ISACA Journal
Volume 6, 2,017 

Features 

Using Darknet Concepts for IoT Security: Tor of Things 

Mike Kuzminski, CISM, CISSP 

In today’s always-connected world, the concept of device connectivity, the Internet of Things (IoT), has already solidified. Chances are most people are probably using it somewhere in their lives whether they know it or not. A 2016 report stated that there will be 34 billion devices connected to the Internet by 2020. Of those, 24 billion will be IoT devices and the remaining 10 billion will be traditional computing devices such as smartphones, computers and tablets.1

Those who believe they own only “traditional computing devices,” not IoT devices, may need to look at their devices again. Some may remember when they thought it would be convenient and even trendy to have the refrigerator display the family calendar or have the washing machine send a notification to a phone when it is done. Does this sound familiar? How about those whose cars are equipped with OnStar telemetry and built-in car Wi-Fi? Still no? Or those with smart TVs, Amazon Alexa or any DVD player purchased recently? For anyone who owns any of these items equipped with these technologies, paraphrasing is not necessary: “All your base are belong to us!”2 Translation: One might not be as secure as one might think.

Most device owners are now part of the growing online community of people and devices connected to the Internet. Those who are not soon will be, whether they know it or not. People and their devices are connected. People can control what they do for the most part, but what about their devices? The vast majority of people have no understanding of security other than to not share their password. They understand security as a password and probably a physical badge they swipe to get into their office or parking lot. Most people have no idea how to manage or maintain those equivalent security mechanisms for their smart devices. They are, generally, at the mercy of the manufacturer of their devices to enforce security and protect them.

So, security for the devices is the responsibility of device manufacturers, correct? And if a device gets compromised, the owner can take action (legal or otherwise) to get their identity and data back off the Internet, correct?

It is not that simple. Even if device owners attempted that route, it would take significant time, money and resources to get their digital self back to normal. Also, good luck ever removing personal information once it is on the Internet or darknet. This is why companies such as LifeLock started appearing—to help provide insurance and some type of monitoring and assistance to protect digital identities.

What about those who do not think their devices will be compromised? Perhaps it is not the device per se, but the infrastructure the device links to that will be breached. Recently, there was a global cyberattack that spread across more than 74 countries and crippled some hospitals in the United Kingdom, forcing those hospitals to turn away patients.3 And even more recently, Equifax experienced a data breach affecting 143 million people in the United States.4

Right about now things are probably looking pretty bleak. Most device owners assume that their devices are protected and safeguarded, but, through a series of devices and networks, they are more exposed than ever before. The ability to make life easier and faster has outpaced the actual concern for the personal security of users and all the grief that comes with trying to untangle the web of losing their digital self. People assume they are protected, but that assumption comes at what cost? Some who have had their Social Security numbers compromised may think “So what?” Would they feel that same way if their home devices were hacked and the hackers used their geolocating and motion-sensing capabilities to determine whether they were at home or away? What about someone taking over their digital identity not only for financial fraud, but also for terrorism or any other crime? It is definitely possible and it seems more and more likely with every passing day.

If all of this were not bad enough, there are additional layers of the Internet called the darknet, dark web and deep web. In 2001, it was estimated that these layers are 400 to 500 times larger than the surface web.5 With the massive growth of the Internet since then, that number has only increased. That means the old joke “I have reached the end of the Internet” was only for the fraction that was accessible.

The darknet layer requires special tools and software to navigate. It is not accessible without them. However, the darknet is where people will most likely find their stolen and compromised data available for sale, along with every other illegal item for sale from drugs to medical records to guns and people. This layer is built upon peer-to-peer networking of computers and routing that traffic through so much ambiguity that it is nearly impossible to track. That is why so much illegal activity takes place in it. One of the configurations on which the darknet is built is what is known as a Tor network,6 which implements an onion routing protocol. Simply put, Tor software allows a user to connect to the darknet and communicate/browse this Tor layer though vast peer-to-peer connections. Security is achieved through vast obscurity and constantly changing paths, circuits and connections.

All hope seems lost.

As it turns out, the darknet may actually provide the key to a more secure IoT strategy. As part of a security experiment, the Guardian Project showed how Home Assistant (an open source home automation project),7 can be installed on a Raspberry Pi3 (a very low-cost IoT processor kit; less than US $50) and secured by applying the same concepts of security that are used in the Tor network by running it as a hidden onion service.8 In simple terms, the user is publishing a service that is hidden from other nodes on the Tor network, and only devices with the right authentication cookie are able to actually route and communicate with each other.

Traditionally, when IoT devices are used, they fall into one of two categories. In the first category, the device communicates to the manufacturer and uses its most cost-efficient infrastructure. (Security is not necessarily the number-one priority when a company is releasing an IoT device.) Additionally, in this category, the manufacturer will most likely record all data interactions, usage and private details for its own use. In the second category, the device might require users to create a firewall rule on their home router to open outside communication. Both approaches increase users’ risk and exposure.

What makes the solution of interfacing with the Tor network (e.g., the Guardian) novel and unique is that the user and that device do not directly connect to a centralized manufacturer’s server to communicate or open rules on a home router to accept direct communication. Therefore, the manufacturer cannot track a person’s usage or data. This also addresses the issue of depending on the manufacturer’s security compliance and any security vulnerabilities it may have in terms of where users’ data are stored. Also, users are not opening holes/ports on their local firewall and allowing people to attempt to port scan their home infrastructure and compromise their secured environment.

