User avatar
jbeale
Posts: 3360
Joined: Tue Nov 22, 2011 11:51 pm
Contact: Website

USB networking for secure file sharing

Mon Aug 13, 2018 4:42 pm

I know it is possible to read a shared folder on a Windows PC from a remote Pi over the network using SAMBA. I understand the RPi Model A+ and also the Zero and Zero+W can work in "USB Gadget" mode (eg. USB device, not host). Also that there exist drivers to make it possible to do TCP/IP over USB as if the USB connection was a regular Ethernet connection.

Let's say I want to have a shared folder on a Windows PC, and I want to plug in a USB device to that PC that once connected can all by itself, login with a (previously setup) user account on the Windows PC to access the shared folder. But I also care about security and I don't want just anyone on the regular ethernet or wifi LAN, or the larger internet to have any way in. So it seems like having no normal ethernet or wifi connection, and permitting only this type of TCP/IP-over-USB connection would increase security by requiring an attacker to not only know the login credentials, but be physically present to plug in their USB device.

Does this idea make sense, or am I forgetting something obvious?

There's a separate question about whether it is possible to make a Windows PC completely refuse to deal with any USB device except for one specific authorized RPi-as-USB-Gadget, but I think that is more of a Windows-specific question.

User avatar
thagrol
Posts: 853
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: USB networking for secure file sharing

Tue Aug 14, 2018 7:15 pm

I'm sure someone else will jump in if/where I'm wrong...

It's theroitically possible but...
  • The USB ethernet gadget appears on both the Pi and the PC as a normal ethernet device so anything you can do over ethernet can be done over this connection.
  • It depends on whether your windows PC can be setup to share on only one of it's network interfaces rather than all of them.
  • If you don't use network sharing or bridging on the PC only it will be able to access, or even see the Pi.
  • Without the above the Pi won't be able to access the rest of your network or the internet.
  • The Pi can act as either a USB device or as a USB host, it can't do both at the same time. So you can't connect a keyboard and mouse while it's acting as a USB ethernet device.
So, possible? Yes. Easy to set up? Probably not. Useful? Depends on what you're trying to achieve.
Note to self: don't feed the trolls
If you believe "L'enfer, c'est les autres" (Hell is other people) have you considered that it may be of your own making?

ejolson
Posts: 1888
Joined: Tue Mar 18, 2014 11:47 am

Re: USB networking for secure file sharing

Tue Aug 14, 2018 7:49 pm

thagrol wrote:
Tue Aug 14, 2018 7:15 pm
[*]Without the above the Pi won't be able to access the rest of your network or the internet.
If you use a Pi Zero W, then it is not necessary to bridge or forward the Ethernet gadget. Instead, you can set up the Zero W to reach the Internet through WiFi and only use the gadget for sharing files with the PC. A reasonably complete description (without the filesharing) of setting a Pi Zero W up in this way may be found in my post on creating a Mathematica dongle.

User avatar
thagrol
Posts: 853
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: USB networking for secure file sharing

Tue Aug 14, 2018 8:00 pm

Indeed, or add an ethernet port via SPI. Not sure how that fits the OP's security aim though.
Note to self: don't feed the trolls
If you believe "L'enfer, c'est les autres" (Hell is other people) have you considered that it may be of your own making?

ejolson
Posts: 1888
Joined: Tue Mar 18, 2014 11:47 am

Re: USB networking for secure file sharing

Tue Aug 14, 2018 8:57 pm

thagrol wrote:
Tue Aug 14, 2018 8:00 pm
Indeed, or add an ethernet port via SPI. Not sure how that fits the OP's security aim though.
I think keeping all Internet traffic off the Ethernet gadget by using additional network devices would increase security.

Of course the effectiveness of any such measure is in the details. Experimenting at home is a good way to learn the details because there are are fewer chances of getting fired when things go wrong.

gkaiseril
Posts: 443
Joined: Mon Aug 08, 2016 9:27 pm
Location: Chicago, IL

Re: USB networking for secure file sharing

Tue Aug 14, 2018 9:27 pm

For the Pi Zero and Zero W there is the Ethernet Hub and USB Hub w/ Micro USB OTG Connector.

I would expect that SSH and SFTP should be sufficient for most people unless one does not want to use a wireless network.

ejolson
Posts: 1888
Joined: Tue Mar 18, 2014 11:47 am

Re: USB networking for secure file sharing

Tue Aug 14, 2018 10:57 pm

gkaiseril wrote:
Tue Aug 14, 2018 9:27 pm
For the Pi Zero and Zero W there is the Ethernet Hub and USB Hub w/ Micro USB OTG Connector.

I would expect that SSH and SFTP should be sufficient for most people unless one does not want to use a wireless network.
While it can be done if both systems are running Linux, I'm not sure it's possible to tunnel a Samba CIFS share from a Windows PC over SSH to a Pi.

Maybe a remote filesystem could be mounted directly using SSHFS or SFTP skipping the CIFS share, if a suitable server for Windows were found. Do you know how to mount a Windows filesystem onto a Pi using SSH?

