How a portable travel router can put TOR web-surfing security in your pocket

Introduced at Def Con 22, a project called PORTAL aims to make it much easier to keep your Internet traffic private via the TOR network.

Most of the stories coming out the Black Hat and Def Con security conferences highlight the latest crop of horrendous security flaws discovered by hackers. But it's not all doom and gloom. There were also presentations from developers actively trying to make digital security better for all.

Consider the privacy-protecting travel router defined by the Personal Onion Router to Assure Liberty (PORTAL) project. It aims to protect personal privacy with little effort--at least once you're up and running.

Currently a DIY project that's really only appropriate for power users, PORTAL uses a travel router with modified firmware that anonymizes all Internet traffic by connecting to The Onion Router (TOR) network. While PORTAL looks difficult to build right now, the creators are aiming to make the project more accessible to users, according to Ars Technica.

Even if you're not a criminal or political dissident, there are many reasons to keep your Internet surfing habits as private as possible. For example, you may object to the data-gathering activities of the National Security Agency and other intelligence groups just on principle. The downside of using TOR, however, is that it can slow down your browsing speeds (although TOR speeds have improved in recent years).

PORTAL is the brainchild of Ryan Lackey, security engineer at CloudFlare; Marc Rogers, principal security researcher for Lookout Security; and another well known security researcher who goes by the handle The Grugq. Lackey and Rogers discussed the PORTAL project at Def Con 22. You can check out the presentation slide deck here.

Security in your pocket

Travel routers are pocket-sized battery-powered and/or wall pluggable devices that can connect either to a wireless broadband network or a local Wi-Fi network. The router then functions just like a home router, connecting multiple devices to the Internet at one time.

The idea of making a travel router do all the work of connecting to TOR gives user devices an added boost of security. By isolating all the TOR connections to a separate device that can be nearly always on, you reduce the chance of forgetting to connect via TOR to maintain anonymity. The router also doesn't contain any of your personal information, reducing the chance of exposing personally identifiable data online.

There are many projects trying to help users stay anonymous online, mostly by using the TOR network. These include PogoPlug Safeplug and the Onion Pi that turns a Raspberry Pi mini computer into a TOR router.

The difference with PORTAL is it takes advantage of of TOR's pluggable transports API. Despite being relatively anonymous, online monitors can identify which traffic is TOR traffic and which is not. Pluggable transports can help mask TOR traffic so that it looks like non-descript Internet activity.

While PORTAL is an interesting project, right now it requires users to know how to flash a portable router's firmware. The instructions for getting started also assume a higher level of knowledge than most users have. Nevertheless, if you want to try your hand at PORTAL, you can find all the details, including recommended router models, on GitHub.

If you do give PORTAL or just plain old TOR a try, remember that your Internet traffic can be exposed once you exit TOR to connect to a website. You can avoid this by forcing your PC to connect to websites using https encryption whenever possible with browser add-ons such as HTTPS Everywhere.

Join the CSO newsletter!

Error: Please check your email address.

Tags TorintrusionArs TechnicaThe Onionsecurityprivacyhacking

More about National Security Agency

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts