see more research into fingerprinting attacks, which continue to gain importance as unscrupulous advertisers try to track users on the web. 

"The time-based fingerprinting ideas we're talking about here underscore the progress that Tor Browser has made on closing down all of the easy tracking avenues," Dingledine said. "The trick now is to close down the 'noisier' (less precise) tracking avenues while still maintaining usability," he added. 

UPDATE: This story has been updated to include comments from Roger Dingledine, co-founder of the Tor Project.
