SecuriPi

[Jim Manley]

As at least one or two keenly-observant forum members are bound to have heard by now, some bottom-scum-suckers have demonstrated the unmitigated gall to actually steal Pi boards from Jams and other Pi-related events. Some here have actually been insensitive enough to have remarked, "So what, it's only a $35 board?", completely ignoring the fact that many have been waiting the better part of a year to receive just one board (until last week for my order, despite registering four hours into D-Day on February 29th), the ePrey $100-plus prices that certain ... let's call them "parasites" ... have extracted, the value of personally-developed software on an inserted SD card, etc.

I will just point out the (to-me) obvious fact that, in effect, the thieves have been stealing from kids, at least where the boards were made available for kids to play with and program (my situation). When it comes to crimes against humanity, if you ask any law enforcement officer for their list of the worst crimes that ne'er-do-wells can commit, stealing from kids is way up there, just below the most reprehensible violent felonies. To some citizens, it's the principle that's important, but, for those so wealthy that they're lighting fancy Cuban cigars with the paper money equivalent of the true cost of obtaining a Pi (including months of waiting, even now), I will be more than happy to accept your donations of Pi boards, or the full equivalent in funds to acquire them, for our Pi for the Pupils Project.

I think it's worthwhile to pull Pi security (which I'm calling SecuriPi) out as a separate topic since it was first noted in my lessons-learned from our Silicon Valley Jam last weekend, and others have responded that they also know of thefts. Some have posted comments about, and links to, potential means for automatically sensing when a Pi board has been disconnected from a LAN at an event. I would like to pursue that topic here, if for no other reason than the educational opportunity as a project into which kids themselves can sink their teeth. I'm not so much interested in just being showered with unproven ideas, URLs, brain-farts, and other whims of fancy, I'm looking for A Few Good Men, Women, and Children who also think that stealing from kids is a hanging offense (and I would be ecstatic to have a well-provisioned army show up), even if the hanging just means a convicted perp being suspended by their thumbs via Cat-5 cable.

A search of the forums didn't turn up anything definitive on this topic, so, we can start with the fact that every Pi has some unique characteristics, and not just a MAC address for its Ethernet port (which can be spoofed from the network perspective, as has been noted elsewhere). I don't know whether the details of this uniqueness feature and precisely where/when it's accessed are supposed to be public knowledge, so, I will wait for the Foundation folks to weigh in on whether that should be discussed here in the forums or back-channel.

As anyone who's dealt with computing security for more than five seconds knows, the two primary aspects are physical security and information security. SecuriPi will deal with the intersection of those two aspects specifically as they relate to keeping Pi boards from growing appendages and wandering off with the assistance of a bipedal cockroach. While I have no problem building on the successful work of others, I'm not interested in fixing someone else's Swiss cheese version of a Really Bad Idea. So, if there are techniques that have been accepted by organizations with some real credibility, they're candidates, even if they might need to be adapted to the unique characteristics of the Pi (which I already know can be tricky and inherently risky in introducing vulnerabilities). Ultimately, it seems like producing something that can be buried in the kernels of all releases would be a reasonable goal, even if it means earlier releases lack SecuriPi features. I believe we can detect when a Pi running an earlier release is connected to a LAN so that it can at least be updated with some level of SecuriPi and thereby receive some protection.

If the mods want to establish a SecuriPi forum, that would be appreciated, as we can use this thread as an announcement touchstone to keep the Pi Community updated on progress, and pointers to threads about specific aspects for those with expertise/interest in them. If we need to establish a back-channel means of coordination between known people for issues that are sensitive to Broadcom or the Foundation, but, would be helpful to our goals, I'm sure they will let us know via PM, e-mail, etc.

Let's wait to discuss specifics until we know what the Foundation thinks and we see what kind of talent quorum is willing to actually roll up their sleeves and contribute - kibitzers are welcome to watch, but, don't criticize anything unless you have a proven solution appropriate to the Pi in-hand. That's not to say we don't welcome input - that would be ridiculously arrogant and stupid - just don't flame someone else's work unless you have something demonstrably better that actually works. Please save the hand-waving for the opening and closing ceremonies at the Olympics

We thank you for your support and now return you to your life, already in progress ... that is all ...

[Lob0426]

Though MAC spoofing is a possibility. It would still set off an alarm. A system scanning for MAC's, from a data table, would detect a MAC change as a missing device. An alarm would be sent at ANY disappearance of any device on the table. Basically the spoofing would only help them after they have already stolen the RasPi. I guess if they really were crafty they could cause one RasPi to send two MAC's and disconnect another. So you could also scan for a fixed I.P's. Just depends on how deep you want to follow the chain. Physical security would start with an inventory of devices present. A list. Next would a physical device to stop them from easily pocketing one. A case with chain would be my suggestion. Another solution would be to find a nice folding table and bolt them down in place. At least the ones you intend any public to have direct access to. They really do not need to be moving them to use them. You would also have to secure any small peripherals, so they do not walk away. Plan your layout at the venue ahead of time. Don't let equipment sit in an area that is either unobserved or could be easily blocked from view. Do not put stuff near any door. You want a person to come all the way in not just "drive by" and pick something up. The area where you intend the RasPii to be in use should be deep into the room and the center of attention. Above all you need to have trusted people cruising around and not getting involved (distracted) by what is being presented. Take turns at this job. It gets boring fast and they want to be socially interactive too. Thieves absolutely hate alert people. People with their heads up and swiveling. They will go somewhere else where the people are too busy texting, smoking and joking.

I know, a lot in there and it seems impossible to do it with only a few people, but it can be done and you can have fun too.

[Vindicator]

1.Large robust cases that can not be easily placed into even large pockets, may be the answer.
2. Display cases holding many Pi's but only accessible from one panel that is locked or alarmed and only mice and keyboard wiring out the front.

I know it sounds like a bother but may forestall any more untimely and unnecessary losses.

Evil is every where and vigilance is our only defense.

Of course there will be expenses in any solution.

[Max]

A case with chain would be my suggestion.

Problem is that all the current rPi cases are focused on easy access, are easy to open and have the SD card sticking out,.
Would be nice if someone would manufacture a standard case that is a little more theft proof.

Opened a related thread the other day (theft proof case)

[niftyhacking]

That stinks.... it stinks a lot.

Electronic solutions are difficult so some physical
welcome and sign in process makes a lot of sense.

Sign in ... number of Raspberrys -- are they marked. email --- Sign out.

We can bring masking tape and markers so it is easy
to know which one is which.

The recent jam was a bit chaotic with lots of wires,
monitors, keyboards .... power strips, wall warts...... network wires....

When someone tripped over the house network link and almost
pulled all the bits on the table it was clear that the "adults" need
to help organize things.

So a Welcome "sign in -- sign out" please clip board makes a lot
of sense to me.

The optimist in me believes that it was an honest error so a
lost and found not my gear back to here tub is in order.

[liz]

At Games Britannia we hooked up the Raspis to the necessary cables and then taped every single one of the cables down with duct tape as close to the board itself as we could; that meant that unplugging and removing the Raspi itself was a difficult and very visible job. Worked a treat. Hearty recommend.

[Lob0426]

A case with chain would be my suggestion.

Problem is that all the current rPi cases are focused on easy access, are easy to open and have the SD card sticking out,.
Would be nice if someone would manufacture a standard case that is a little more theft proof.

Opened a related thread the other day (theft proof case)

Stuff a case with thermite, they may get it, But they won't want to keep it!

@Liz: And I thought my suggestion was tacky. Yours literally was tacky.

[Vindicator]

I am thinking the original robocop were the crook get into the SUX 6000 car to steal it and he is grabbed and does the kickin chicken till he is smoking.

May be also add a PC that is running camera's for some video security (yes I know A PC at a PI jam but you could hide the sacrilegious PC).

[rurwin]

I've just found this, and it seems to be well worth a look. It wont stop a thief armed with an allen key or wire-cutters, but that should stop 99% of thefts.

RJ Lockdown Patchcord lock

It is especially nice because it only requires the organisers to have a supply of Ethernet leads; the delegates can bring their RaspPis in any or no cases and they can all be secured to at least a minimal standard.

The other possibility would be to have a supply of over-sized transparent-topped cases, say 8 inches square with cable holes in the sides and Kensington security slots. The RaspPi would hang on the cables without any fixings required, so it could also have any or no case. You could make that very secure. Maybe you could offer the delegates the choice, with them signing a disclaimer if they chose the less secure options.

[alexeames]

I like the Duct tape idea. Another possibility might be cases with pillars to which a chain or cable could be attached. A bit like this one...

Attach chain to pillar circled in red. Watch out for the capacitor though ;) You could also use the one by the ethernet port.

Pi.jpg (48.79 KiB) Viewed 6597 times

[Jim Manley]

Stuff a case with thermite, they may get it, But they won't want to keep it!

OOOOOH!!! YESSSSS!!! We had a slab of thermite on top of every piece of crypto gear in our intel comm center in Japan (hundreds of them) all rigged to ignite by running down each rack aisle and pulling a cable on each side routed through all of the igniter rings. We got to test the thermite for "educational" purposes once a quarter and used the opportunity to smelt aluminum hard disk platters (the really big washing-machine sized DEC RP-04 and RP-06 sized! ).

@Liz: And I thought my suggestion was tacky. Yours literally was tacky.

HA!

[AndrewS]

I've just found this, and it seems to be well worth a look. It wont stop a thief armed with an allen key or wire-cutters, but that should stop 99% of thefts.
RJ Lockdown Patchcord lock

Looks like that wouldn't work on ethernet cables that have a broken locking tab?
Nice simple idea though

[markb]

Why not use a bit of common sense when leaving a Pi out in public until they become easily available?

[AndrewS]

A search of the forums didn't turn up anything definitive on this topic, so, we can start with the fact that every Pi has some unique characteristics, and not just a MAC address for its Ethernet port (which can be spoofed from the network perspective, as has been noted elsewhere). I don't know whether the details of this uniqueness feature and precisely where/when it's accessed are supposed to be public knowledge, so, I will wait for the Foundation folks to weigh in on whether that should be discussed here in the forums or back-channel.

Apart from the GPU-firmware (which gets loaded from a SD card, so is definitely non-unique), everything about the RPi is deliberately very open, and AFAIK there's no "secret back-channel" parts. The only unique thing for each RPi is it's serial number, viewable via

Code: Select all

cat /proc/cpuinfo

I'm not usually a tinfoil-hat wearer, but I'd hate to see some non-essential "security feature" included into every Raspi kernel - I don't want RPF turning into Big Brother

And just to prove I'm not a useless whinger I did some searching and found http://www.backtrack-linux.org/forums/s ... php?t=1866 - looks like it'd be fairly easy to alter monitor.sh to also run a (different) command (e.g. use GPIO to sound a buzzer / flash lights) on an exisiting-MAC-disappearing event as well as a new-MAC-appearing event.
Or if you prefer Python to bash, https://www.google.co.uk/search?q=python+arp+scan has some interesting-looking links.

[Rabjerg]

I threw together a simple design, using a 3mm aluminum plate, some cutting and bending.
And you have a "theft proof" and cooled case.
This is the base design, then you can add stuff like a eye for a big chain and a badger, or screw some covers to the base plate to cover the usb's in case you want those secure.

https://www.dropbox.com/s/dhz3c1916dmeoy2/securipi.png
https://www.dropbox.com/s/c4jmz8rn8v2xzti/securipi2.png
https://www.dropbox.com/s/cnp76hi90m7scl9/securipi3.png

The pink layer, is a layer of heat-conducting-electrical-insulating-rubber.
The Pi is pressed down on the Soc and Lan chip, making the case double as cooling.

If people like it, ill optimize the design over the weekend, and make a prototype next week, if its any good, then i will release the source.

[rurwin]

Looks like that wouldn't work on ethernet cables that have a broken locking tab?

That's true, but my idea was that the organisers supply cables. Otherwise you'll just lose the locks instead.

Why not use a bit of common sense when leaving a Pi out in public until they become easily available?

