Skip to main content

SecurityPi@Embedded Linux Conference: One Device to Monitor Them All

Linux Foundation hosts a few very prestigious conferences throughout the year, Embedded Linux and OpenIoT conference are among them. I first had my talks accepted in OpenIoT Summit last year, and I ended up presenting two talks and one with Dietrich (yay!). You can read about it here.

This year again, I decided to give it a try and submitted one of my hobby projects. The project uses a Raspberry Pi and tries to take care of its security and conveniently named as…..SecurityPi (Brownie points to me for the Innovative nomenclature!).
There are two parts of this post.
First, I'll explain about the background of the project - What is SecurityPi? How does it work? What is its purpose? And, how can you use it?
In the latter part of the post, I will talk about the conference, how the talk was received and a little about some future ideas that I am planning to work on as well as some suggestions that I got. 

Inception ~ How it all began:

The idea admittedly came to me on a journey through London tube, talking to Dietrich while going for Mozfest 2016. After Mozilla All Hands and watching all those awesome projects come out from using devices like RPI, Arduino, Particle IO made me super excited.
It also made me a little wary about the whole scenario where people quickly develop a prototype and deploy it, the system is connected to the internet and at the same time running software that is vulnerable to cyber attacks. In certain cases, the developers had not cared changing most of the default settings of the system they are running (damn most of them are configured using only root account in them with default password)!
Later in Berlin, at a closed briefing/meeting/discussion about some of the work Mozilla IoT team was doing (this was before open innovation), I got into a little debate where everyone was advocating for innovation and encouraging new communities to try new ideas. My point of concern - the idea of everyone introducing newer devices into the internet and keeping them open without any security, vulnerable to attacks by malicious hackers waiting to gain access and compromise these devices.
This instigated me to start to write some pieces of scripts to better configure a Pi so that with every vanilla installation, a Pi can be configured better. But then came the attack of the refrigerators and that made me realize I actually have no idea what my devices are doing, what services they are connecting to. And I realized there is no way for me to have a central Command and Control to monitor them other than their gateway i.e. my router. Hence started my journey for SecurityPi - one device to monitor them all.

Idea ~ How is the Job done:

What SecurityPi tries to achieve is what we have in our industry and organizations all the time. It acts as the IT Department - monitoring authority for the whole organization of devices at my home, connected to the internet. Almost all my devices including my cellphones communicate with the Internet via the Wifi connection. So SecurityPi will act as a doorkeeper sitting between my ISP and my Wifi analyzing all my traffic, looking for things I generally don’t do. And inform me about it (it won’t immediately block them unless I tell though).

So what does SecurityPi do?
It tries to understand your activity with help from various service insights and tools. It eventually creates a profile on your devices service/data usage based on the service and servers they are connecting to. It know known bad service,domain,servers (again with help form outside) and updated about it. So if any of your device connects to them you get a notification. Over the time it creates a usage profile for you and your device data usage (but the device stores this information without sending it anywhere) and shows you a pretty picture of what is going on. 
It does not try to do machine learning on the data, yet…..not without you knowing

Making my R-Pi-Wi-Fi Awesome again:

To achieve this I consolidated my previous attempts and scripts, daisy chained them so that the RPIi itself doesn't get hacked in the first place (who watches the watchman? :( ). Then I got to make this big hack achievable. I had to do the following steps:
  1. Get the RPi in place: Networks are messy. There is no easy and cheap way to actually get the RPi (which only had one networking card) in between my router and Wi-Fi (I did not want to use the RPI itself as a WiFi adapter). I ended up using the In-Line approach.
  2. Know what is going on: Time for me to play the spy and understand what my devices (and me!) are doing. I resorted to using Bro for this. Bro was created by Vern Paxson in 1995 while at Lawrence Berkeley National Laboratory. What’s powerful about Bro is the ability to inspect traffic at all OSI layers, as well as add additional scripting for increased attack detection. Bro conveniently gives me an insight of the packets flying between the devices and internet. But just getting them wasn't enough.
  3. Make Bro great again: "It seems nothing is as great as it had been once..". So I decided to do something about it. While Bro ships with an extensive signature base to detect a number of common attacks, the signatures can be enhanced with Threat Intelligence. Here comes the lovely Critical Stack (CS) into the scene. CS from Intel (not Counter Strike :P ) instantly gave me insight and capability to understand and gain information about spam, malicious attack and phishing domains among other things. Now I had knowledge, this combined with the information Bro was giving me, and finally the RPi could understand what was going on. Critical Stack is a free software that aggregates threat intelligence feeds. It’s a simple point-and-click integration to pull information, such as Tor Exit node IP addresses, known malicious IPs, or known phishing domains. The Critical Stack agent pulls the threat intelligence data, formats it into the Bro scripting language, and the Bro IDS picks up the new scripts automatically.
  4. But I wanted to see! And understand what is going on. I also wanted to get notified of any potential bad behaviors. I wanted to know if and when a device inside my home connects to a TOR network, or a Chinese VPN or maybe sending periodic encrypted packets to a Russian server. I also wanted an audit trail and all this in a pretty UI. I may not be able to stop you bad guys, but I sure as hell want to know when I am hacked and pull the plug (that I can do). Enter Elastiserach, Logstash and Kibana (ELK) . The whole ELK also gave me a lot of analytical capabilities (and also told me how much of my bandwitdh actually gets wasted in NetFlix).

