[guardian-dev] Fwd: Using Tor Stealth HS with a home automation server

Fri Jul 8 12:53:22 EDT 2016

----- Original message -----
From: Nathan Freitas <nathan at freitas.net>
To: tor-dev at lists.torproject.org
Subject: Using Tor Stealth HS with a home automation server
Date: Fri, 08 Jul 2016 12:53:09 -0400

I've been working on some ideas about using Tor to secure "internet of
things", smart devices other than phones, and other home / industrial
automation infrastructure. Specifically, I think this could be a huge
application for Tor Hidden Services and Onion sites configured with
Hidden Service Authentication and "stealth" mode. 

Earlier this year, I published some ideas on the subject here
https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onion%20Things.pdf
showing how you could use Orbot and IP Camera apps to build a cloud-free
Tor-secured "Dropcam" style setup.

Now, I've taken the first step to setup my own instance of Home
Assistant "an open-source home automation platform running on Python 3.
Track and control all devices at home and automate control. Installation
in less than a minute."

Instructions on this are below. It all seems to be working well, but I
would love any feedback, comments, thoughts that you might have. I would
also like to ensure that any work on next-gen HS designs includes these
kinds of use-cases.

***
Pull request for the new "Tor cookbook" example for Home Assistant:
https://github.com/home-assistant/home-assistant.io/pull/627

***

Tor Onion Service Configuration

This is an example about how you can configure Tor to provide secure
remote access to your home assitance instance as an Onion site, through
Tor’s Hidden Service feature. With this enabled, you do not need to open
your firewall ports or setup HTTPS to enable secure remote access.

This is useful if you want to have:

Access your HA instance remotely without opening a firewall port or
setting up a VPN
Don’t want to or know how to get an SSL/TLS certificate and HTTPS
configuration setup
Want to block attackers from even being able to access/scan your port
and server at all
Want to block anyone from knowing your home IP address and seeing your
traffic to your HA
Background and Contact

This configuration is part of an effort to apply strong cryptography
technologies (like Onion Routing and End-to-End Encryption) to
technology we increasingly depend on in our day to day lives. Just like
when WhatsApp enabled end-to-end encryption messaging for everyone,
every home automation and IoT platform should do the same, because A)
the technology is all there, freely licensed and open-source and B) up
to this point, all the commercial manufacturers have been doing a
horrific job with security.

You can learn more about how Tor can be used to secure home automation
and IoT platforms through this short set of slides on the Internet of
Onion Things

This configuration was provided by @n8fr8 (github, twitter) of Guardian
Project and Tor Project. You can send questions, feedback and ideas to
support at guardianproject.info.

Hidden Services and Onion Sites

Tor allows clients and relays to offer hidden services. That is, you can
offer a web server, SSH server, etc., without revealing your IP address
to its users. In fact, because you don’t use any public address, you can
run a hidden service from behind your firewall. Learn more about Hidden
Services on the Tor Project website.

Onion sites are websites that run on a Tor Hidden Service node. “dot
onion” sites are an IETF recognized special use domain name.

Setting up Tor on your Home Assistant

First, install Tor. On a Debain-based system, you can install the
package easily:
> sudo apt-get install tor

You can find more instructions for downloading and installing Tor on
other platforms on the Tor Project Download Page.

Next, modify Tor’s main configuration file /etc/tor/torrc to include the
following lines:

...
HiddenServiceDir /var/lib/tor/homeassistant/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth haremote1
...
The “sleath” entry above ensures traffic to and from your HA instance
over Tor, is hidden even from other nodes on the Tor network. The
“haremote1” value is a generic client name entry that you can modify as
you please.

Then, restart Tor: >/etc/init.d/tor restart

Then read the new generated authentication cookie from the Tor-generated
hostname file:
> sudo more /var/lib/tor/homeassistant/hostname

The output of that command should look something like this, but with
your own unique “dot onion” domain and authentication cookie:
abcdef1234567890.onion ABCDEF1122334455667789 # client: haremote1

You are now done with the HA Tor server configuration. Make sure your HA
instance is running, and now you can move to client configuration.

Tor Client Access Setup

Using this setup, you can access your HA instance over Tor from your
laptop or mobile device, using Tor Browser and other software.

Add the authentication cookie to your torrc client configuration on your
laptop or mobile device. Using the sample values from above, it would
look like this:
HidServAuth abcdef1234567890.onion ABCDEF1122334455667789

For Tor Browser on Windows, Mac or Linux, you can find the torrc file
here:
<tor browser install
directory>/Browser/TorBrowser/Data/Tor/torrc-defaults
Once you have added the entry, restart the browser, and then browse to
the “dot onion” site address to connect to your HA instance.

For Orbot: Tor on Android, add it in Orbot->Menu->Settings to the “Torrc
Custom Config” entry. Restart Orbot, and then use the Orfox browser app,
and browse to the “dot onion” site name to access your HA instance. You
can also use Orbot’s VPN mode, to enable Tor access from any application
on your device, such as Tasker or Owntracks.

On iOS, we have not fully tested this yet, but you should be able to add
custom torrc entries on Onion Browser, Red Onion or TOBY browsers, all
available in the iTunes App Store.

Some More Advanced Ideas

With this configuration, only you can access your HA instance Onion site
through Tor, and no one else. You can share the authentication cookie
with multiple devices and users, or you can generate a unique one for
each - up to you! If you have multiple, say for an industrial, business
or corporate configuration, this would provide an easy way to revoke
access to a specific user or device.

If you always access your HA instance via Tor, you can easily run this
on an isolated “IoT” network segment at your install site, keeping your
internal home network traffic seperate from any potentially compromised
devices (like cheap “smart” lightbulbs with backdoors!).

You could also use Tor as a means to connect your HA instance to a
remote device, sensor or other service that you do not want to or
connect provide a direct, open IP connection to. Again, Tor provides
authenticated and confidential routing (aka “privacy and encryption”) by
default, without having to setup TLS/SSL or VPN. It is just important to
secure IoT nodes within your network, as it is to secure remote access!

As mentioned, with Orbot on Android, you can enable a “full device” VPN
mode, that allows any app you have to tunnel through Tor, even if it is
not Tor or proxy aware. This means you should be able to enter your “dot
onion” Onion site address into any app you want to access to your HA
instance, and it should work.

-- 
  Nathan of Guardian
  nathan at guardianproject.info