
SecurityPi@Embedded Linux Conference: One Device to Monitor Them All


The Linux Foundation hosts a few very prestigious conferences throughout the year; the Embedded Linux Conference and the OpenIoT Summit are among them. I first had my talks accepted at OpenIoT Summit last year, and I ended up presenting two talks and one with Dietrich (yay!). You can read about it here.



This year again, I decided to give it a try and submitted one of my hobby projects. The project uses a Raspberry Pi and tries to take care of its security, and is conveniently named... SecurityPi (brownie points to me for the innovative nomenclature!).
There are two parts to this post.
First, I'll explain the background of the project - What is SecurityPi? How does it work? What is its purpose? And how can you use it?
In the latter part of the post, I will talk about the conference, how the talk was received, and a little about some future ideas that I am planning to work on as well as some suggestions that I got.

Inception ~ How it all began:

The idea admittedly came to me on a journey through the London Tube, talking to Dietrich on the way to Mozfest 2016. After Mozilla All Hands, watching all those awesome projects come out of devices like the RPi, Arduino and Particle IO made me super excited.
It also made me a little wary of the whole scenario where people quickly develop a prototype and deploy it: the system is connected to the internet and at the same time running software that is vulnerable to cyber attacks. In certain cases, the developers had not cared to change most of the default settings of the system they were running (damn, most of them are configured with only the root account and its default password)!
Later in Berlin, at a closed briefing/meeting/discussion about some of the work the Mozilla IoT team was doing (this was before open innovation), I got into a little debate where everyone was advocating for innovation and encouraging new communities to try new ideas. My point of concern - the idea of everyone introducing newer devices onto the internet and keeping them open without any security, vulnerable to attacks by malicious hackers waiting to gain access and compromise these devices.
This instigated me to start writing some scripts to better configure a Pi, so that every vanilla installation of a Pi could be configured better. But then came the attack of the refrigerators, and that made me realize I actually have no idea what my devices are doing or what services they are connecting to. And I realized there is no way for me to have a central Command and Control to monitor them other than their gateway, i.e. my router. Hence started my journey for SecurityPi - one device to monitor them all.

Idea ~ How is the Job done:

What SecurityPi tries to achieve is what we have in our industry and organizations all the time. It acts as the IT department - the monitoring authority for the whole organization of devices at my home that are connected to the internet. Almost all my devices, including my cellphones, communicate with the internet via the Wi-Fi connection. So SecurityPi acts as a doorkeeper sitting between my ISP and my Wi-Fi, analyzing all my traffic and looking for things I generally don’t do. And it informs me about them (it won’t immediately block them unless I tell it to, though).

So what does SecurityPi do?
It tries to understand your activity with help from various service insights and tools. It eventually creates a profile of your devices' service/data usage based on the services and servers they are connecting to. It knows about known bad services, domains and servers (again with help from outside) and is kept updated about them. So if any of your devices connects to them, you get a notification. Over time it creates a usage profile for you and your devices' data usage (but the device stores this information without sending it anywhere) and shows you a pretty picture of what is going on.
It does not try to do machine learning on the data, yet... not without you knowing.

Making my R-Pi-Wi-Fi Awesome again:

To achieve this I consolidated my previous attempts and scripts and daisy chained them so that the RPi itself doesn't get hacked in the first place (who watches the watchman? :( ). Then I got to make this big hack achievable. I had to do the following steps:
  1. Get the RPi in place: Networks are messy. There is no easy and cheap way to actually get the RPi (which only had one networking card) in between my router and Wi-Fi (I did not want to use the RPi itself as a Wi-Fi adapter). I ended up using the In-Line approach.
  2. Know what is going on: Time for me to play the spy and understand what my devices (and me!) are doing. I resorted to using Bro for this. Bro was created by Vern Paxson in 1995 while at Lawrence Berkeley National Laboratory. What’s powerful about Bro is the ability to inspect traffic at all OSI layers, as well as add additional scripting for increased attack detection. Bro conveniently gives me an insight into the packets flying between the devices and the internet. But just getting them wasn't enough.
  3. Make Bro great again: "It seems nothing is as great as it had been once..". So I decided to do something about it. While Bro ships with an extensive signature base to detect a number of common attacks, the signatures can be enhanced with Threat Intelligence. Here comes the lovely Critical Stack (CS) into the scene. CS from Intel (not Counter Strike :P ) instantly gave me the insight and capability to understand and gain information about spam, malicious attacks and phishing domains, among other things. Now I had knowledge; combined with the information Bro was giving me, the RPi could finally understand what was going on. Critical Stack is free software that aggregates threat intelligence feeds. It’s a simple point-and-click integration to pull information such as Tor exit node IP addresses, known malicious IPs, or known phishing domains. The Critical Stack agent pulls the threat intelligence data, formats it into the Bro scripting language, and the Bro IDS picks up the new scripts automatically.
  4. But I wanted to see! And understand what is going on. I also wanted to get notified of any potential bad behaviors. I wanted to know if and when a device inside my home connects to the Tor network or a Chinese VPN, or is maybe sending periodic encrypted packets to a Russian server. I also wanted an audit trail, and all this in a pretty UI. I may not be able to stop you bad guys, but I sure as hell want to know when I am hacked and pull the plug (that I can do). Enter Elasticsearch, Logstash and Kibana (ELK). The whole ELK stack also gave me a lot of analytical capabilities (and also told me how much of my bandwidth actually gets wasted on Netflix).
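
What steps 2 to 4 amount to, as an added example that is not SecurityPi's own code: parse Bro's tab-separated logs and report which home device contacted an address or domain listed in a threat-intelligence feed. Bro's Intel framework does this matching itself; the code below reproduces it offline, and the log excerpts, feed names and addresses are constructed (the feed layout follows the Bro Intel file format).

```python
from collections import defaultdict

# Constructed intel feed in Bro Intel-framework TSV layout.
INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "198.51.100.23\tIntel::ADDR\tconstructed-tor-exit-feed\n"
    "phish.example.net\tIntel::DOMAIN\tconstructed-phishing-feed\n"
)
# Constructed conn.log and dns.log excerpts (header trimmed to #fields).
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1487700001.10\tCa1\t192.168.1.20\t51000\t203.0.113.5\t443\ttcp\n"
    "1487700002.20\tCa2\t192.168.1.31\t51001\t198.51.100.23\t9001\ttcp\n"
)
DNS_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\n"
    "1487700003.30\tDa1\t192.168.1.20\t192.168.1.1\twww.example.org\n"
    "1487700004.40\tDa2\t192.168.1.31\t192.168.1.1\tPhish.Example.NET\n"
    "1487700005.50\tDa3\t192.168.1.40\t192.168.1.1\t-\n"
)

def parse_bro_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def load_intel(text):
    """Map (indicator_type, lower-cased indicator) -> feed name."""
    return {(r["indicator_type"], r["indicator"].lower()): r["meta.source"]
            for r in parse_bro_tsv(text)}

def find_hits(intel, conn_text, dns_text):
    """Return {device_ip: [(ts, indicator, source), ...]} for intel matches."""
    hits = defaultdict(list)
    checks = ((conn_text, "id.resp_h", "Intel::ADDR"),
              (dns_text, "query", "Intel::DOMAIN"))
    for text, column, itype in checks:
        for rec in parse_bro_tsv(text):
            # "-" is Bro's unset-field marker; it never appears in a feed.
            value = rec.get(column, "-").lower().rstrip(".")
            source = intel.get((itype, value))
            if source:
                hits[rec["id.orig_h"]].append((rec["ts"], value, source))
    return dict(hits)

if __name__ == "__main__":
    for device, events in find_hits(load_intel(INTEL), CONN_LOG, DNS_LOG).items():
        print(device, events)
```

Domain matching is case-insensitive and ignores a trailing dot, since DNS queries for the same name can differ in both.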



And that brings us back to what we started with.
I wrapped all of these up again in another daisy chained big hacky script which takes the pain out of installing and configuring all these services on your RPi and creates the system for you. That became SecurityPi. The kinks and my pain all get reflected in the presentation, which you will be able to see below with the event video.

All of this combined allows SecurityPi to do the following.
It tries to understand your activity with help from various service insights and tools. It eventually creates a profile of your devices' service/data usage based on the services and servers they are connecting to. It knows about known bad services, domains and servers (again with help from outside) and is kept updated about them. So if any of your devices connects to them, you get a notification. Over time it creates a usage profile for you and your devices' data usage (but does not send it anywhere and stores it with you) and shows you a pretty picture of what is going on. It does not try to do machine learning on the data, yet... not without you knowing.
The talk itself went great, with a ton of questions from people who generally build Automotive Grade Linux and embedded systems, and also from DIY enthusiasts. I was super surprised, excited and happy that a lot of people are concerned about the security of IoT devices, and at how many of them wanted to check out the code. My friend Leon, who had his talk in the morning, snapped a picture of me in the talk with too many people trying to snap the barcode to the GitHub link.

I also met with one of my professors from Rice University, Lin Zhong, who was there and attended my talk. There was no planned afterparty and Portland was being the classic rainy city all three days, but surprisingly I met with a lot of people after the talk and got a ton of suggestions on how this can be improved. One was containerizing the setup, especially the ELK stack.
On the very last day, I met with Leon and went out to explore the city. We ended up grabbing dinner and then walking to Voodoo Donut to taste their famous donuts.
Fun Fact: They only accept cash, so if Leon wasn’t carrying cash, we probably would have had to return.

Overall it was a nice, fun-filled three days. I enjoyed how the conference was organized, and there were a ton of very interesting sessions spread throughout those three days. I got a ton of feedback on the code and, moreover, clear actionable feedback on the talk itself.