And that brings us back to what we started with.
I wrapped up all these again in another daisy chained bug hacky script which will take the pain out of installing configuring all these services into your RPI and create the system for you. That became SecurityPi. The kinks and my pain, all gets reflected in the presentation. Which you will be able to see below with the event video.

All these combined allows SecurityPi to
It tries to understand your activity with help from various services insights and tools. It eventually creates a profile on your devices service/data usage based on the service and servers they are connecting to. It know known bad service,domain,servers (again with help form outside) and updated about it. So if any of your device connects to them you get a notification. Over the time it creates a usage profile for you and your devices data usage (but does not send it to anywhere and stores it with you) and show you a pretty picture of what is going on. It does not try to do machine learning on the data, yet…..not without you knowing
The talk itself went great. With a ton of questions form people who generally build automative grade linux, embedded systems and also from DIY enthusiasts. I was super surprised, excited and happy that a lot of people are concerned about security of the IoT devices and how many of them liked to check out the code. My friend Leon who had his talk in the morning snapped a picture of me in the talk with too many people trying to snap the barcode to the github link.

I also met with one of my professors from RICE University, Lin Zhong who was there and attended my talk. There was no planned afterparty and Portland was being the classic rainy city all these three days, but surprisingly I met with a lot of people after the talk and got a ton of suggestions on how this can be improved. One being containerizing the setup, specially the ELK stack.
At the very last day, I met with Leon and went out to explore the city. We ended up grabbing dinner and then walking to Voodoo Donut to taste their famous donuts. 
Fun Fact: They only accept cash, so if Leon wasn’t carrying cash, we probably would have had to return.

Overall it was a nice fun filled three days. I enjoyed how the conference was organized and there were a ton of very interesting session spread throughout those three days. Got a ton of feedback on the code and moreover a clear actionable feedback on the talk itself.


Popular posts from this blog

ARCore and Arkit, What is under the hood: SLAM (Part 2)

In our last blog post ( part 1 ), we took a look at how algorithms detect keypoints in camera images. These form the basis of our world tracking and environment recognition. But for Mixed Reality, that alone is not enough. We have to be able to calculate the 3d position in the real world. It is often calculated by the spatial distance between itself and multiple keypoints. This is often called Simultaneous Localization and Mapping (SLAM). And this is what is responsible for all the world tracking we see in ARCore/ARKit. What we will cover today: How ARCore and ARKit does it's SLAM/Visual Inertia Odometry Can we D.I.Y our own SLAM with reasonable accuracy to understand the process better Sensing the world: as a computer When we start any augmented reality application in mobile or elsewhere, the first thing it tries to do is to detect a plane. When you first start any MR app in ARKit, ARCore, the system doesn't know anything about the surroundings. It starts pro

ARCore and Arkit: What is under the hood : Anchors and World Mapping (Part 1)

Reading Time: 7 MIn Some of you know I have been recently experimenting a bit more with WebXR than a WebVR and when we talk about mobile Mixed Reality, ARkit and ARCore is something which plays a pivotal role to map and understand the environment inside our applications. I am planning to write a series of blog posts on how you can start developing WebXR applications now and play with them starting with the basics and then going on to using different features of it. But before that, I planned to pen down this series of how actually the "world mapping" works in arcore and arkit. So that we have a better understanding of the Mixed Reality capabilities of the devices we will be working with. Mapping: feature detection and anchors Creating apps that work seamlessly with arcore/kit requires a little bit of knowledge about the algorithms that work in the back and that involves knowing about Anchors. What are anchors: Anchors are your virtual markers in the real wo

IRCTC blocking certain countries?

Indian Railway Catering and Tourism Corporation or most commonly known as IRCTC is the only authorized government portal in India through which someone can book a Train Ticket. It also provides booking for flights and buses but its primary use for most people is to book rail tickets online. And like thousands of other people I also use the site intermittently while booking train tickets, especially for my parents who are in India and when I want to book tickets for them. A few days back they asked me to book a ticket for them and that is when the fun started. I found out that when I tried to access the website day before yesterday (4th July 2018), instead of the familiar login page I was greeted with an error that page cannot be loaded. I thought maybe something wrong and I would try later. After a day I tried and faced the same error. Now a little bit curious since I actually never seen the site down for a prolonged time, blamed it on my Comcast connection and connecte