Security conscious people want to protect their assets as best they can at a price that doesn't break the bank. Some are reluctant to add video cameras to their home because so many camera providers require a connection to "the cloud". Who would seriously want a stranger to have access to their home cameras? Some security conscious folks have opted to purchase cheaper, non-cloud dependent DVR camera systems but are reluctant to place a NAT forward on their firewall because, as we know from experience, any device placed on the open internet long enough will eventually be found, scanned and compromised. That six digit pin code on the cheap DVR camera system will be brute forced in short order. So what to do? In this post I hope to address the needs of a particular type of security conscious individual that has these requirements:
1.Ability to have a home/business Camera DVR system that does not send content to a cloud provider.
2.Ability to leverage cheaper home/business camera DVR systems.
3.Ability to view DVR cameras over an encrypted internet channel.
4.Ability to hide the location of the DVR system from prying eyes.
5.Ability to view cameras from a Windows client, Macintosh client and Android Phone. (Sorry Apple fans, Apple phones won’t currently work with my solution below because they don’t officially allow TOR proxy on their phones.)
Many folks I speak to want to access their cameras remotely, but don’t want others to pry into their privacy. A VPN on the home gateway has been one possible solution in the past, but it has its own set of drawbacks. Instructions to setup VPN gateways are easily found online for many different VPN hardware providers. My single biggest concern with VPN hardware providers, is what happens when the firmware becomes outdated and the hardware manufacturer won't update it in a timely manner or not at all. When a manufacturer will no longer update the firmware, folks are left with only one option, buy a newer device. There is also the hassle of setting up VPN credentials and having to login to a VPN just to look at your cameras, which can become tiresome over time.
A better solution is to setup your DVR as a destination point using TOR as a Hidden Services proxy with an authentication cookie. What is TOR hidden service? What is an authentication cookie? For details see https://www.torproject.org/about/overview.html.en for an explanation of how TOR works and how it is normally used. For an explanation of TOR Hidden Services see: https://www.torproject.org/docs/hidden-services.html.en . A lesser known feature of TOR hidden services allows for an extra layer of security to make hidden services inaccessible unless the client has a special piece of information. See: https://www.torproject.org/docs/tor-manual.html.en and look at HiddenServiceAuthorizeClient section.
At a high level, TOR tries to mask your physical location and make you as anonymous as possible. When someone wants to host a service privately, a TOR hidden service allows for a TCP/UDP port to be served on the TOR network. For example, a journalist may setup a file transfer service to anonymously transfer information out of an oppressive regime. With a normal TOR hidden service, TOR will not completely mask your physical location from a highly dedicated adversary, since an addressable onion site and open port can be probed and your TCP/UDP service may eventually be compromised with clues to your physical location. But a little feature in TOR hidden services allows users to make their hidden service discoverable only to clients which possess an authentication cookie. This authentication cookie is provided during the TOR hidden service address lookup request; a TOR client will not be able to rendezvous with the hidden service without the cookie. By utilizing TOR hidden services and an authentication cookie, the authorized user will be the only person who will find and access the camera on the TOR network. Here is how it works at a high level with details below.
1. A user configures their camera DVR behind their firewall as usual with an ip address, for example 192.168.0.10. The user performs the normal DVR setup and shares the DVR port on their local area network on port 8181. This camera DVR becomes accessible to computers in the home network on 192.168.0.10:8181
2. Next, a machine on the local area network is used to host a TOR proxy, let's call it TORVR. Let's use a raspberry pi in this example. A raspberry pi would have TOR installed and a TOR hidden service configuration is added that points incoming traffic requesting port 8181 to forward traffic to port 8181 on ip address 192.168.0.10.
3. The configuration on the TORVR computer would specify a secret TOR hidden address and cookie. When TOR is launched on the TOR proxy, it will automatically create the onion address/cookie pair information.
4. The client that will be accessing the cameras must also have TOR installed with an edit made to its torrc configuration file to include the cookie associated with the TORVR's onion address.
5. When the TOR client opens a browser connection to the TORVR site, for example http://abcdefghijklmnop.onion:8181, the TOR client takes care of finding the site by providing the cookie during TOR hidden service lookup. The Tor browser will provide anonymized traffic access to the user’s home cameras without revealing to any intermediaries where your home base is located. This location anonymity is very useful when you are in another country or at a security conference and don't want folks to sniff your traffic and easily find out whereabouts your home is. Remember that the only reason your TOR hidden site was able to be connected to was because you had the authentication cookie. Anyone else trying to access http://abcdefghijklmnop.onion:8181 would not be able to find the onion site, let alone connect to it on port 8181. Other users without the authentication cookie for your TOR specific onion hidden service will be unable to find your host. If the address can't be found and the port can't be probed for either pin brute forcing or vulnerability scanning, then your cameras are yours alone to use.
6. Last thing, when TOR software gets upgraded, you can upgrade. You are not dependent on one hardware manufacturer. No need to keep upgrading hardware unnecessarily.
How to technically configure a TOR Hidden Service with Authentication Cookie requirement on a Raspberry Pi
The Raspberry Pi will act as a TOR hidden service proxy. This configuration will setup a port 8181 forward to the internal DVR IP and port number.
1. Setup a raspberry pi computer with your favorite Raspberry pi distribution. Doesn't really matter which one. This has been tested on Raspberry Pi 2, 3 and Zero W, as well as Ubuntu on AMD64 system.
2. Install TOR on your raspberry pi
a.apt-get install tor
3. Edit file /etc/tor/torrc
a.Add "HiddenServiceDir /home/debian-tor/hidden_service/" and save # This specifies that the tor keys will be stored in /home/debian-tor/keydir
b.Add "HiddenServicePort 8181 192.168.0.10:8181" and save # This assumes your internal DVR system is on 192.168.0.10 and using port 8181
c.Add "HiddenServiceAuthorizeClient stealth user1" and save # this will specify that TOR should create a private cookie so that only those who possess the cookie will be able to find and interact with the TORDVR Hidden Service.
4. Added lines should look like this:
HiddenServicePort 8181 192.168.0.10:8181
HiddenServiceAuthorizeClient stealth user1
5. On the Raspberry pi start tor
a.sudo service tor start
6. Look in the /home/debian-tor/hidden_service/ directory and you will find a file named hostname
7. Copy the contents of hostname for use in your tor client torrc file.
a.The content in file /home/debian-tor/hidden_service/hostname will look similar to this:
i. abcdefghijklmnop.onion a+abcdefg+123456789abcd # client: user1
8. See TOR browser configuration instructions below.
How to configure your Microsoft Windows based TOR Browser to see your TORDVR Hidden Service with an Authentication Cookie
1.Tor browser will need to be configured to pass the cookie specified in line 6.a.i above abcdefghijklmnop.onion a+abcdefg+123456789abcd
2.Go to the location where you placed your Windows Tor Browser folder and navigate to:
a.Go to directory: \Tor Browser\Browser\TorBrowser\Data\Tor
3.Edit torrc file
a.Add "HidServAuth abcdefghijklmnop.onion a+abcdefg+123456789abcd" and save # do not include the quotes.
4. Run Tor Browser and type http://abcdefghijklmnop.onion:8181 to see your DVRs web camera on your internal computer 192.168.0.10:8181
How to configure your Android Device to access your TORDVR Onion Address
1.Go to Google Play Store and install Orbot: Proxy for Tor
2.Open Orbot:Proxy for Tor
3.Click settings button on top right hand side.
4.Click on Hidden Services
5.Click on Client Cookies
6.Click Bottom right hand button to add a client cookie
7.Enter values for the onion site "abcdefghijklmnop.onion" and client cookie "a+abcdefg+123456789abcd". Omit the quotes. Click Save
8.Your Orbot app should look like this:
9.Restart Orbot for the changes to take effect.
10.Click on Orfox
11.Browse to http://abcdefghijklmnop.onion:8181
Congratulations! You can now access your camera over an encrypted network from anywhere with strong authentication.
So now you have access to your home private IP based DVR system without the use of NAT on your gateway firewall and without exposing the port to the entire internet 24/7. The port 8181 is not capable of being probed, so no random scan will find your cameras open to the internet. I've included this detailed post for cameras, but there are plenty of other great uses for TOR. I've used this hidden service for other services I don't want to leave open to the general internet. What will you come up with? Share on this post. Stay tuned for my next post on using TOR to enhance security of other home devices and services.