The Internet of Onions
The tension between convenience and security is age-old, but it has, perhaps, never been as acutely felt as it is in debates about the Internet of Things (IoT). Smart devices for monitoring and controlling household and industrial appliances are cheap and near-ubiquitous. But the cheapness and the near-ubiquity of the commercial IoT products on the market both come at the cost of exposing one's devices and home network to eavesdroppers and remote servers. A Tor developer recently undertook an effort to increase IoT security by routing device traffic through the Tor network. While the work is, so far, available only in a single free-software IoT platform, the developers are hoping it will spread.
Tor developer Nathan Freitas, who is also Executive Director of the Guardian Project, undertook the the development and testing of Tor-transport support for the open-source home-automation program Home Assistant. On July 20, Freitas explained the project in a blog post.
Home invasions
In brief, Home Assistant is a Python-based tool that provides a single web interface for a wide range of individual IoT devices. Freitas's contribution is a network configuration that routes Home Assistant's web interface over a Tor Hidden Service (so that it can only be accessed by a Tor-enabled browser via a special .onion domain name).
In a demonstration video [YouTube], Freitas calls attention to two separate concerns about commercial IoT devices. The first is that many expect to have direct access to the Internet, often for an HTTP connection to a remote service, and the installation instructions advise users to enable access by simply opening up ports on their firewall (if, indeed, they have one to begin with).
The risk is that attackers can easily scan for the signatures known-to-be-insecure IoT products, log them, and access the devices at will. This is rather dangerous, when one considers that IP-based video cameras, climate controls, door locks, and other sensitive devices are exposed in this manner.
The second concern is that many products enable device operation solely through a remote web server controlled by the manufacturer; the addresses of these servers may even be hard-coded into the device's software. For the curious, Matthew Garrett has recently taken to writing in-depth reviews of such products on Amazon.com, with both informative and frightening results.
Some privacy-conscious users may understandably regard the second concern as the more serious one, since pervasive data logging and user tracking could be taking place at the remote server (not to mention the fact that the device could fail to function without an Internet connection). For many others, however, the first risk is greater. Stories of webcam and baby-monitor exploits are already commonplace; as more device classes go online, one can only expect further attacks. As a result, securing access to the web interfaces of IoT devices has been the initial focus of Freitas's effort.
Hiding the route
Merely routing the web interface over Tor goes a long way to protect users from the eavesdropping concern, but if the device's front end is reachable through its .onion address, it can still be detected and scanned on the Tor network, as the 2013 paper Trawling for Tor Hidden Services [PDF] explains. The technique described in the paper involves running a large set of Tor relay nodes that secretly log the appearance of hidden service nodes. Although the distributed-consensus model Tor employs makes it difficult for any attacker to shut out the legitimate relays (another possible attack), a well-funded attacker could certainly monitor the availability of hidden services over time and hone in on their locations using traffic correlation.
The solution is to enable a little-known "stealth" authorization option in the service's configuration. Setting the HiddenServiceAuthorizeClient to stealth on the server causes Tor to generate a random authorization key pair, so that the public key can be copied to each device that should be allowed to access the service.
From that point on, the nodes in the Tor network provide additional security beyond what would be achievable with (say) a standard HTTP cookie, blocking connection requests from clients without the proper credentials by reporting that the requested server is unroutable.
This is possible because Tor hidden services announce their presence to the network by publishing a service descriptor that normally includes the address of an "introduction point" node. The service descriptors are tracked in Hidden Service Directory nodes within the Tor network. Other Tor relay nodes then know how to establish a circuit to the service by looking up the introduction point, even though those relays cannot peek beyond the introduction point to find where the service originates.
In stealth mode, however, the introduction-point portion of the service descriptor is encrypted with the private key from the authorization key pair; authorized clients will be able to decrypt the descriptor field because they possess the corresponding key, but other clients will not. Attempts by unauthorized clients to connect to the introduction-point node listed in the service descriptor will fail as being unreachable, making the result indistinguishable from a hidden server that has simply gone offline.
There is no limit to the number of authorization keys a server can use, so each client can use a unique key and the keys can be replaced as frequently as desired. Services are also allowed to publish fake service descriptors to further obfuscate connection points from eavesdroppers and trawlers.
Secure all the things
In an email, Freitas noted that there are two challenges to adding Tor support to a project like Home Assistant. The first is that the program's network layer has to be able to work using an .onion address—which, evidently, breaks many assumptions about host-name formatting and lookup.
The second is that the code dealing with the IoT devices themselves is prone to unintended connection leakage. For example, he said, "with Home Assistant there are a lot of outbound connections that it relies on for access to public data that we also want to tunnel through Tor." As is the case with HTTPS support, he added, fixing this is typically a matter of finding developers willing to make sure the Tor routing works. "If we can build a 'LetsOnion' type script to make that easier," he said, "we will."
