I've been working on some ideas about using Tor to secure "internet of things", smart devices other than phones, and other home / industrial automation infrastructure. Specifically, I think this could be a huge application for Tor Hidden Services and Onion sites configured with Hidden Service Authentication and "stealth" mode.
Earlier this year, I published some ideas on the subject here https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onio... showing how you could use Orbot and IP Camera apps to build a cloud-free Tor-secured "Dropcam" style setup.
Now, I've taken the first step to setup my own instance of Home Assistant "an open-source home automation platform running on Python 3. Track and control all devices at home and automate control. Installation in less than a minute."
Instructions on this are below. It all seems to be working well, but I would love any feedback, comments, thoughts that you might have. I would also like to ensure that any work on next-gen HS designs includes these kinds of use-cases.
*** Pull request for the new "Tor cookbook" example for Home Assistant: https://github.com/home-assistant/home-assistant.io/pull/627
***
Tor Onion Service Configuration
This is an example about how you can configure Tor to provide secure remote access to your home assitance instance as an Onion site, through Tor’s Hidden Service feature. With this enabled, you do not need to open your firewall ports or setup HTTPS to enable secure remote access.
This is useful if you want to have:
Access your HA instance remotely without opening a firewall port or setting up a VPN Don’t want to or know how to get an SSL/TLS certificate and HTTPS configuration setup Want to block attackers from even being able to access/scan your port and server at all Want to block anyone from knowing your home IP address and seeing your traffic to your HA Background and Contact
This configuration is part of an effort to apply strong cryptography technologies (like Onion Routing and End-to-End Encryption) to technology we increasingly depend on in our day to day lives. Just like when WhatsApp enabled end-to-end encryption messaging for everyone, every home automation and IoT platform should do the same, because A) the technology is all there, freely licensed and open-source and B) up to this point, all the commercial manufacturers have been doing a horrific job with security.
You can learn more about how Tor can be used to secure home automation and IoT platforms through this short set of slides on the Internet of Onion Things
This configuration was provided by @n8fr8 (github, twitter) of Guardian Project and Tor Project. You can send questions, feedback and ideas to support@guardianproject.info.
Hidden Services and Onion Sites
Tor allows clients and relays to offer hidden services. That is, you can offer a web server, SSH server, etc., without revealing your IP address to its users. In fact, because you don’t use any public address, you can run a hidden service from behind your firewall. Learn more about Hidden Services on the Tor Project website.
Onion sites are websites that run on a Tor Hidden Service node. “dot onion” sites are an IETF recognized special use domain name.
Setting up Tor on your Home Assistant
First, install Tor. On a Debain-based system, you can install the package easily:
sudo apt-get install tor
You can find more instructions for downloading and installing Tor on other platforms on the Tor Project Download Page.
Next, modify Tor’s main configuration file /etc/tor/torrc to include the following lines:
... HiddenServiceDir /var/lib/tor/homeassistant/ HiddenServicePort 80 127.0.0.1:8123 HiddenServiceAuthorizeClient stealth haremote1 ... The “sleath” entry above ensures traffic to and from your HA instance over Tor, is hidden even from other nodes on the Tor network. The “haremote1” value is a generic client name entry that you can modify as you please.
Then, restart Tor: >/etc/init.d/tor restart
Then read the new generated authentication cookie from the Tor-generated hostname file:
sudo more /var/lib/tor/homeassistant/hostname
The output of that command should look something like this, but with your own unique “dot onion” domain and authentication cookie: abcdef1234567890.onion ABCDEF1122334455667789 # client: haremote1
You are now done with the HA Tor server configuration. Make sure your HA instance is running, and now you can move to client configuration.
Tor Client Access Setup
Using this setup, you can access your HA instance over Tor from your laptop or mobile device, using Tor Browser and other software.
Add the authentication cookie to your torrc client configuration on your laptop or mobile device. Using the sample values from above, it would look like this: HidServAuth abcdef1234567890.onion ABCDEF1122334455667789
For Tor Browser on Windows, Mac or Linux, you can find the torrc file here: <tor browser install directory>/Browser/TorBrowser/Data/Tor/torrc-defaults Once you have added the entry, restart the browser, and then browse to the “dot onion” site address to connect to your HA instance.
For Orbot: Tor on Android, add it in Orbot->Menu->Settings to the “Torrc Custom Config” entry. Restart Orbot, and then use the Orfox browser app, and browse to the “dot onion” site name to access your HA instance. You can also use Orbot’s VPN mode, to enable Tor access from any application on your device, such as Tasker or Owntracks.
On iOS, we have not fully tested this yet, but you should be able to add custom torrc entries on Onion Browser, Red Onion or TOBY browsers, all available in the iTunes App Store.
Some More Advanced Ideas
With this configuration, only you can access your HA instance Onion site through Tor, and no one else. You can share the authentication cookie with multiple devices and users, or you can generate a unique one for each - up to you! If you have multiple, say for an industrial, business or corporate configuration, this would provide an easy way to revoke access to a specific user or device.
If you always access your HA instance via Tor, you can easily run this on an isolated “IoT” network segment at your install site, keeping your internal home network traffic seperate from any potentially compromised devices (like cheap “smart” lightbulbs with backdoors!).
You could also use Tor as a means to connect your HA instance to a remote device, sensor or other service that you do not want to or connect provide a direct, open IP connection to. Again, Tor provides authenticated and confidential routing (aka “privacy and encryption”) by default, without having to setup TLS/SSL or VPN. It is just important to secure IoT nodes within your network, as it is to secure remote access!
As mentioned, with Orbot on Android, you can enable a “full device” VPN mode, that allows any app you have to tunnel through Tor, even if it is not Tor or proxy aware. This means you should be able to enter your “dot onion” Onion site address into any app you want to access to your HA instance, and it should work.
On 2016-07-08 18:53, Nathan Freitas wrote:
I've been working on some ideas about using Tor to secure "internet of things", smart devices other than phones, and other home / industrial automation infrastructure. Specifically, I think this could be a huge application for Tor Hidden Services and Onion sites configured with Hidden Service Authentication and "stealth" mode.
Earlier this year, I published some ideas on the subject here https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onio... showing how you could use Orbot and IP Camera apps to build a cloud-free Tor-secured "Dropcam" style setup.
Nice! An interesting Orbot feature to have is making QR Codes of authenticated Hidden Service info so mobile devices can easily add each other to a trusted network.