A Quick, Simple Guide to Tor and the Internet of Things (So Far)

by ailanthus | July 20, 2016

"The Internet of Things" is the remote control and networking of everyday devices ranging from a family's lawn sprinkler or babycam to a corporation's entire HVAC system.

Tor Project contributor Nathan Freitas, Executive Director of The Guardian Project, has developed a new way to use Tor's anonymous onion services to protect the "Internet of Things." The new system, while experimental, is also scalable.

The system uses Home Assistant, a free, open-source platform built on Python, that can run on Raspberry Pi and other devices. It easily can be set up to control and network people’s “Internet of Things” —home security systems, toasters, thermostats, smart lightbulbs, weather sensors and other household appliances. The new "Tor Onion Service Configuration" setup is available on their website.

"The Tor Project wants Tor privacy technology to be integrated into everyday life so that people don't have to log on to it—their privacy and security are built in. Nathan's work with Home Assistant is an early but important milestone," said Shari Steele, Tor's Executive Director.

The great danger with the "Internet of Things" (or IoT) is the opportunity for surveillance--for an individual hacker or a state actor to accumulate, store, and exploit very private information against individuals or companies.

These attacks are far from hypothetical: We've read about the ability for an attacker to see and speak to a baby through a babycam or hack and control a car. Attackers stole 40 million credit card numbers after they hacked into a national retailer's HVAC system and used it to reach their computer system and their customers.

Tor has developed a way to build a buffer of privacy between the baby and the Internet--so that the baby (or the HVAC system) is never exposed to the open Internet at all. Instead of a hackable, single point of failure, attackers must contend with the global network of thousands of Tor nodes.

"Too many 'Things' in our homes, at our hospitals, in our businesses and throughout our lives are exposed to the public Internet without the ability to protect their communication. Tor provides this, for free, with real-world hard ended, open-source software and strong, state of the art cryptography," said Nathan Freitas, Executive Director of the Guardian Project.

“Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.”

--"DON'T PANIC," Berkman Klein Center's report on encryption
https://cyber.law.harvard.edu/pubrelease/dont-panic/

More Information:

• Guardian Project video explaining the Tor/Home Assistant system: https://www.youtube.com/watch?v=j2yT-0rmgDA

• Guardian Project's easy-to-understand slides:
https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%2…

• Home Assistant page on setting up Tor:
https://home-assistant.io/cookbook/tor_configuration/

Comments

Please note that the comment area below has been archived.

July 21, 2016

Permalink

Here is another article on this valuable initiative:

https://theintercept.com/2016/07/20/tor-could-protect-your-smart-fridge…
Tor Could Protect Your Smart Fridge From Spies and Hackers
Jenna McLaughlin
20 Jul 2016

> There’s a growing fear that the exploding internet of things — from baby cams to pacemakers — could be a goldmine for spies and criminal hackers, allowing them access to all kinds of personal photos, videos, audio recordings, and other data. It’s a concern bolstered by remarks from top national security officials.

Some Tor users have been calling for Tor Project and like-minded human rights and civil liberties advocacy groups to pressure EU politicians and tech industry leaders* to engineer incentives aimed at growing a privacy industry. This might be a lost cause in the US, but I think some politicians in countries like Germany would be receptive.

In particular, some Tor users have been calling for inexpensive but reliable devices which can help consumers verify that their own devices are behaving well. For example, someone might want to check that their smart phone has not been surreptitiously "hot-miked" (remotely turned in an audio bug which transmits your IRL conversations to a government agency, even though the phone appears to be "turned off".

Or someone might want to verify that they really have disabled geolocation services on their WiFi devices. Journalists reporting from active war zones have been successfully targeted by hostile governments for assassination by drone/air strike. This is the exactly the scenario which a pair of gifted security researchers are working to prevent:

https://theintercept.com/2016/07/21/edward-snowdens-new-research-aims-t…
Edward Snowden’s New Research Aims to Keep Smartphones from Betraying Their Owners
Micah Lee
21 Jul 2016

> In early 2012, Marie Colvin, an acclaimed international journalist from New York, entered the besieged city of Homs, Syria while reporting for London’s Sunday Times. She wrote of a difficult journey involving “a smugglers’ route, which I promised not to reveal, climbing over walls in the dark and slipping into muddy trenches.” Despite the covert approach, Syrian forces still managed to get to Colvin; under orders to “kill any journalist that set foot on Syrian soil,” they bombed the makeshift media center she was working in, killing her and one other journalist, and injuring two others.

Unfortunately, the site which published their paper is blocking Tor!

https://www.pubpub.org/pub/direct-radio-introspection

* Tech industry leaders: presumably not including anti-democracy billionaire Peter Thiel, cofounder of Palantir (one of the authoritarian-enabling firms which conspired in a disinformation/disruption scheme targeting journalist Glenn Greenwald, US high school students in Seattle, and others):

https://www.theguardian.com/technology/2016/jul/21/peter-thiel-republic…
Donald Trump, Peter Thiel and the death of democracy
Ben Tarnoff
21 Jul 2016

