This device was a semifinalist in The Hackaday Prize contest!
Basically, this device acts as a wifi / ethernet router and access point. It could connect to the internet using some random wifi, a wired network, or a tethered Android phone (wifi or USB). On the secured side, it acts as a wireless access point with internet forwarding so it works with every kind of device : PC, laptop, smartphone, using Windows, GNU/Linux, Android or even Mac-OSX.
The wireless access-point is also hardened with a random key feature. The access-point security key could be modified on-demand and at boot-time with a random one.
From the touch screen interface, TOR or an OpenVPN tunnel could be enabled. This custom interface could be used for complete operation, full setup and device monitoring.
It only needs a wifi adapter and no setup on the endpoint device (computer, smartphone…) to work. The user interface is also very easy to use with on/off buttons, so it is very easy to operate by non tech people.
In sensitive situations, the complete software and operating system could be installed in a few minutes from a preconfigured and encrypted image. The SD-card could also be removed from the device or even destroyed in a few seconds, which causes no harm to the device but leaves it completely empty and useless. This way, sensitive data such as SSH private keys are secure.
The device hardware is open source, and uses only free software. This way, it could be improved by the community when it needs to, and it also helps defend digital freedom and Human Rights.
It also makes a perfect device to fight planned obsolescence : the software is built to be cross-compatible with different boards, offering different features, to adapt to various situations and evolve over time.
The device could be built at home using some easily sourceable parts and laser cut enclosure in a ready-to-build kit (see below), but could also be easily customized and manufactured for specific needs.
Key features
- Secure wireless access point, with random security key generation features :
- Quick connect to Android using QR code
- AP security forced on WPA2-PSK
- On-demand OpenVPN transparent tunnelling to a remote trusted network/server (here, it is a second Raspberry Pi) :
- Point to point tunneling with internet forwarding
- Very stable and fast over wireless, cellular and other non reliable networks
- Keeps connected over a roaming connection
- On-demand Tor transparent proxy :
- Anonymous browsing,
- Access forbidden websites / services based on location
- Force or Block relay nodes based on their location, from the main interface
- Hardware firewall with dynamically and automatically addressed rules
- Capable of traversing NATs and firewalls
- Ad-blocker / DNS filter feature with quick custom rules
- Touch display control interface
- Very low power consumption : ~5 Watts, runs on a phone charger
- Onboard 2600 mAh battery : ~4h running time
- External 10000 mAh battery : adds ~8h and charges onboard battery
- Very easy to operate, install and deploy
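The random access-point key, the forced WPA2-PSK mode and the QR-code quick connect listed above can be sketched as follows. This is an added example, not the device's own code: the function names and the sample configuration are assumptions, while the option names are standard hostapd settings and the `WIFI:` string is the format Android's QR scanner reads.

```python
import re
import secrets
import string

# Alphabet without look-alike characters (0/O, 1/l/I) so the key can also be typed by hand.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")

def new_passphrase(length=24):
    """Random WPA2 passphrase from the OS CSPRNG (WPA2-PSK allows 8 to 63 characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def harden_hostapd(conf_text, passphrase):
    """Return hostapd.conf text with the new key set and WPA2-PSK/CCMP forced."""
    forced = {
        "wpa": "2",                  # WPA2 (RSN) only, no WPA1
        "wpa_key_mgmt": "WPA-PSK",
        "rsn_pairwise": "CCMP",      # AES-CCMP only, no TKIP
        "auth_algs": "1",            # open-system authentication, no shared-key WEP
        "wpa_passphrase": passphrase,
    }
    # Settings that could bring back TKIP or a stale key are dropped.
    dropped = {"wpa_pairwise", "wpa_psk", "wpa_psk_file"}
    out = []
    for line in conf_text.splitlines():
        key = line.split("=", 1)[0].strip()
        is_setting = "=" in line and not line.lstrip().startswith("#")
        if not is_setting or key not in forced.keys() | dropped:
            out.append(line)         # keep comments and unrelated settings untouched
    out += [f"{k}={v}" for k, v in forced.items()]
    return "\n".join(out) + "\n"

def wifi_qr_payload(ssid, passphrase):
    """Text to encode in the QR code; \\ ; , : and " must be backslash-escaped."""
    esc = lambda s: re.sub(r'([\\;,:"])', r"\\\1", s)
    return f"WIFI:T:WPA;S:{esc(ssid)};P:{esc(passphrase)};;"

# Constructed sample configuration, not taken from the device.
SAMPLE_CONF = """interface=wlan0
ssid=demo;ap
wpa=1
wpa_pairwise=TKIP
wpa_passphrase=changeme123
"""

if __name__ == "__main__":
    key = new_passphrase()
    print(harden_hostapd(SAMPLE_CONF, key) + wifi_qr_payload("demo;ap", key))
```

On a real device the rewritten file would be saved readable by root only and hostapd restarted, at boot or on demand, so that the previous key stops working.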
Why is it an important device ?
- It prevents people from learning your physical location or browsing habits,
- It helps defend individuals against traffic analysis,
- It helps businesses to keep their strategies confidential,
- It helps activists to anonymously report abuses or corruption,
- It helps journalists to protect their research and sources online,
- It helps people to use online services blocked by their local Internet providers
Target audience
- People who want to fight a form of network surveillance that threatens personal freedom and privacy,
- Every kind of job/activity that requires confidentiality / privacy / security,
- Every kind of job/activity that requires some secure remote access,
- Journalists / Activists
How you can help
This device is still in a prototype stage. It is actually looking for many things :
- some technical and security expertise
- a lot of feedback (reason I don't have any comments is still a mystery)
- some funding would really help, I'm looking for a solution to kickstart from France but I'm open to everything
- Of course, you are very welcome to spread the word about this project !
If you are willing to help, or just want to discuss about the project, please drop me a line !
If you are interested, I also added a Paypal Donate button on this page.
Connection diagram :
Functions diagram :
- How "Open" is the design ?
For a device like this one, being open in design is not an option : it could be audited, and so it could be trusted. The philosophical nature of being "free" (as in "freedom") is also very important to this project : protecting online privacy is also defending Human Rights.
So this device is meant to be as much open and free as possible :
- the current prototype is Raspberry Pi based. While R-Pi is not fully open hardware because of the Broadcom chips, schematics, board layouts and many other data are in the public domain. The current device software is also built to remain compatible with different boards and hardware. Cross-compatibility is a key aspect of this device.
- the custom software is GPL v3, and every software component/library has been chosen considering its free software licence,
- the different enclosure designs (when ready) will be in public domain
- I do my best to document the device, and release every source code I'm using in it when it's ready. I do my best to keep my software easy to understand or customize. I've already been asked about a second device with different features, so the software should adapt to different boards.
This project is also a great example of people's openness. It could not have reached its current development state without some great people who donated either hardware or time (or both) : battery board and case come from PiModules, and Lemaker people are really of great help with the BPi board. And of course the many people or friends who give me some help, advice and criticism are a great example of cooperation, and this is possible only because the project is so open.
- "Wow" factor: is the entry innovative, is the build impressive ?
While people apparently enjoy the device look, I used some already available components (PiModules UPiS & case, 2.8 TFT) to build the last prototype. It was the best way to approach what I imagine for the final device, and also it saved time for the coding and the many other things.
The software coding started long before this contest, is far from being finished, and is the most important part of the device. I think I built an attractive and effective user interface. If an attractive interface could help people better understand privacy concepts and start fighting for their rights, I'm all for it.
I think this device is innovative on many aspects :
- I don't know of a similar device
- this device allows some advanced network operations, but requires almost no knowledge from the user. Building / installing / using Tor or a VPN is not so easy for non tech people.
- to this day, internet privacy and security is a must, and people are becoming aware of the actual situation. Many end-users or even corporations don't know how to secure their online activities. This device is designed for these people, being very easy to use.
I'm also showing the device to many people, including corporations. I see these people are very interested in it, this is a very innovative and useful concept to them. This is enough for me to work further on it.
On the other hand, this project may be considered impressive due to the fact I'm all alone working on it until now, and without fancy tools...
- Is the entry a connected device and is that "connectedness" meaningful to the function ?
This device helps bring privacy to connected people by installing itself between the users and the Internet.
It could connect two remote places using a very secure tunnel.
This is also a mobile wireless access point, and a wireless client.
It could also work with cable ethernet and cellular data network.
Being connected is the reason this project exists from start...
- Is the project reproducible and could the work be extended for other uses ?
This device has been thought to be reproducible, from start : the software is compatible with many different main boards and hardware, even with a computer running Debian. Additional components, such as battery board, touch display, USB wifi adapters, are either optional or interchangeable with other components. I took this decision to allow everyone to build it at home, using off-the-shelf or easily available hardware.
This device has been designed to evolve if there are specific needs : the corporations to whom I showed the prototypes already asked for a 4x ethernet switch instead of the wireless access point so I'm working towards that and plan to port the software to the incoming BPi-R1 board (planned for release in October). This is just one example, and this is why openness is so important to this project.
- Does the entry exhibit engineering innovation ?
I think no device allows VPN / TOR use by pressing a single button on a touchscreen. There are many components that work with each other, and it was not easy to make them work well. Automatic firewall rules switching function was a hard part, with many facepalms. This software is very innovative in my opinion, especially because of the attractive user interface.
I also had to deal with overheating issues which caused the last prototype to suddenly reboot, and the first prototype enclosure was built completely by hand.
These moments were not that easy to deal with but I think the overall result is great and it is a great learning process.
- Is there an intuitive interface ? (is the entry usable in the real world ?)
It was a primary objective of this device, long before this contest. "Secure" and "easy to use", too often, are opposite concepts, so I thought I could do something about it. The user interface is very easy to use, even if it still needs some work and new features. I built it for myself at start, but now I try to show it to many people to get some feedback. People seem to appreciate the ease of use of the user interface, I made it for non-techy users so I think I succeeded in it.
I use this device personally very often in many situations (see the project logs), so it's now proven to be usable (and useful) in the real world.
- Is it/could it be manufacturable ?
It is not only manufacturable, but it is especially easily manufacturable : the components used are interchangeable and easily available, and I'm using an already available enclosure (with a custom part) in the last prototype.
I also posted a Doodle poll about the device, and it appears the laser cut enclosure road is the best solution for the final design : it could be easily built at home and/or mass-manufactured, still allows for some customizations, and has a very professional look.
For the first move into marketing, I want to design and sell ready-to-build kits, with every part needed : mainboard, display, battery, enclosure. I also want my own Arcadia Labs one-man company to assemble the kits, propose ready-to-run devices, and customize kits for specific uses.
This solution also lowers manufacturing cost, and could also add business and attention to very nice and innovative companies : Raspberry Pi foundation, PiModules, Adafruit, LeMaker, and others.
I think reinventing the wheel is a waste of resources, especially when other companies already build well designed components.
Early example of a ready-to-build kit.
What is working, or not, at this stage ?
First, it is very nice to see the essential features of the device are working already :
- The main interface is running well, and still remains very easy to use
- The Tor and OpenVPN transparent proxies switching functions are working really well,
- Automatic firewall rules switching works and still remains easy to adapt / improve
- The main prototype's hardware power management and battery charging features are working
- Overall stability is great
- The main prototype is nice looking already, has been publicly demonstrated, and gets some very good feedback
Of course, not everything worked as smoothly as I imagined, and some features still need some work :
- Raspberry Pi prototype's power management functions are working already, but this part still needs some work to better integrate in the user interface and port to the other boards,
- The internet connectivity detection function is a little slow,
- The transparent web filter part still has some glitches, and drops internet access after some time. I think it's caused by a cache overload, but I didn't work much on this part yet. It is not really essential for the moment in my opinion.
- The device's operating system is being cleaned up of unnecessary components already, but I still could do more
I also have many additional features in mind, but these are either not implemented, or not working yet :
- TOR easy setup features inside the user interface : exit node location should be easily selectable. Incidentally, it also needs an exit node(s) blacklisting
- add easy wireless client setup feature, with ability to monitor / scan for nearby wifi access points and connect to them. On the previous prototypes, this feature was part of a web interface, running on the access point side. This web interface has now been removed, so this feature should now be ported inside the main user interface.
- HTTPS everywhere and a MAC address modification to improve web privacy
- Firewall setup inside the main interface
- a RGB lit power switch. It will also show the device status.
- An installation script is planned, but is still far from being ready
- I wanted to work much more on the server device.
Software bits :
- Stripped-down Raspbian
- hostapd
- dnsmasq + dnsutils
- OpenVPN client and server
- OpenSSL
- TOR
- Notro FBTFT driver
- WiringPi
- Python + Pygame + python-psutil
- geoip-database + libgeoip1 + python-geoip_1.2.4-2_armhf.deb
- a few graphics and coding ideas from the Adafruit Raspberry Pi touchscreen camera project
Licences
Each software or library used is under one of these licences :
- Creative Commons Attribution-ShareAlike
- GNU General Public License 2 or 3
- BSD Licence
- MIT Licence
The device's custom software uses GNU General Public License 3.