How does this work? The concept is based upon the Tor peer-to-peer networking circuits and hidden services. To help visualize this communication concept, imagine the Newton’s cradle, also known as Newton’s balls or the executive ball clicker. For those unfamiliar with it, Newton’s cradle is a desktop toy, essentially, where a metal ball swings on one side and hits a row of stationary balls. The force moves through the balls then swings the last ball on the other side out and back in, to repeat the pattern in the reverse direction.

If the left side of a Newton’s cradle is a user’s own mobile device, and the right side is an IoT device, the communication starts by initially swinging the ball on the left and then releasing it. When the ball swings back, it hits the ball next to it. That ball then directs the force to the next, and so on. Each ball can be thought of as a peer in the network, and the force is the communication the user wishes to be private. The communication/force moves from one ball to the next and on through, until it finally moves its way to the last ball—the IoT device. Conversely, the IoT device/ball swings out and returns to hit the ball it was previously sitting next to, and communication flows back to the originator. None of the balls in the device know the final end point or the originator of the communication. They just send the data to the next one in line.

Now think of these balls in terms of an entire population of available balls, and the path (Tor calls it “circuits”) is nonlinear and being created/torn down dynamically. This example shows a partial glimpse of the vast peer-to-peer communication capabilities that exist when using Tor along with the hidden services.

While there are drawbacks to this solution, namely speed and dependency on each peer node to relay information, the concept here is to visualize how a new possible approach to security could be architected for IoT devices. While security evolution may not go down this exact path, it does provide an interesting new approach that may foster new ideas and innovation around the next generation of secure communication and privacy. A city or building could potentially use this Tor concept to shield the underlying devices in it. The city or building would be using the Tor concept as the current darknet uses it—but for good instead of criminal purposes.

Alternatively, residential consumers could purchase an IoT device, such as a motion sensor/alarm system, and have it send push notifications securely to end points such as a phone, without hitting the manufacturer’s infrastructure (or their own for that matter). Ideally, upon purchasing a Tor IoT device, part of installing it on a home network would be to have it set up a hidden service on a new type of residential Tor home router for consumers, which would abstract all the Tor nuances and configuration. The Tor IoT device would then be able to secure the communications through the hidden services with the Tor home router and communicate via the Tor network to limit anyone else from intercepting those notifications or sensitive data about the owner. Users may not be too concerned about notification getting out if they are home or not, but what about videos of themselves and their family if they have home security cameras or an Amazon Echo Show (Amazon Echo/Alexa with video capabilities)?

Providing an additional level of security through Tor hidden services seems to be a potential change of approach by adding more security to IoT devices. It could take a feature that is a critical part of the anonymous darknet and apply it to help evolve present-day security to limit cyberattacks and IoT vulnerabilities.

Security experts are now trying to change the discussion from it being not a matter of if one will be hacked, but when. Many users do not have the time or education to provide defense through in-depth security around all aspects of their lives and devices. Users are counting on device manufacturers to help protect them. The US government has also taken note, and the US Senate Commerce Committee recently approved the Developing Innovation and Growing the Internet of Things (DIGIT) Act, which has a goal of creating a working group to focus on security, privacy and other IoT issues.9 Additionally, Japan’s Internal Affairs and Communications Ministry plans to create a security certification mark for IoT devices and will be introducing it in 2018.10

As consumers of these IoT devices, it’s also up to users to help drive security forward. They need to be situationally aware of the devices they are using and keep pressing the industry forward by demanding higher security offerings and actually endorsing and purchasing those products over less secure alternatives.

Author’s Note

The research and recommendations provided herein represent my personal opinions based upon experience and subject matter expertise and are not representative of current or past employers.

Endnotes

1 BI Intelligence, “Here’s How the Internet of Things Will Explode by 2020,” Business Insider, 31 August 2016, www.businessinsider.com/iot-ecosystem-internet-of-things-forecasts-and-business-opportunities-2016-2
2 Internet meme; http://knowyourmeme.com/memes/all-your-base-are-belong-to-us
3 Fox News, “Cyber Attack Spreads Across 74 Countries; Some UK Hospitals Crippled,” Fox News Tech, 12 May 2017, www.foxnews.com/tech/2017/05/12/cyber-attack-spreads-across-74-countries-some-uk-hospitals-crippled.html
4 Goodin, D.; “Equifax Website Hack Exposes Data for ~143 Million US Consumers,” Ars Technica, 7 September 2017, https://arstechnica.com/information-technology/2017/09/equifax-website-hack-exposes-data-for-143-million-us-consumers/
5 Bergman, M.; “The Deep Web: Surfacing Hidden Value,” Taking License, vol. 7, iss. 1, August 2001, https://quod.lib.umich.edu/j/jep/3336451.0007.104?view=text;rgn=main
6 Tor Project, www.torproject.org
7 Home Assistant, “Tor Onion Service Configuration,” https://home-assistant.io/docs/ecosystem/tor/
8 Freitas, N.; Using Tor to Securely Access To Your Home Network of “Things,” 20 July 2016, https://www.youtube.com/watch?v=j2yT-0rmgDA
9 Zurier, S.; “No Clear Policy,” SC Magazine, March 2017, https://media.scmagazine.com/documents/287/0317_digital_edition_71636.pdf
10 The Japan News/Yomiuri, “Japan to Rate Home Devices on Cyber-Attack Vulnerabilities,” Standard-Examiner, 8 May 2017, www.standard.net/World/2017/05/08/Japan-to-rate-home-devices-on-cyber-attack-vulnerabilities

Mike Kuzminski, CISM, CISSP
Has a background in software development and information technology infrastructure and an avid interest in security. Currently he works for Johnson Controls International PLC as an engineering manager and leads the professional services group.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.