> What Trump offers Thiel isn’t just an excuse to be contrary and politically incorrect. Trump gives Thiel something far more valuable: a way to fulfill his long-held ambition of saving capitalism from democracy. In a 2009 essay called The Education of a Libertarian, Thiel declared that capitalism and democracy had become incompatible. Since 1920, he argued, the creation of the welfare state and “the extension of the franchise to women” had made the American political system more responsive to more people – and therefore more hostile to capitalism. Capitalism is not “popular with the crowd”, Thiel observed, and this means that as democracy expands, the masses demand greater concessions from capitalists in the form of redistribution and regulation. The solution was obvious: less democracy. But in 2009, Thiel despaired of achieving this goal within the realm of politics. How could you possibly build a successful political movement for less democracy?
>
> Fast forward two years, when the country was still slowly digging its way out of the financial crisis. In 2011, Thiel told George Packer that the mood of emergency made him “weirdly hopeful”. The “failure of the establishment” had become too obvious to ignore, and this created an opportunity for something radically new, “something outside the establishment”, to take root. Now, in 2016, Thiel has finally found a politician capable of seizing that opportunity: a disruptor-in-chief who will destroy a dying system and build a better one in its place. Trump isn’t just a flamethrower for torching a rotten establishment, however – he’s the fulfillment of Thiel’s desire to build a successful political movement for less democracy.
> ...
> For Thiel, a smaller, more easily manipulated mob is preferable to a bigger one. If democracy can’t be eliminated, at least it can be shrunk through authoritarianism. A strongman like Trump, by exploiting the racial hatred and economic rage of one group of Americans, would work to delegitimize and disempower other groups of Americans. He would discipline what Thiel calls “the unthinking demos”: the democratic public that constrains capitalism.
> ...
> Thiel’s preferred political future isn’t hard to picture. The government shoulders the research costs for capitalists but makes no demands and sets no conditions. An authoritarian leader uses racial anger to set one portion of the population against another, and cracks down on those he sees as alien or illegitimate. The state becomes even more responsive to the needs of capitalists and even less responsive to the needs of workers and citizens. What Thiel calls the “oxymoron” of “capitalist democracy” is resolved – by jettisoning democracy.
> ...
> A Trumpist state could do much to soothe the crisis of capitalism: it could pour public dollars into discovering the next lucrative technology for the private sector while holding the line against the redistributive clamor of a rising millennial majority. Thiel has a history of making bets that pay off big. With Trump, he may have made another.

nice article but :
a) trump do wants an us country for exclusively true usa (not fake) residents for increasing economy & work.
b) democracy is real, alive, and will be certainly stronger with trump than with hillary.
c) It is proven (since few months,years) that capitalism cannot work (marx wrote it 1 century ago yet).
d) using words_falses arguments_ which have non-sens , the article does not convince.
e) democracy & economy are 2 different sciences , nothing to compare, nothing to tie ,nothing to oppose : trump/thiel cannot be responsible of the lack of education or culture of the readers of your article.
* democracy means your power as one individual is the same as everyone (and not one vs the others) ; economy means your power as one individual is the same as the others (and not the others against one).
That you do not like someone and write it aggressively , i can understand and accept it but , have you met the persons you wrote about ?

July 22, 2016

Permalink

Actually this question has been posted many times but everyone gives the same answer which is generally WRONG.

Q: why do I get "connection is not secure" when using Onion on about 70-80% of places I go? And more importantly how do I fix it?!?!?!

My clock is right. Have checked it 3 times.
I'm using TOR v6.0.2 with TotalVPN. v2.43
Conversely Tixati shows no problems.

You want a log? Then kindly tell my how to do it.

YES THE SITES ARE UP NOT DOWN which is the answer I keep getting and one rejected by tons of users.

Help please - DNC

TotalVPN = bad rumour:reputation | see bestvpn.com for a better choice
> why do I get "connection is not secure" when using Onion on about 70-80%
* look at your settings carefully and if an address is unsafe it is not coming from tor but from the admins of these sites obviously !

> Q: why do I get "connection is not secure" when using Onion on about 70-80% of places I go?

Difficult to say, without more detail.

"Onion"? That usually would refer to using hidden services, but I assume you meant "Tor browser". If so, as I understand it, you are using Tor Browser and when you surf the web, you often see a warning that your connection is not secure.

Could this be the standard warning that the website to which you are currently connected is not using https? Depending on what kind of sites you visit, and in what part of the world, that might be common, assuming you are visiting sites with an ordinary url (i.e. not onion service sites, aka "dark web sites").

If the warnings you see refer to indications that a PKI certificate is invalid, that is more worrisome, but could still be innocuous. People often forget to renew them with their Certificate Authority, and at least one clueless government actually blew up their own PKI by blocking their own CA, so that no-one who visits government websites can verify their authenticity, and even sees warnings about possible attempted malicious redirections.

> the answer I keep getting

Where?

> DNC

Presumably not the notoriously hackable US Democratic National Committee?

To be sure, that DNC would have been wise to use Tor (properly). Same could be said of almost any political party, because politicians, current/former/prospective government officials, network engineers, corporate executives (especially health insurance, banking, education, and defense), journalists, activists, and advocacy groups have always been prime targets for cyberespionage by all advanced nations with well-funded intelligence agencies.

July 22, 2016

Permalink

Wow!

July 23, 2016

Permalink

I don't thing accessing IoT from tor would be any more safer than without using tor. They were not designed with security and privacy in mind. They might have not-yet-patched security bugs.

July 25, 2016

Permalink

I fear that IOT endpoint security is so bad that tor transport won't make a big difference. Unfortunately :-(

July 30, 2016

Permalink

Of course it WILL be more secure! All you need is SECURE onion hs address! Now you already have secure tcp PORT (one of 64k) number.
Alas government can decide to restrict your rights to connunicate secure with your home appliances.