That's precisely what this thread is about... How we can apply common sense to leaving a Pi out in public. Obviously we cannot leave it out without protecting it, so what protection can we easily and cheaply apply without defeating the purpose of leaving it out in the first place.

I'm not usually a tinfoil-hat wearer, but I'd hate to see some non-essential "security feature" included into every Raspi kernel - I don't want RPF turning into Big Brother

But it would be your RaspPi you would be including the feature on.

I can see the possibility of including a program on all RaspPis that responded to a local server and identified itself. That would be useful for finding your RaspPi in a DHCP environment and if it was standardised on the distro then it could be depended on and it wouldn't take any bandwidth or CPU resources and the privacy concerns are very minor. It could then be used to keep track of connected devices at Jams.

There is another possibility. If your RaspPi emailed you every time it was booted, then if anyone stole it, the first time they plugged it into a network it would give you a solid evidence trail by way of the email header. All you need is a free account somewhere that allows SMTP access, for example Googlemail. That wouldn't work if it was standardised, because the thief would probably know enough to disable it before connecting to a network, but it would work well on an individual basis. Of course, if they don't boot from your SD card then there's nothing you can do unless its on absolutely every distro, and even then they can get around it if they know enough.

[alexeames]

There is another possibility. If your RaspPi emailed you every time it was booted, then if anyone stole it, the first time they plugged it into a network it would give you a solid evidence trail by way of the email header. All you need is a free account somewhere that allows SMTP access, for example Googlemail. That wouldn't work if it was standardised, because the thief would probably know enough to disable it before connecting to a network, but it would work well on an individual basis.

You mean we are to start spamming ourselves?

That's actually a pretty good idea. Would that enable you to capture the user's IP address? That would make a nice little programming task for someone.

It might make you inclined to leave you Pi on though, to avoid all the extra emails.

[rurwin]

The email headers contain a record of all of the machines that it traveled through, like this:

Received: by 10.76.112.174 with SMTP id ir14csp55412oab; Mon, 16 Jul 2012 03:29:49 -0700 (PDT)
Received: by 10.66.89.168 with SMTP id bp8mr21647376pab.50.1342434588809; Mon, 16 Jul 2012 03:29:48 -0700 (PDT)
Return-Path: <fred@fred.plus.com>
Received: from avasout02.plus.net (avasout02.plus.net. [212.159.14.17]) by mx.google.com with ESMTP id hw8si27658316pbc.326.2012.07.16.03.29.45; Mon, 16 Jul 2012 03:29:48 -0700 (PDT)
Received-SPF: neutral (google.com: 212.159.14.17 is neither permitted nor denied by best guess record for domain of fred@fred.plus.com) client-ip=212.159.14.17;
Authentication-Results: mx.google.com; spf=neutral (google.com: 212.159.14.17 is neither permitted nor denied by best guess record for domain of fred@fred.plus.com) smtp.mail=fred@fred.plus.com
Received: from Fred([91.125.163.198]) by avasout02 with smtp id ayVJ1j0054JSPTP01yVjsC; Mon, 16 Jul 2012 11:29:45 +0100

That's a real header, but I've changed the name and IP address. I've underlined the originating IP address.

[Robert_M]

As far as the physical security issue:

When I first saw the Pibow, I imagined how it might be possible to replace the bottom layer for something larger - originally thinking in terms of an adjacent breadboard for project prototyping. But it would also seem that replacing it with a larger plate would make it possible to affix to a table with bolts. Or, even have several Pi's affixed in a row to the same over-sized bottom layer.

But as for deep software/technical solutions, I got nuthin' to offer, except for the steam coming out of my ears at people who would actually stoop so low as to steal an R-Pi.

[khh]

The best solution would probably be to make a battery-powered beeper and have it beep unless it's given power on a particular GPIO pin. Then have a program in the Pi turn off that pin when ethernet is disconnected.

That way your Raspberry will start squealing if someone disconnects the ethernet, the power or the beeper, with the added benefit of immediately knowing where the affected pi is. Only way to foil the beeper would be to cut the wire to the speaker or battery but this could be circumvented by making a simple, wooden cabinet.

