Angsuman Chakraborty
2 min read · Feb 14, 2020

How to secure B2C IoT devices with Tor Network

IoT Network

Most IoT devices are fundamentally broken. They allow remote access by connecting to a central server on the internet, most likely in China. This is a security nightmare, not to mention unreliable, speaking from experience.

The solution in the B2C domain is to make it distributed. Each IoT device should be a Tor node and host a secure Tor server (an onion service), which can then be reached from anywhere without compromising security or being reliant on China.

A device can be registered by exposing its address via a QR code. The mobile client just needs a QR code scanner, which is trivial to add.

Tor anonymity adds to the security as IoT devices cannot be discovered in the wild by scanning for vulnerabilities.

Tor is failure resistant and suitable for this kind of communication of small data. The latency is not an issue for most applications.

The only potential downside is the Tor client footprint, which can be reduced with a custom lightweight implementation.

To summarize, your data does not go to Chinese servers and the addresses cannot be detected en masse for vulnerability scanning. We can even make the ports random for added security. The address and port combination is known only to select clients, exposed through a QR code etc., and the connection goes through Tor, so it cannot even be detected by a man-in-the-middle attack.
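The registration step described above (address exposed via QR code, random port), as an added example that is not code from the original post: the device builds the text for its QR code and the mobile client validates it before pairing. It assumes a v3 onion service, whose hostname is derived from the service's ed25519 public key, and a hypothetical `iotdev://` payload scheme.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

VERSION = b"\x03"  # v3 onion services


def onion_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def random_port() -> int:
    """Pick an unpredictable virtual port outside the well-known range."""
    return 1024 + secrets.randbelow(65536 - 1024)


def registration_payload(pubkey: bytes, port: int) -> str:
    """Text the device encodes into its QR code (hypothetical iotdev:// scheme)."""
    return f"iotdev://{onion_address(pubkey)}:{port}"


def parse_payload(payload: str) -> tuple:
    """Client side: accept only a well-formed v3 onion address and a valid port."""
    url = urlsplit(payload)
    host = url.hostname or ""
    if url.scheme != "iotdev" or not host.endswith(".onion"):
        raise ValueError("not a device registration payload")
    label = host[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("not a v3 onion address")
    try:
        raw = base64.b32decode(label.upper())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base32 in onion address") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    if version != VERSION or checksum != expected:
        raise ValueError("onion address checksum mismatch")
    port = url.port  # urlsplit raises ValueError for a non-numeric or >65535 port
    if port is None or port < 1:
        raise ValueError("missing or invalid port")
    return host, port
```

The checksum only catches a mistyped or corrupted address; it does not prove the QR code came from the genuine device, so the scan still has to happen over a trusted path such as the label on the device itself.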

The other big deal is that there is no single point of failure. Tor is very failure resistant.