User avatar
thagrol
Posts: 853
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: USB networking for secure file sharing

Wed Aug 15, 2018 12:10 am

gkaiseril wrote:
Tue Aug 14, 2018 9:27 pm
For the Pi Zero and Zero W there is the Ethernet Hub and USB Hub w/ Micro USB OTG Connector.

I would expect that SSH and SFTP should be sufficient for most people unless one does not want to use a wireless network.
But using that prevent the pi working as a USB gadget so doesn't fit the OP's requirement

Edit:
And as for
I would expect that SSH and SFTP should be sufficient for most people unless one does not want to use a wireless network.
If FTP were "sufficient for most people" (SFTP builds on FTP by adding an SSH tunnel) we wouldn't have samba/cifs, NFS, etc at all let alone have them be actively maintained.

And WiFi is irrelevant. That's the physical layer, SSH & SFTP require a TCP/IP network, that can be WiFi, ethernet, bluetooth, serial (PPP/SLIP), carrier pigeon, ... The OP wants a closed network between Pi and PC, ethernet via USB gadget mode provides that as would a direct connection via a single ethernet cable, or a closed WiFi network.
Last edited by thagrol on Wed Aug 15, 2018 12:28 am, edited 1 time in total.
Note to self: don't feed the trolls
If you believe "L'enfer, c'est les autres" (Hell is other people) have you considered that it may be of your own making?

fruitoftheloom
Posts: 17445
Joined: Tue Mar 25, 2014 12:40 pm

Re: USB networking for secure file sharing

Wed Aug 15, 2018 12:13 am

thagrol wrote:
Wed Aug 15, 2018 12:10 am
gkaiseril wrote:
Tue Aug 14, 2018 9:27 pm
For the Pi Zero and Zero W there is the Ethernet Hub and USB Hub w/ Micro USB OTG Connector.

I would expect that SSH and SFTP should be sufficient for most people unless one does not want to use a wireless network.
But using that prevent the pi working as a USB gadget so doesn't fit the OP's requirement

There is always the option of using a USBNet Cable:

viewtopic.php?f=36&t=131042
Adieu

User avatar
jbeale
Posts: 3360
Joined: Tue Nov 22, 2011 11:51 pm
Contact: Website

Re: USB networking for secure file sharing

Wed Aug 15, 2018 4:34 am

In case you were puzzled why anyone would want this, the use case is a Windows PC that has a tested software system and changing any of the application software is difficult. However purely windows-OS-level changes such as permissions on a shared folder (and installing the Ethernet-over-USB driver) is more feasible. Meanwhile the thought is that having NO "normal" ethernet/wifi connections on the PC, only a connection to the Pi over USB would prevent some external attack vectors, while still allowing the Pi to extract some PC system data as needed, via shared filesystem eg. Samba.

Now if the Pi forwards that data on through wifi to a firewall, that's another system to secure, but the point is it seems to me you can achieve some connectivity to the outside world without changing the PC software, and without the PC itself being directly connected to a LAN, which were the requirements of the project at hand.

The USBnet cable is another idea along the same lines, but it seems to possibly be even less "standard" than a Pi.

ejolson
Posts: 1888
Joined: Tue Mar 18, 2014 11:47 am

Re: USB networking for secure file sharing

Wed Aug 15, 2018 10:58 am

jbeale wrote:
Wed Aug 15, 2018 4:34 am
it seems to me you can achieve some connectivity to the outside world without changing the PC software, and without the PC itself being directly connected to a LAN
Using a Pi Zero W with the USB running an Ethernet gadget and WiFi connected upstream to the Internet as configured in my previous post should work well to isolate the Windows PC while allowing access of files from the Pi side.

An alternative solution may be achieved with a Pi 3B+ by connecting the PC and the Pi using a standard networking cable and again using WiFi on the Pi for Internet. Additional details of this approach may be found in this thread.

Finally, if the PC has Bluetooth then you can pair the Pi, configure TCP/IP over Bluetooth and then have the wired networking interface available for the Internet connection. This is the approach taken here.
Last edited by ejolson on Wed Aug 15, 2018 8:58 pm, edited 1 time in total.

User avatar
thagrol
Posts: 853
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: USB networking for secure file sharing

Wed Aug 15, 2018 4:59 pm

jbeale wrote:
Wed Aug 15, 2018 4:34 am
Now if the Pi forwards that data on through wifi to a firewall, that's another system to secure, but the point is it seems to me you can achieve some connectivity to the outside world without changing the PC software, and without the PC itself being directly connected to a LAN, which were the requirements of the project at hand.
Yep, but you'll still need to take the usual measures to secure your Pi otherwise anyone who can acces it can access the PC. Not just a firewall, at the very least change the password for the Pi user.
Note to self: don't feed the trolls
If you believe "L'enfer, c'est les autres" (Hell is other people) have you considered that it may be of your own making?

Return to “Networking and servers”

Who is online

Users browsing this forum: No registered users and 12 guests