This actually sounds like a fun project... I think I'll make me one of these.

[AndrewS]

I'm not usually a tinfoil-hat wearer, but I'd hate to see some non-essential "security feature" included into every Raspi kernel - I don't want RPF turning into Big Brother

But it would be your RaspPi you would be including the feature on.

I'd have no problem if this was an optional software program that the user could choose to add to their Pi themselves. I was referring to the bit where Jim said "Ultimately, it seems like producing something that can be buried in the kernels of all releases would be a reasonable goal, even if it means earlier releases lack SecuriPi features."

[bredman]

I've just found this, and it seems to be well worth a look. It wont stop a thief armed with an allen key or wire-cutters, but that should stop 99% of thefts.

RJ Lockdown Patchcord lock

This could be easily done by putting a cable tie around the Ethernet jack, just under the locking tab. This is an old trick used by IT support departments to stop idiots from unplugging cables.

It won't stop anybody with a knife or snips, but it would stop the opportunistic thief. Note that you would only need to lock the RPi end of the cable, it is a little difficult to put an RPi in your pocket if there is an Ethernet cable hanging out of it.

There is an inherent problem with a network-based solution where a central computer checks if any other computer is disconnected. This is known in the industry as a heartbeat monitor. Heartbeat monitors tend to give false alarms if there is any problem with a network connection. You would get lots of alarms if something disrupted the network or if the RPi restarted. After an hour in a typical jam environment, everybody would be sick of the inevitable alarms.

[alexeames]

I'd have no problem if this was an optional software program that the user could choose to add to their Pi themselves. I was referring to the bit where Jim said "Ultimately, it seems like producing something that can be buried in the kernels of all releases would be a reasonable goal, even if it means earlier releases lack SecuriPi features."

I suspect he suggests this because anything we put on there could be removed simply by switching SD cards. If EVERY distro contained this "feature", changing the card would be ineffective.
I don't like it either though Andrew. Raspi seems the antithesis of Big Brother.

As regards rurwin's suggestion, I've cooked up a little python script to implement that, and believe it or not, it works. Using rc.local to dump the output of...

Code: Select all

cat /proc/cpuinfo

and

Code: Select all

sudo ifconfig

into a file and then run the script to send the data in an email, using a gmail account, to myself on startup. I don't think I'll be using it, just did it for fun really.

It gets you the mac address, serial number and the ip address of the internet connection though.

[lewmur]

There is another possibility. If your RaspPi emailed you every time it was booted, then if anyone stole it, the first time they plugged it into a network it would give you a solid evidence trail by way of the email header. All you need is a free account somewhere that allows SMTP access, for example Googlemail. That wouldn't work if it was standardised, because the thief would probably know enough to disable it before connecting to a network, but it would work well on an individual basis.

You mean we are to start spamming ourselves?

That's actually a pretty good idea. Would that enable you to capture the user's IP address? That would make a nice little programming task for someone.

It might make you inclined to leave you Pi on though, to avoid all the extra emails.

That's assuming the theif is an idiot. All it would take to avoid any protection software like that would be to erase and re-image the SD Card prior to booting it the first time.

I think what people are talking about here is something to set off an alarm when a Pi is removed from the network at public events. Personally, my solution would be an "event app" supplied to each Pi participant, furnished by the event sponsor, that would "phone home" to the sponsor with unique ID, every so often. In order for the participent to remove their Pi without setting off an alarm, they'd have to get prior permission of some sort from the sponsor. The "event app" would be written specifically for each event and not given out until the event itself so no one would be able to "hack" it ahead of time.

[Burngate]

...Personally, my solution would be an "event app" supplied to each Pi participant, furnished by the event sponsor, that would "phone home" to the sponsor with unique ID, every so often. In order for the participent to remove their Pi without setting off an alarm, they'd have to get prior permission of some sort from the sponsor. The "event app" would be written specifically for each event and not given out until the event itself so no one would be able to "hack" it ahead of time.

That app would have to be very carefully written.
I'm thinking of RiscOS, or someone's bare-metal Pi, without Linux.