Security solution for my storage locker. Deployed to a raspberry pi with an attached camera
Steven Polley 4ba8936fb9 A little note about insane filesystem restrictions due to arcane standards 5 months ago

storage-security

Security solution for my storage locker. Deployed to a raspberry pi with an attached camera.

The Background

In mid-October 2020, my storage unit was broken into. This is going to be my method of collecting evidence and, hopefully, identifying the intruder. I'm also just trying to have fun with what is overall a bad situation for me. The major constraint for this project is that it must be low power, and there is no persistent communication channel to allow streaming video off premises (the risk is that the intruder may discover the storage device and remove it from the premises). Using some clever tricks, I may be able to mitigate this risk 90% of the time by keeping a phone hidden in my parked vehicle, which syncs log and video data when my vehicle is parked in my parking stall. If it's possible to communicate up to my unit in some way, I could trigger some form of alarm in my unit when motion is detected in my storage area.

Technology Stack

  • Raspberry Pi 4 w/ camera
  • OpenCV via GoCV bindings
  • Syncthing

The Raspberry Pi is configured as a WLAN AP which my phone will connect to. My phone will also be running Syncthing and have the RPI configured as a sync device. Each time my phone connects, it will pull the logs and videos that the RPI has saved to the sync folder.

This isn't a foolproof method: the intruder may locate the RPI / camera and disable, destroy or remove it, and the data is stored only on the RPI until the next time I'm within proximity. This is an acceptable risk given the constraints; however, if a better method is discovered to immediately store the data outside of the storage unit, that would be preferred (something low-powered sitting in my vehicle?)

Raspberry Pi Setup

Full steps to re-build this system are below.

Prerequisites

  1. Connect the camera
  2. Image the SD card with Raspberry Pi OS Lite (minimal image based on Debian) - make sure to pick Lite - do not use the desktop version.
  3. Connect a keyboard, mouse and monitor
  4. Connect an ethernet cable with an internet connection
  5. Update all packages, and install some prerequisites

sudo apt update && sudo apt upgrade -y
sudo apt install vim hostapd dnsmasq golang

Boot optimizations

Edit /boot/config.txt

# Disable the rainbow splash screen
disable_splash=1

# Disable bluetooth
dtoverlay=pi3-disable-bt
 
# Set the bootloader delay to 0 seconds. The default is 1s if not specified.
boot_delay=0

Edit /boot/cmdline.txt to make the kernel quiet. The following is an example; the key part is the quiet flag.

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=PARTUUID=32e07f87-02 rootfstype=ext4 elevator=deadline fsck.repair=yes quiet rootwait

Configure Networking

The RPI will act as an access point (not a wireless client) using WPA2-Personal with both PSK and MAC authentication. It also needs to act as a DHCP server. This is required to provide a communication channel for collecting data from the device. Once it's installed in the field, there will be no LAN connectivity, and it will rely on me passing by with my cell phone in my pocket to periodically synchronize logs and video feed data - so the Pi must be configured to act as an access point which my phone will automatically connect to once in range.

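Set a static IP for the wlan0 interface by editing /etc/dhcpcd.conf

interface wlan0
static ip_address=10.69.0.1/30
# Keep dhcpcd from starting wpa_supplicant on wlan0; hostapd owns the radio.
# (denyinterfaces wlan0 would make dhcpcd skip the interface entirely,
# so the static address above would never be applied.)
nohook wpa_supplicant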

Next configure the sole DHCP address. You can clear the entire contents of /etc/dnsmasq.conf and just add the following:

interface=wlan0
dhcp-range=10.69.0.2,10.69.0.2,255.255.255.252,2h

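Finally, configure the host access point daemon (hostapd) by creating the file named /etc/hostapd/hostapd.conf

interface=wlan0
hw_mode=g
channel=7
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
# With wpa=2 the pairwise cipher is taken from rsn_pairwise: CCMP only, no TKIP
rsn_pairwise=CCMP
ssid=StealThisYouStupidCrackheads
wpa_passphrase=PASSWORD
# MAC authentication: only stations listed in the accept file may associate
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept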

Be sure to change the password in the above config. We also need to point the system to this config file by modifying /etc/default/hostapd - only modify the DAEMON_CONF line as such:

# Original
#DAEMON_CONF=""

# Change it to this
DAEMON_CONF="/etc/hostapd/hostapd.conf"

Finally, add the MAC address of the phone to the whitelist by editing /etc/hostapd/accept

00:11:22:33:44:55

Also make sure the services are enabled and reboot

sudo systemctl enable hostapd
sudo systemctl enable dnsmasq
sudo reboot

Once it comes back up, ensure that the phone connects and gets an IP address. Also attempt to ping the Pi from the phone (or vice versa) to validate that communication is possible.
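An added check for the access point settings above (example code written for this page, not part of the repository): it lints a hostapd.conf for WPA2 with CCMP only, an enforced MAC accept list, and a passphrase that is neither the placeholder nor outside hostapd's 8 to 63 character range. The function names and the sample config are constructed for the example.

```shell
# Added example (not from the repository): lint a hostapd.conf.
# Print the last value assigned to key $2 in file $1 (empty when unset).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per line for the hostapd config file $1.
hostapd_findings() {
    [ "$(conf_get "$1" wpa)" = 2 ] || echo "wpa: expected 2 (WPA2 only)"
    # With wpa=2 the cipher comes from rsn_pairwise; if that is unset,
    # hostapd falls back to wpa_pairwise, whose default is TKIP.
    wpa_c=$(conf_get "$1" wpa_pairwise)
    cipher=$(conf_get "$1" rsn_pairwise)
    case " ${cipher:-${wpa_c:-TKIP}} " in
        *" TKIP "*) echo "pairwise cipher: TKIP enabled, use CCMP only" ;;
    esac
    # The accept file is only enforced when macaddr_acl=1.
    [ "$(conf_get "$1" macaddr_acl)" = 1 ] ||
        echo "macaddr_acl: expected 1 (deny stations not in accept list)"
    [ -n "$(conf_get "$1" accept_mac_file)" ] ||
        echo "accept_mac_file: not set, no whitelist is read"
    pass=$(conf_get "$1" wpa_passphrase)
    if [ "$pass" = PASSWORD ]; then
        echo "wpa_passphrase: still the placeholder value"
    elif [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "wpa_passphrase: must be 8 to 63 characters"
    fi
}

# Return 0 if the config is clean; otherwise print findings and return 1.
audit_hostapd_conf() {
    out=$(hostapd_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: no MAC ACL lines, placeholder passphrase.
sample_weak_conf() {
    printf '%s\n' interface=wlan0 wpa=2 wpa_key_mgmt=WPA-PSK \
        wpa_pairwise=TKIP rsn_pairwise=CCMP ssid=example \
        wpa_passphrase=PASSWORD
}

tmp=$(mktemp) && sample_weak_conf >"$tmp"
audit_hostapd_conf "$tmp" || echo "config needs fixing"
rm -f "$tmp"
```

On the Pi, run `audit_hostapd_conf /etc/hostapd/hostapd.conf` before rebooting into the field configuration.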

Install and Setup Syncthing

Follow the steps to add the Syncthing apt source and install it - https://apt.syncthing.net/

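Then set up the sync folder, owned by the pi user that the service below runs as

sudo mkdir /sync
sudo chown pi:pi /sync

Create the systemd unit file at /etc/systemd/system/syncthing.service

[Unit]
Description=syncthing

[Service]
# User= is the systemd directive for the account to run as. RunAs= is not a
# systemd key; it is ignored and the service would run as root.
User=pi
ExecStart=/usr/bin/syncthing

[Install]
WantedBy=multi-user.target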

And enable it, so it starts following a boot.

sudo systemctl enable syncthing.service
sudo systemctl start syncthing.service

Set up Syncthing to sync this folder with Syncthing on my phone.

Build OpenCV and Application

Now that the infrastructure is set up, the last thing needed is the application itself. The RPI will run hot while building and may crash unless at least passive cooling is provided. This stage may take up to an hour. Clone this repository (right here, the one you're reading) onto the RPI and grab all the Go packages with go get.

go get deadbeef.codes/steven/storage-security
cd ~/go/src/deadbeef.codes/steven/storage-security
go get
cd ~/go/src/gocv.io/x/gocv
make install


cd ~/go/src/deadbeef.codes/steven/storage-security
go build .
sudo chown root:root storage-security
sudo mv storage-security /usr/local/bin

Create a systemd service unit file at /etc/systemd/system/storage-security.service

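[Unit]
Description=storage-security

[Service]
# User= is the systemd directive for the account to run as. RunAs= is not a
# systemd key; it is ignored and the service would run as root.
# The pi user must be able to write to /sync (sudo chown pi:pi /sync).
User=pi
ExecStart=/usr/local/bin/storage-security

[Install]
WantedBy=multi-user.target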

And enable it, so it starts following a boot.

sudo systemctl enable storage-security.service

You should be able to test it out to see if motion detection and capture to file are working. If the phone is connected to the RPI SSID, then the /sync folder should also come over with the logs and captured video files.