There’s a growing fear that the exploding internet of things — from baby cams to pacemakers — could be a goldmine for spies and criminal hackers, allowing them access to all kinds of personal photos, videos, audio recordings, and other data. It’s a concern bolstered by remarks from top national security officials.
But protecting homes from digital invaders doesn’t have to be difficult, argues Nathan Freitas, director of The Guardian Project, which brings together software developers and activists.
He teamed up with the developers of a simple open source platform that can track and control internet-connected devices throughout the home. Called Home Assistant, the software can be configured to incorporate strong security that already exists: the Tor Project’s anonymous browsing services.
Here’s how it works: You log in to your computer or phone through a Tor browser — basically an anonymized version of the internet you normally use. Tor will bounce the signal across the world, making it impossible to know from where exactly you’re connecting. Then, you connect to your device at home through Tor’s hidden onion service. “Nobody knows who you are connecting to or what you are seeing except you,” reads a slideshow explaining the concept on GitHub, an open software development hosting service.
Tor is preferable, the presentation suggests, to connecting through the open internet, which often doesn’t have encryption or other protections and is easily hackable. It’s also better than connecting to a cloud service, which can store and sometimes share or monetize the information you share (though some cloud services are more private than others and can include strong encryption so the hosting company can’t access the content stored there).
“We’ve seen time and time again, from all of the early devices out there, be it cars, cameras, or fridges … they’re making the same mistakes with security that apps have done, that web browsers have done,” Freitas said in an interview with The Intercept. “There’s no transport security” beyond “setting a password.”
Freitas said he realized that Tor’s features, which are often used for SecureDrop or other whistleblowing applications, could be used by anyone. “What if everyone had it in their homes and that only they could connect to it,” he said.
He compared the incorporation of Tor — free, secure, and partially funded by the U.S. government — to WhatsApp and other apps that integrate Open Whisper Systems’ end-to-end encryption into their code, protecting mobile phone users and their conversations from hackers and surveillance. “With the internet of things, it’s the same thing,” he said. “You want to be able to connect. You shouldn’t have to trade off that desire with the idea that someone will be monitoring you.”
However, the test was limited to the partnership with Home Assistant, which controls in-home devices, and doesn’t demonstrate exactly how the same system will be applied to more complex internet-connected devices like cars.
Tor has bandwidth restrictions because it relies on other computers to “donate” bandwidth to bounce signals around the world, so home devices might run more slowly, depending on the service. A baby camera needs a lot of bandwidth, so connecting through Tor might make it challenging for in-home systems to do anything beyond streaming choppy video, such as sending notifications when movement is detected, a popular feature in some home-surveillance systems. For things like adjusting a home thermostat, the lag would probably be less. And the trade-off of having a more secure baby monitor might be preferable, even if the connection is slow.
If vendors consider incorporating Tor into their products, they’ll also have to consider how the software might be updated when the Tor Project pushes security patches, or else it will remain vulnerable when bugs are discovered.
The proof-of-concept project isn’t in the product phase, says Freitas, but maybe someday it can be installed in home systems. “Our goal is to show this can work and hopefully advocate towards commercial product vendors,” he said.