Home network and Raspberry Pi
1. Home network and Raspberry Pi
Daniele Albrizio
daniele@albrizio.it
By Evan-Amos - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=56262833
2. 2
What exactly is Raspberry Pi?
● The Raspberry Pi Foundation is a charity
founded in 2009 to promote the study of basic
computer science in schools, and is responsible
for developing a single-board computer called
the Raspberry Pi, the UK's best-selling PC of all
time.
3. 3
Raspberry Pi 3 2016
● 1.2 GHz 64-bit quad-core ARM Cortex-A53
● 500 MHz SDRAM
● SoC Broadcom BCM2837
● GPU Broadcom VideoCore IV @ 250 MHz (BCM2837: 3D
part of GPU @ 300 MHz, video part of GPU @ 400 MHz),
1080p30 H.264/MPEG-4 AVC high-profile decoder and
encoder
● 1GB SDRAM shared with GPU
● 4xUSB 2.0
● 15-pin MIPI camera interface (CSI) connector
4. 4
Raspberry Pi 3 2016
● HDMI (rev 1.3), composite video (3.5 mm
TRRS jack), MIPI display interface (DSI) for raw
LCD panels
● Analog audio via 3.5 mm phone jack; digital via
HDMI
● MicroSDHC slot
● 10/100 Mbit/s Ethernet
5. 5
Raspberry Pi 3 2016
● 17 x GPIO
● 300 mA (1.5 W) average when idle, 1.34 A (6.7
W) maximum under stress
● Powered by 5 V via MicroUSB or GPIO header
● Bluetooth 4.1
● 802.11n wireless
6. 6
Privacy concerns in a home network
● What are all my devices really doing on my
network?
● Are all network flows licit?
● What can I do to limit information leakage and
uncontrolled behaviour?
7. 7
Needs
● Isolate my (trusted?) DSL router and main PC
from untrusted wireless devices like smartphones
and IoT devices (forwarding, NAT, hostapd)
● Traffic analysis and awareness (wireshark)
● Firewalling (iptables at the moment)
● Bonus:
– Ad removal (Pi-hole)
10. 10
Base Distro
● Raspbian (base)
● Kali (some VA and security testing)
● https://www.offensive-security.com/kali-linux-arm-images/
● https://docs.kali.org/kali-on-arm/install-kali-linux-arm-raspberry-p
– # dd if=kali-xxxxx-rpi.img of=/dev/sdX bs=512k
– Where sdX is your sdcard device: please be
absolutely sure of which is your sdcard device before
flashing: data loss danger.
● Insert your SDcard and power on your Raspberry
11. 11
First steps
● Bind the Raspberry's IP address in your DSL router's DHCP
(reservation)
● Access via ssh, without keyboard or monitor,
using user: root, pass: toor
● Install hostapd, tcpdump, isc-dhcp-server
– sudo apt install hostapd tcpdump isc-dhcp-server
● Install your PC's public key as an authorized key on the Raspberry (optional)
– ssh-copy-id -i ~/.ssh/id_rsa.pub root@kalihost
12. 12
Disable Network Manager for Wi-Fi
interface to avoid conflicts
● service network-manager restart
#/etc/NetworkManager/nm-system-settings.conf
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=false
[keyfile]
unmanaged-devices=mac:8a:70:95:99:99:99
13. 13
Configure NAT and IP address
● for the wireless lan interface
# file /etc/network/interfaces
auto wlan0
iface wlan0 inet static
address 10.5.5.1
netmask 255.255.255.0
post-up iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
By Yangliy at English Wikibooks - Transferred from en.wikibooks to Commons., Public Domain, https://commons.wikimedia.org/w/index.php?curid=61795881
14. 14
IP Forwarding (like a router)
● In /etc/sysctl.d/99-sysctl.conf
– net.ipv4.ip_forward=1
● Reload parameters
– sysctl -p /etc/sysctl.conf
● Verify the parameter is “1”
– cat /proc/sys/net/ipv4/ip_forward
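One way to implement the isolation need from the "Needs" slide once forwarding is on, as an added example that is not part of the original slides: a filter table for iptables-restore that routes Wi-Fi clients to the internet but keeps them off the home LAN. The LAN prefix 192.168.1.0/24 is an assumption inferred from the 192.168.1.5 and 192.168.1.10 addresses used in the deck, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: emit a filter table for iptables-restore that isolates
# Wi-Fi clients from the home LAN while still routing them to the internet.
WLAN_IF=wlan0              # access-point interface (from the slides)
WAN_IF=eth0                # uplink towards the DSL router (from the slides)
WLAN_NET=10.5.5.0/24       # Wi-Fi subnet (from the slides)
LAN_NET=192.168.1.0/24     # ASSUMPTION: prefix of the wired home LAN

# The DROP for LAN destinations must come before the ACCEPT towards eth0,
# because the home LAN is reached through eth0 as well.
# INPUT: SSH and the web interface only from the LAN; DHCP and DNS from Wi-Fi.
wifi_isolation_rules() {   # hypothetical helper name
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 22,80 -j ACCEPT
-A INPUT -i $WLAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $WLAN_IF -s $WLAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $WLAN_IF -s $WLAN_NET -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WLAN_IF -s $WLAN_NET -d $LAN_NET -j DROP
-A FORWARD -i $WLAN_IF -o $WAN_IF -s $WLAN_NET -j ACCEPT
COMMIT
EOF
}

# Review the output, then load it as root:
#   wifi_isolation_rules | iptables-restore
```

Loading only the filter table leaves the MASQUERADE rule in the nat table untouched.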
15. 15
Enable DHCP server on wlan0
● Enable dhcp server upon boot
– sudo update-rc.d isc-dhcp-server enable
● Start the dhcp server
– sudo service isc-dhcp-server start
#/etc/dhcp/dhcpd.conf
subnet 10.5.5.0 netmask 255.255.255.0 {
range 10.5.5.26 10.5.5.36;
option domain-name-servers 10.5.5.1;
#option domain-name-servers 8.8.8.8, 8.8.4.4;
option domain-name "internal.example.org";
option routers 10.5.5.1;
option broadcast-address 10.5.5.255;
default-lease-time 600;
max-lease-time 7200;
}
#/etc/default/isc-dhcp-server
INTERFACESv4="wlan0"
16. 16
Enable Wi-Fi Access Point
● Insert DAEMON_CONF="/etc/hostapd/hostapd.conf"
in /etc/default/hostapd
● Modify and customize hostapd.conf (see next slide)
● Enable startup on boot
– sudo update-rc.d hostapd enable
● Start the access point
– sudo service hostapd start
18. 18
Traffic dump and sniff
● Use the following script to remotely dump (on
your PC) traffic from your raspberry and show
it in your local wireshark
– Your raspberry being 192.168.1.5 and your pc being
192.168.1.10
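#!/bin/sh
# Capture on the Raspberry's wlan0 and stream the pcap to the local wireshark.
# The filter excludes the SSH sessions of the Raspberry and the PC.
ssh root@192.168.1.5 "tcpdump -U -s0 -i wlan0 -w - \
  'not((host 192.168.1.5 and port 22)or(host 192.168.1.10 and port 22))'" \
  | wireshark -k -i -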
19. 19
Wireshark
● Industry standard sniffer
● Provides highlighting, correlation, decoding,
filtering, etc.
● Multiplatform (Linux, Windows, Mac)
● Provides statistics and flow analysis
20. 20
I need you
● Connectivity hungry apps as soon as a
smartphone connects:
21. 21
Connectivity Check without SSL
● GET /generate_204 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36
Host: connectivitycheck.gstatic.com
Connection: Keep-Alive
Accept-Encoding: gzip
● HTTP/1.1 204 No Content
Content-Length: 0
Date: Fri, 27 Oct 2017 18:48:06 GMT
23. 23
Who the hell is this one?
● $ geoiplookup 52.221.85.229
– GeoIP Country Edition: SG, Singapore
● $ host 52.221.85.229
– 229.85.221.52.in-addr.arpa domain name pointer ec2-52-221-85-229.ap-southeast-1.compute.amazonaws.com.
24. 24
Further findings
● Telegram uses non-TLS encryption on TCP port
80
● WhatsApp sometimes uses Google DNS 8.8.8.8
to reach its servers
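Findings like these can be pulled out of a capture automatically. The following added example (not part of the original slides) reads `tcpdump -nn` text output and counts, per Wi-Fi client, packets sent to a DNS server other than the 10.5.5.1 resolver announced in dhcpd.conf and packets sent to port 80. The function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -nn` text output from the access point.
PIHOLE_DNS=10.5.5.1     # resolver announced in dhcpd.conf (from the slides)
WLAN_PREFIX=10.5.5.     # textual prefix of the Wi-Fi subnet 10.5.5.0/24

# Reads tcpdump lines on stdin; prints "<packets> <tag> <client> -> <server>".
flag_flows() {          # hypothetical helper name
    awk -v dns="$PIHOLE_DNS" -v net="$WLAN_PREFIX" '
    {
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF - 3 || $(i + 2) != ">") next     # not an IPv4 packet line
        src = $(i + 1); dst = $(i + 3); sub(/:$/, "", dst)
        sa = src; sub(/\.[0-9]+$/, "", sa)          # address without port
        da = dst; sub(/\.[0-9]+$/, "", da)
        dp = dst; sub(/.*\./, "", dp)               # destination port
        if (index(sa, net) != 1) next               # only packets sent by Wi-Fi clients
        if (dp == "53" && da != dns) seen["DNS-BYPASS " sa " -> " da]++
        else if (dp == "80")         seen["PORT-80 " sa " -> " da]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k2
}

# Constructed sample input (not a real capture).
sample_capture() {
    cat <<'EOF'
18:48:06.100000 IP 10.5.5.27.48210 > 10.5.5.1.53: 4660+ A? example.org. (29)
18:48:06.210000 IP 10.5.5.27.40112 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
18:48:06.300000 IP 10.5.5.28.51000 > 8.8.8.8.53: 7+ A? example.org. (29)
18:48:06.310000 IP 8.8.8.8.53 > 10.5.5.28.51000: 7 1/0/0 A 203.0.113.9 (45)
18:48:06.400000 IP 10.5.5.27.40112 > 203.0.113.7.80: Flags [P.], seq 1:200, ack 1, length 199
EOF
}

# Usage on a saved capture:  tcpdump -nn -r capture.pcap | flag_flows
```

A client that shows up under DNS-BYPASS is resolving names without going through the resolver on the access point, so any DNS-based filtering there does not apply to it.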
25. 25
Ads and Privacy
● Profiling
– Cookies
– Referrals
– JavaScript
– Biometrics (fingerprinting of
mouse movements or
keyboard typing)
By Nicolasbuenaventura - Own work, CC BY-SA 3.0,
https://commons.wikimedia.org/w/index.php?curid=32181778
26. 26
Bonus track: Pi-Hole
● Advertising blackholing
● On-the-access-point
● Web interface
● Extensive statistics
● Customizable lists, white and black ones
● Disable button
27. 27
Install Pi-hole
● Download and install Pi-hole
– curl -sSL https://install.pi-hole.net | bash
● Customize /etc/pihole/setupVars.conf for using wlan0 addresses
– PIHOLE_INTERFACE=wlan0
– IPV4_ADDRESS=10.5.5.1/24
● Change Pi-hole web interface management password
– pihole -a -p somepasswordhere
● You can also remove the password by not passing an argument
– pihole -a -p
● Point your browser to http://192.168.1.5/admin
38. 38
Spare space for fun
● Security Webcam using motion
● Plenty of GPIO space
39. 39
What we learned to improve our
privacy consciousness
● What Raspberry Pi is
● How to install Kali Linux on Raspberry Pi 3
● Set up a wireless router using NAT and DHCP
● Sniff and read real-time traffic patterns
● Ad suppression
● ...
40. 40
This work is released under the Creative Commons Attribution - NonCommercial -
ShareAlike 3.0 Italy licence. To read a copy of the licence, visit
http://creativecommons.org/licenses/by-nc-sa/3.0/it/ or send a letter to
Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. Some images have
different licences, which are indicated on the images themselves.
Daniele Albrizio
daniele@albrizio.it
Questions?
41. 41
Further readings
● Yeelight hardware and software reverse
engineered
– https://hackernoon.com/inside-the-bulb-adventures-in-re
– https://github.com/OpenMiHome/mihome-binary-protoco