Internet of 'Hidden' Things: How to Build a Confidential IOT Network using TOR & Docker Containers

Recently, I conducted a Workshop at the India Electronics Week - EFYCON 2018 held at KTPO, Bangalore. This session was focussed on sensitising the audience about how we can leverage the anonymity & containerisation benefits of TOR & Docker technologies respectively to address the security & privacy challenges in IOT Businesses and stop Surveillance Capitalism.

There were several Live Demos on how to build an Internet of 'Hidden' Things by creating confidential, authenticated and anonymous IOT Applications using TOR Hidden Services amalgamated with Docker Containers. The demos showed that these 'Hidden' Things/Devices can even hide the fact they exist at all, if you don’t know the necessary cookie. One can neither crawl nor probe your IOT device through the Internet while your device uses the Onion Authentication feature of TOR Hidden Services. The workshop also covered the dark-side of using Internet of Hidden Things in future.

Here's the digest of the presentation.

1. Introduction to TOR Hidden Services (HS)
 - HS Rendezvous Protocol
 - Analysis of hiddenness of HSs

2. Introduction to Docker Containers
 - Virtualization vs Containerization
 - Security Advantages of using Docker Containers

3. Dark-Side of Internet of Things
 - Smart Devices: bridging the gap between Digital threats & Physical threats
 - Recent Hacks: Jeep Cherokee, Mattel's Wi-fi Hello Barbie, Mirai DDoS Botnet
 - Era of Ubiquitous Surveillance: Data being the new Oil of 21st century
 - Security vs Privacy vs Anonymity: Importance of Trust in IOT Privacy

4. Need for Internet of 'Hidden' Things
 - Security by Obscurity vs Security by Design
 - Achieving Privacy with Hidden IOT Devices
 - Leveraging the anonymity & containerisation benefits of TOR & Docker in IOT
 - How hidden & anonymous IOT Devices can stop Surveillance Capitalism

5. Live Demos:- Hosting Tor Hidden Service in seconds with Docker Containers
 - Pushing hidden containers to Linux-based IOT devices for hiding them
 - Connecting anonymously to hidden IOT devices with proper authentication

6. Dark-Side of Internet of Hidden Things
 - How hidden IOT devices can be exploited for malicious purposes

7. Discussion & Takeaways
 - Conclusion & Futuristic Thoughts.


Below is the presentation material for the delivered session.

Demystifying the Dark-Side of Internet of Things (IOT): A Journey through Security & Privacy Challenges

Recently, I spoke at the India Electronics Week - EFYCON 2018 held at KTPO, Bangalore. The talk focussed on sensitising the audience about the paradigm shift that is required for securing IOT Businesses where Proprietary protocols, indigenous hardware & air-gapped networks are not just enough in the era of Industry 4.0. The talk also presented a view on 'What are we currently doing to protect ourselves' and 'What we need to do'. What are the new security challenges that are coming up and how privacy & anonymity is taking the lead over security with respect to IOT.

Here’s the digest of the presentation.

Why is everything getting Smart with the advent of IOT? 
 Sensors or Cloud or M2M.
 How is IOT bridging the gap between Digital threats and Physical threats?

Top recent IOT Hacks: 
 Chrysler's Jeep Cherokee,
 Mattel's Wi-fi Hello Barbie.

Eavesdropping through microphones of Smart Dolls, Smart Teddy Bears & Smart TVs.
 What if the smart doll teaches offensive things to your kid.

Exploitable Smart Refrigerators, Smart Thermostats, Smart Insulin Pumps. 
 How Smart TVs have been hacked & infected by malware
 for automated Ad Clicks and Cryptocurrency mining.

IOT Ransomeware is now reality. 
 How much someone would be willing to pay to remove ransomware from a Smart Pacemaker?

Denial of Service (DOS) attacks on & through IOT devices. 
 How hackers can turn a Smart Fridge into a spam-bot?

Why can't we make smart devices smart enough to be secure? 
 The IOT Security Challenges:
 Resource Constraints, STRIDE Threat vectors.

Security vs Privacy vs Anonymity. 
 Importance of Trust in IOT Privacy.
 Security by Obscurity vs Security by Design:
 Proprietary protocols, indigenous hardware & air-gapped networks.

Security can not be an afterthought. 
 It has to considered & implemented in all of stages of IOT Business:
 Planning, Design, Implementation, Verification, Validation, Deployment & Operations.

IOT Business Model needs to change.
 Earlier we used to Build product, Ship them &
 forget about them until we had to Service them,
 but now we have to Ship & Remember.


Below is the presentation material of the delivered talk.

Are TOR Hidden Services really hidden? Demystifying HS Directory surveillance by injecting Decoys inside TOR!

