8

I don't know if this is possible.

I'm hosting a web farm on Raspberry Pis (for fun).

One of them is at a friend's house. I can access the Pi remotely using VNC. How can I prevent my friend from accessing the Pi, for example by plugging it into a screen?

Marcel
  • I assume sticking glue or some other concoction into the USB/HDMI port is out of the question? Or perhaps "clamp down" the metal around the USB/HDMI? You're looking for a software/programmatic way? – BruceWayne Apr 02 '18 at 16:57
  • @BruceWayne I was wondering if there was a software way. I thought for sure there would be a way – Marcel Apr 02 '18 at 20:00
  • It's covered in the comments, but if they have physical access to the Pi, it'd be relatively difficult for you to 100% lock them out/prevent unauthorized access...which is why I suggested the more ...physical? route. – BruceWayne Apr 02 '18 at 20:15

3 Answers

8

You can disable the HDMI output on your Pi by running:

/usr/bin/tvservice -o

(the option is documented in the code here)

The USB ports can apparently be disabled by running:

echo 0x0 > /sys/devices/platform/bcm2708_usb/buspower

However, since the USB and Ethernet share a controller, turning off the USB also disables the Ethernet... which isn't great, if you're hoping to connect via Ethernet to your Pi!

Note also that if the Pi is rebooted, these settings will not persist, so the attacker would briefly be able to access USB and video output.

Alternatively, you could, if you're willing to physically modify the Pi, just block the ports with a filler material. This must of course be irreversible, so the Pi will be irreparably damaged, but may at least place a roadblock in the way of an attacker.


Ultimately, a determined attacker with physical access could work around any of these constraints (simply by taking out the SD card and editing it to disable all of these protections). Depending on how important the data is, you need to decide whether you can trust your friend not to tamper with the device (else host it yourself).

Aurora0001
  • So there's not really a 'Production' solution. I was just wondering. Thanks for the help! – Marcel Apr 02 '18 at 10:55
  • 4
    @Marcel the production solution is to limit physical access to the people you trust. Either you trust your friend, you need to keep it in a secure container, or keep it at your house. – Captain Man Apr 02 '18 at 15:21
  • 1
    Not irreparably; they could remove the ports and put new ports on. – user253751 Apr 02 '18 at 23:13
5

Other than the "locked case" solution, you could remove the USB drivers for input devices. That would allow the USB-based networking to continue working while stopping keyboards and mice working. However, none of this prevents him from removing the SD card and accessing the files directly - hence the need to lock it in a box.

(I believe these are the input.o, hid.o and mousedev.o modules, but I've not tried it.)

pjc50
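One way to get the effect this answer describes without unloading drivers, added here as an example and not part of the original answer: the Linux kernel's USB authorization files in sysfs let you deauthorize only the devices that expose a HID interface (class 03, keyboards and mice), while the USB Ethernet adapter stays usable. The function names and the sample device tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: deauthorize USB devices that expose a HID interface
# (bInterfaceClass 03 = keyboards, mice) and leave everything else,
# such as the USB Ethernet adapter, untouched.

# deauthorize_hid DIR -- DIR is /sys/bus/usb/devices on a real system.
# Prints the name of each device it deauthorized.
deauthorize_hid() {
    root=$1
    for iface in "$root"/*:*; do
        [ -r "$iface/bInterfaceClass" ] || continue
        class=$(cat "$iface/bInterfaceClass")
        [ "$class" = "03" ] || continue
        name=${iface##*/}      # interface entry, e.g. 1-1.2:1.0
        dev=${name%%:*}        # owning device, e.g. 1-1.2
        auth="$root/$dev/authorized"
        [ -w "$auth" ] || continue
        # A composite device can have several HID interfaces; act once.
        [ "$(cat "$auth")" = "0" ] && continue
        echo 0 > "$auth"       # kernel unbinds all drivers from the device
        echo "$dev"
    done
}

# Constructed sample tree imitating sysfs, so the script runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/1-1.1" "$t/1-1.1:1.0" "$t/1-1.2" "$t/1-1.2:1.0" "$t/1-1.2:1.1"
    # Ethernet adapter: vendor-specific interface class (ff)
    echo 1 > "$t/1-1.1/authorized"
    echo ff > "$t/1-1.1:1.0/bInterfaceClass"
    # Keyboard with two HID interfaces
    echo 1 > "$t/1-1.2/authorized"
    echo 03 > "$t/1-1.2:1.0/bInterfaceClass"
    echo 03 > "$t/1-1.2:1.1/bInterfaceClass"
    echo "$t"
}

tree=$(make_sample_tree)
deauthorize_hid "$tree"
rm -rf "$tree"
```

On a real Pi the function would be run as root against /sys/bus/usb/devices. Like the commands in the first answer, the setting does not survive a reboot, and a device plugged in afterwards is authorized again unless the script is rerun.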
2

Another solution (you have asked in a comment for a "'production' solution") could be to restrict physical access by enclosing the Raspberry Pi in a lockable case (a container like a server rack or IT cabinet). This way you do not need to partially damage the device with glue or something like that.

There are small cabinets available with a glass door. This could be really useful if you need the status of the LEDs: in case you need this information, simply ask your friend to look at the LEDs and report back.

Just a few different examples, not a recommendation:

https://en.wikipedia.org/wiki/File:Industrial-computer.jpg

http://www.chassis-plans.com/portable-storage-system/

https://www.amazon.com/dp/B00JZVUBFE/

Or you could build your own case like you need it. Options are endless.

Fabian
  • Side note, the locks used on cases like these are super-easy to pick and should be replaced if you want any real security. However, any lock (almost!) can be picked if your attacker has enough time and privacy - and it sounds like your friend has both. – JPhi1618 Apr 02 '18 at 20:44
  • @JPhi1618 good point! And if needed, one could implement corresponding sensors to detect it (case status = open) and trigger a notification. – Fabian Apr 02 '18 at 20:56