The dark web can solve all our Internet of Things security issues

August 10, 2016


Tor has everything we need to make IoT more secure, Nathan Freitas tells Jeremy Coward. But the dark web has a massive public perception issue that must be dealt with first.

The first thing you should know about Guardian Project founder Nathan Freitas is that he was, and in many ways still is, extremely sceptical about the future of the internet of things.

For one thing, he finds the idea of spending his life at home surrounded by connected technologies repellent, despite working with technology on a day-to-day basis – or rather, because he works with technology on a day-to-day basis.

“I had very little interest in the internet of things until quite recently,” he tells me, “when the work of Professor Susan Crawford, at the Berkman Klein Center where I’m a fellow, made me rethink things.”

One step away from Lord of the Flies

“One of the things she focuses on is the development of smart cities,” he continues. “Cities building technology and sensors into their infrastructure, into the fabric of their world, to better improve the lives of their citizens. I really believe in this idea; I recognise the potential benefits, but at the same time it makes me incredibly nervous.

“I lived in New York through 9/11, and the major blackout in 2003 that knocked out power for almost two days. I’ve had a glimpse of what a cyberattack that takes out the infrastructure of an entire city might look like. It’s deeply disturbing – we’re one step from Lord of the Flies.”

Nathan Freitas has a rich history in developing technological solutions to counter security issues. A keen participant in the ‘Free Tibet’ movement, he’s spent a lot of time helping activists in their struggles against Chinese hackers who’ve hindered the progress of the movement through monitoring communications and stealing their data.

He founded Guardian Project in 2009 to further investigate how security can be improved on Android and mobile phones. With this newfound interest in IoT, he quickly recognised how the solutions he and his team had been working on could be applied to our connected homes and cities of the future.

Before long, he’d come across what he sees as a quick, cheap and viable security solution to put our IoT security concerns to rest – one that’s painfully obvious, given the amount of distress these issues have caused the worldwide IoT community over the past few years.

Long live Tor, long live the dark web

Currently connected products being manufactured for the smart home are very rarely, if ever, secure. They favour public IP addresses and forge connections without any robust encryption in place.

Freitas lambasts these products for using proprietary security solutions that are slow and difficult to update, connecting to their own cloud servers which he says are often hosted in China. Meanwhile, Tor is open-source, with the people behind the software reacting to hacks and rolling out updates frequently and at a rapid pace.

This is a key infrastructure for the internet and must be seen as such, not just an abhorrent thing used by miscreants.
– Nathan Freitas, Founder, Guardian Project

“By way of a solution, I was looking for something that was simple to put together,” he begins, “something approachable. So Casey [his summer intern] and I bought a Raspberry Pi kit from a local electronics store, Home Assistant [an open-source home automation platform] and a camera.”

As Nathan says in his video demonstration (see below), the camera needs to be accessible remotely. The device’s instructions suggest making a hole in your firewall in order to do this – generally not a great idea.

“So we installed Tor,” he tells me, “and configured the hidden services Tor provides. Through one easy modification to the configuration, we were able to run the connection from the camera to external devices through the dark web via Tor. This means not only is the traffic protected, hiding the origin and exit points, but it also authenticates every single client that uses the connection.”

The same can be done with every conceivable smart home device, from your baby monitor to your garage door. This methodology could also theoretically be applied to every connection used when operating a smart city.

I asked Nathan if this security solution stood any chance of being rolled out on a mass, commercial level.

“It’s not a turnkey, out-of-the-box solution,” he responds, “but we’ve demonstrated how easy it is to integrate with smart devices. There’s no reason it couldn’t be invisibly added to a smart home product without the end-user having to do anything. Tor is completely freely licensed and open-source, so cost isn’t even an issue.

“Now we’re asking: can we automate this, and how well will it work with other open-source technologies?

“Ideally we need a much larger organisation or manufacturer in IoT to consider embedding Tor into their products. Facebook has become the first major social media network to embrace Tor and onion routing – maybe the Intels and CoreComms of this world will do the same. And if an emerging IoT hub such as Apple does so, all the better.”

Four steps to make your smart devices secure (it’s that easy!)

  1. Buy your smart device and home automation platform
  2. Buy a Raspberry Pi
  3. Install Tor (it’s free)
  4. Run your smart device’s connection through Tor’s hidden services
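Step 4 comes down to a few lines in Tor's configuration file (torrc). As an added illustration, not code from Guardian Project or the original article, the sketch below audits a torrc for the two properties the setup relies on: each onion service forwards to a loopback address, and client authorization is switched on. The sample torrc, its paths and the client name are constructed; `HiddenServiceAuthorizeClient` is the option used by the version 2 onion services of the time, whereas current version 3 services keep client keys in an `authorized_clients/` directory that this text-only check does not inspect.

```python
import ipaddress

# Constructed sample torrc: paths, ports and the client name are illustrative.
SAMPLE_TORRC = """\
# Home Assistant UI: loopback target, client authorization enabled
HiddenServiceDir /var/lib/tor/homeassistant/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth phone
# Camera stream: LAN target, no client authorization
HiddenServiceDir /var/lib/tor/camera/
HiddenServicePort 8080 192.168.1.50:8080
"""

def parse_onion_services(torrc_text):
    """Group HiddenService* options under the HiddenServiceDir they follow."""
    services = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()  # torrc option names are case-insensitive
        if key == "hiddenservicedir":
            services.append({"dir": value.strip(), "ports": [], "auth": False})
        elif services and key == "hiddenserviceport":
            services[-1]["ports"].append(value.split())
        elif services and key == "hiddenserviceauthorizeclient":  # v2-era option
            services[-1]["auth"] = True
    return services

def target_is_local(fields):
    """HiddenServicePort VIRTPORT [TARGET]; no target or a bare port means 127.0.0.1."""
    if len(fields) < 2 or fields[1].isdigit() or fields[1].startswith("unix:"):
        return True
    host = fields[1].rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit(torrc_text):
    """Return (service dir, finding) pairs to review before deployment."""
    findings = []
    for svc in parse_onion_services(torrc_text):
        for fields in svc["ports"]:
            if not target_is_local(fields):
                findings.append((svc["dir"], "non-loopback target " + fields[1]))
        if not svc["auth"]:
            findings.append((svc["dir"], "no HiddenServiceAuthorizeClient"))
    return findings
```

Calling `audit(SAMPLE_TORRC)` returns two findings, both for the camera service: traffic between Tor and a LAN target crosses the local network outside the onion circuit, and a service without client authorization is reachable by anyone who learns its onion address.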

It’s not just about buying drugs and hiring assassins

Nathan Freitas has long been involved with attempts to broaden the relevance of Tor and drive awareness beyond the current community that uses it. And that’s proper awareness, not just media scaremongering about dealing drugs and acquiring contract killers on Silk Road.

As he puts it, “it’s clearly not just for people engaged in illicit activities. This is a key infrastructure for the internet and must be seen as such, not just an abhorrent thing used by miscreants.”

The Guardian Project team consists of between 10 and 25 people depending on the time of year and projects being worked on. It’s largely funded through grants and donations from a range of private and public benefactors, including Google.

10 million individuals use Guardian Project’s own apps; through tech adopted by the likes of Facebook and WeChat, Nathan says their work now reaches hundreds of millions of users. Guardian Project works closely with Tor Project, with Tor often distributing Guardian apps as Tor apps.

Like it or not, the majority of organisations and media outlets do not like the dark web – it’s hard to think of a network or community that’s less trusted globally. But when asked if there are any ethical quandaries to using Tor and the dark web for projects like these, Nathan says none whatsoever.

“Tor has already done great stuff across communities worldwide, from human rights activists to librarians,” he laughs. “Tor’s not that different from the usual internet – some use it solely for crime, others are fundamentally good people committing the occasional crime. Our job is partly to ensure the wealth of positive uses for Tor are continuously promoted.”

So does using the dark web to connect IoT devices pose its own security issues, given it’s seen as a lawless, ‘Wild West’ kind of environment?

“The internet itself is already highly lawless. Use the general internet, and you’ll see your traffic pass through 25 to 30 other computers all of which could log it, redirect it or return false data. Most people just cross their fingers and hope that nothing goes wrong.

“When using Tor, you trust the mathematics behind it – the code is the law. It provides secure routing and authentication that can’t be manipulated. Tor shouldn’t be trusted because it’s perfect, but because it’s already demonstrated its ability to respond very quickly to hacks and issues.”

So why has the US Supreme Court recently approved a rule change meaning that simply using Tor will be grounds for a warrant, with hints online that the public use of Tor may be made illegal altogether?

Nathan is quick to jump on the hypocrisy of this. The US government and navy still invest heavily in Tor, funding projects and keeping a keen eye on its potential applications. Even the US government isn’t blind to the benefits of the dark web.

“There’s a deep misconception that use of Tor is an instant flag for criminal activity,” he concludes, “which is terrible for its progress and uptake. The matter might just come down to big companies, like Facebook, paving the way for Tor, and improving its reputation among the public by proving its benefits and integrating it with their services.”

As far as Nathan Freitas is concerned, Tor is the best potential solution proposed so far that might prevent the inevitable IoT security crisis that’s been widely forecasted. And I must say, his argument is pretty damn convincing.

Let us know what you think. Could Tor and the dark web provide the ultimate solution to our IoT security concerns? Is the use of this solution en masse feasible, or is there a better alternative out there?

[Image: Flickr – Surian Soosay]