Recently, I spoke at the C0C0N X Security & Hacking Conference 2017 held at Le Meridien, Kochi. The talk focussed on the 'Hiddenness' of TOR Hidden Services specific to the detection of HS Directory Surveillance by injecting Decoys or Honeypots inside the TOR network. Here’s the digest of the presentation.

What is TOR?
The Onion Router – Gateway to Anonymity
How TOR works?
Establishing the Circuit
Directory Authorities - The Gatekeepers of TOR

Introduction to TOR Hidden Services (HS)
Why run a TOR HS? - Sneak peek into HS features
How TOR HS works? - HS Rendezvous Protocol

Analysis of hiddenness of TOR HSs 
Research Hypothesis - Are TOR HS really Hidden?
The HS Honeypot Approach
Setting up the Onion Decoy Project

Live Demo
Hosting Tor Hidden Service in seconds with Docker Containers
How to setup Honeypots (aka Onion Decoys) inside TOR Network
Live probing of Onion Decoys to detect intrusions by attackers

Results of the Onion Decoy Experiment 
Private Hidden Services are not really hidden

Conclusion & Takeaways
Everything can be a Honeypot, if you don’t know it fully
The more you hide, The more somebody wants to know why


The Source Code of the Onion Decoy Project is available at https://github.com/OnionDecoy


Below is the presentation for the delivered talk.

How the next Edward Snowden should access Internet for maintaining privacy? - Rethink VPN & TOR

In the present era of Mass Surveillance by intelligence agencies like NSA, GCHQ & RAW, you should know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route is in the hands of some electronic system whose reach is unlimited, but whose safeguards are questionable. This amount of metadata collected about you is more than enough to create simulations of you and predict your behaviour in any given circumstance. It involves a systematic interference with individual’s right to privacy in terms of subjection to significant indiscrimination, monitoring and censorship. Hence, Privacy & Anonymity are rising concerns among informed citizens, journalists, whistleblowers and Edward Snowdens of the world. 

When it comes to technology, privacy and anonymity enthusiasts extensively use encrypted proxy services like VPN & TOR Anonymity network to hide their identities & activities online. But let’s understand how useful & worthy they are, what are the differences and how can we leverage the potential of both.

VPN is faster than TOR, and is suitable for P2P downloading. The major downside however (and reason VPN is said to provide privacy rather than anonymity) is that it requires your trust the VPN provider. This is because, should it wish to (or is compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.

On the contrary, TOR is much slower because of the built-in Onion Routing, is often blocked by websites, and is unsuitable for P2P, but it does not require your truston anybody, and is therefore much more secure & truly anonymous.

Interestingly, VPN & TOR can be clubbed and used together in order to provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside, however, of doing so combines the speed hit of both technologies, making connections more secure but slow. It is also important to understand the difference between connecting VPN to TOR and connecting TOR to VPN for accessing the Internet. Order Matters!

Dark-Side of Internet of Things (IOT): Security & Privacy Challenges

Recently, I was invited to deliver a talk at the Global IOT Conclave held at The Chancery Pavilion, Bangalore. The talk focussed on the Dark-Side of Internet of Things specific to Security & Privacy Challenges in IOT. Here’s the digest of the presentation.

• Why is everything getting Smart with the advent of IOT?  Sensors or Cloud or M2M.
• IOT is bridging the gap between the Physical world & the Digital world and how Digital threats are becoming Physical threats?
• Top IOT Hacks: Chrysler's Jeep Cherokee, Mattel's Wi-fi Hello Barbie.
• Eavesdropping through microphones of Smart Dolls, Smart Teddy Bears & Smart TVs. What if the smart doll teaches offensive things to your kid.
• Exploitable Smart Refrigerators, Smart Thermostats, Smart Insulin Pumps. How Smart TVs have been hacked & infected by malware for automated Ad Clicks and Cryptocurrency mining.
• IOT Ransomeware is now reality. How much someone would be willing to pay to remove ransomware from a Smart Pacemaker?
• Denial of Service (DOS) attacks on & through IOT devices. How hackers can turn a Smart Fridge into a spam-bot?
• Why can't we make smart devices smart enough to be secure? The IOT Security Challenges: Resource Constraints, STRIDE Threat vectors.
• Security vs Privacy vs Anonymity. Importance of Trust in IOT Privacy.
• Security by Obscurity vs Security by Design: Proprietary protocols, indigenous hardware & air-gapped networks.
• Security can not be an afterthought. It has to considered & implemented in all of stages of IOT Business: Planning, Design, Implementation, Verification, Validation, Deployment & Operations.
• IOT Business Model needs to change. Earlier we used to Build product, Ship them & forget about them until we had to Service them, but now we have to Ship & Remember.

Below is the presentation for the delivered talk.