Moving forward, Freitas said he hopes to work on adding Tor support to openHAB and similar open-source home-automation systems. In the meantime, however, he said that users can route individual apps over Tor using the Guardian Project's Orbot proxy for Android. By default, most consumer IoT devices are paired with a one-shot app (one for each brand of light bulb, one for the thermostat, one for the security cameras, etc.). Orbot can tunnel these apps to a Tor endpoint running in the user's home; the result is not as good as complete anonymity, perhaps, but it is certainly superior to trusting the Internet unconditionally. Developers, of course, can also build Tor-routing functionality into the app directly—the Guardian Project's Netcipher library is designed for that purpose.
The one remaining piece of the IoT puzzle is what to do about devices that rely on maintaining a connection to a remote web server in order to function. Some such devices can still function with only a LAN connection, which can in turn be routed over Tor. Others, however, fail to function if they cannot "phone home." At that point, the only solution may be to avoid the device in question. Freitas said he was investigating which IoT devices work in LAN-only mode and will try to ensure that they can function when routed over Tor.
But which devices go into the home will ultimately remain the user's
choice. The security-versus-convenience trade-off has attracted a
fair amount of attention from highly technical users, but it remains
to be seen whether or not the industry as a whole will ever care.
Freitas said he hopes that the Guardian Project's IoT work can
demonstrate that the steps required to secure this class of device are
small and easy to take, if one is interested in the goal.
| Index entries for this article | |
|---|---|
| Security | Embedded systems |
| Security | Internet/Tor |
Posted Aug 7, 2016 20:17 UTC (Sun)
by mhumpula (guest, #108642)
[Link] (14 responses)
Posted Aug 8, 2016 3:56 UTC (Mon)
by lakeland (guest, #1157)
[Link]
The remotes that came with the garage have to be kept charged while I'm already managing that with my phone. Also the range of the remote is perhaps 10 meters, while I can connect over the internet from anywhere.
I get a notification if I forget to close the garage.
My phone beeps when the garage is opened which means my wife is home (and visa versa for her).
Posted Aug 8, 2016 4:52 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (8 responses)
Posted Aug 8, 2016 10:24 UTC (Mon)
by mhumpula (guest, #108642)
[Link] (7 responses)
Posted Aug 8, 2016 11:22 UTC (Mon)
by pizza (subscriber, #46)
[Link]
Posted Aug 8, 2016 13:04 UTC (Mon)
by johannbg (guest, #65743)
[Link] (4 responses)
Now whether they choose to sacrifice their own privacy for perceived convenience is another story + IoT also increases the risk of obesity since it removes one exercise out of people lives which involves them having to stand up from the couch to flip the switch on the wall etc.
Posted Aug 8, 2016 13:19 UTC (Mon)
by micka (subscriber, #38720)
[Link] (1 responses)
If this exercise is not in the *noise* of physical activity, then we're all already screwed.
Posted Aug 8, 2016 13:30 UTC (Mon)
by johannbg (guest, #65743)
[Link]
Posted Aug 8, 2016 13:27 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (1 responses)
"No savings" is strongly dependent on your house and location; in my location, it takes about 2 hours of heating off before I start to save money (heating from the temperature my house cools to after 2 hours to the 20 ºC I set on the thermostat uses less energy than sustaining 20 ºC continuously, because the rate at which the house cools is partly controlled by the temperature difference to outside).
Posted Aug 8, 2016 15:15 UTC (Mon)
by johannbg (guest, #65743)
[Link]
Posted Aug 8, 2016 17:36 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Aug 8, 2016 12:35 UTC (Mon)
by tao (subscriber, #17563)
[Link] (2 responses)
One thing I'd love to have is temperature sensors in my fridges and freezer -- if the temperature starts rising in either
Posted Aug 8, 2016 14:16 UTC (Mon)
by hummassa (subscriber, #307)
[Link] (1 responses)
Well, temperature rising in the fridge would indicate (99% of the times) power failure... so, unless your home's internet has a good no-break (or your sensor is of the logging type) this is not very useful.
Anyway, in the last 20 years I had *one* instance of power failure that spoiled the food in the fridge, and the excess water on the frozen goods was a dead giveaway...
Posted Aug 8, 2016 16:58 UTC (Mon)
by johannbg (guest, #65743)
[Link]
Stupid for end users ( next time you would put trash in the can you would literally notice it was full and you would have to empty the trash can ) but apply the same idea on a larger scale it becomes very practical/profitable for corporates
Posted Aug 9, 2016 21:02 UTC (Tue)
by st (guest, #96477)
[Link]
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
The Internet of Onions
in the sauna though. That way I vegetate in front of the TV or computer until the sauna had heated.
of those there's an obvious risk for at best spoiled food, at worst food poisoning.
The Internet of Onions
The Internet of Onions
etc.
The Internet of Onions