WHY THIS MATTERS IN BRIEF
The Tor network protects the anonymity of users on the Dark Web; now researchers think it’s the perfect tool to secure the Internet of Things.
The privacy software Tor has helped everything from drug-dealing marketplaces to whistleblowing websites evade surveillance on the Darknet, the shadowy underbelly of the internet. Now it turns out that Tor can be applied to a far more personal form of security – keeping hackers from gaining access to your connected home.
On Wednesday, the privacy-focused nonprofit Guardian Project, a partner of the Tor Project that maintains and develops the Tor anonymity network, announced a new technique it has developed to apply Tor’s layers of encryption and network stealth to protecting Internet of Everything and Connected Home devices that are, increasingly, the target of choice for today’s new generation of hackers. Those hacks include harassing infants via baby monitors and stealing your Gmail password from your fridge.
How it works
The Guardian Project turned a simple Raspberry Pi into a smart hub running open source software called HomeAssistant that acts as a Tor hidden service – the same application of Tor that obscures the location of servers running Darkweb sites. The result, says Guardian Project director Nathan Freitas, is a far stealthier and more secure way to connect your smart home to the Internet, while still keeping it safe from potential digital attacks.
“All we did was pull these pieces together to demonstrate a proof-of-concept for the role Tor can play in your home,” says Freitas, who’s also a fellow at Harvard’s Berkman Klein Center for Internet and Society.
“It’s turning your Internet of Everything hub into a hidden service.”
In fact, Freitas’ setup doesn’t merely turn your smart home hub into a normal Tor hidden service, which is usually designed to allow anyone access to a website while routing the traffic over Tor’s network of thousands of volunteer computers to prevent visitors from knowing where the computer that hosts the site is physically located. Instead, the smart home system uses a lesser-known feature of Tor called an authenticated hidden service.
Tor’s intermediary computers can’t connect to the destination computer at all without you entering a certain passcode, which Freitas describes as a “cookie.” You can still get to your baby monitor via an app or the web, but a potential hacker won’t even be able to find it.
“If you add authentication, only people with this cookie can even connect to your smart home hub,” says Freitas, “without it, Tor doesn’t even let you route to that service.”
This will make your smart home safer, but much more annoying to set up. The system requires any device you use to manage your smart home hub to run Tor and include the right code in what’s known as the Tor relay configuration file. And altering those torrc files represents just one of the complicated steps required to set up the system. In fact, the Guardian Project hasn’t even tested that configuration on iOS devices yet, preferring instead to test it only on a desktop Tor Browser and the Android Tor app Orbot.
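As an added illustration (not the Guardian Project's code), the Python below audits a torrc for hidden services that lack the client authorization described above. It assumes the torrc options Tor used for authenticated hidden services when this prototype was announced (HiddenServiceAuthorizeClient on the hub, HidServAuth on the client); the paths, the client name "phone" and the use of Home Assistant's default port 8123 are constructed for the example.

```python
"""Audit a torrc for hidden services that lack client authorization."""

# Constructed sample torrc: paths and the client name "phone" are made up.
# 8123 is Home Assistant's default web port (assumed for the hub here).
SAMPLE_TORRC = """\
# reachable by anyone who learns the .onion address
HiddenServiceDir /var/lib/tor/hass_open/
HiddenServicePort 80 127.0.0.1:8123

# reachable only by clients configured with the matching auth cookie
# (client side: HidServAuth <onion-address> <auth-cookie>)
HiddenServiceDir /var/lib/tor/hass_auth/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth phone
"""


def parse_onion_services(torrc_text):
    """Group HiddenService* options under the HiddenServiceDir they follow."""
    services = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # match option names regardless of case
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            services.append({"dir": value, "ports": [], "auth": None})
        elif key.startswith("hiddenservice"):
            if not services:
                raise ValueError(f"{parts[0]} appears before any HiddenServiceDir")
            if key == "hiddenserviceport":
                services[-1]["ports"].append(value)
            elif key == "hiddenserviceauthorizeclient":
                auth_type, _, names = value.partition(" ")
                clients = [n.strip() for n in names.split(",") if n.strip()]
                services[-1]["auth"] = (auth_type, clients)
    return services


def unauthenticated_services(torrc_text):
    """Return each HiddenServiceDir that has no authorized client listed."""
    return [s["dir"] for s in parse_onion_services(torrc_text)
            if not s["auth"] or not s["auth"][1]]


if __name__ == "__main__":
    for path in unauthenticated_services(SAMPLE_TORRC):
        print(f"no client authorization: {path}")
```

Current Tor releases configure client authorization for v3 onion services through key files (an `authorized_clients` directory on the service, `ClientOnionAuthDir` on the client) rather than these torrc lines, so the equivalent check there is for the presence of `.auth` files.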
Though it’s far less user-friendly than commercial alternatives like Samsung SmartThings, Google Home, and Apple’s Homekit, Tor Project executive director Shari Steele nonetheless calls the prototype an “early but important milestone” in using Tor to secure home devices.
“The Tor Project wants Tor privacy technology to be integrated into everyday life,” said Steele, “so that privacy and security are built in.”
And what you give up in convenience, you gain in security. Freitas points out that commercial smart home setups require you to open parts of your home firewall to allow devices to be reached remotely, or require you to trust the cloud setup of the company that ties your remote device and your home devices together. But those options can leave your gadgets open to vulnerabilities introduced by the devices’ vendors and allow them to be spotted by internet scanning tools like Shodan.
“Just having a public IP presence for anything opens up so many possibilities,” says Freitas, “if a device can be discovered, its vulnerability then depends on the manufacturer’s attention to security,” he adds.
“When you’re talking about a lightbulb from some third party OEM vendor from deepest China, you don’t want to rely on that.”
While his HomeAssistant setup is mostly just a proof-of-concept designed to demonstrate a new form of security for DIY types, Freitas says he hopes it might also convince more mainstream connected gadget companies to take a similar approach, and consider integrating Tor.
“We want to introduce the idea that Tor can be used this way, and to advocate that IoE vendors adopt and innovate with it,” Freitas says.
“We’re ready to work with anyone interested in doing that.”