# storage-security

Security solution for my storage locker. Deployed to a Raspberry Pi with an attached camera.

##### The Background

In mid-October 2020, my storage unit was broken into. This is going to be my method of collecting evidence and, hopefully, identifying the intruder. I'm also just trying to have fun with what is overall a bad situation for me.

The major constraint for this project is that it must be low power, and there is no persistent communication channel to allow streaming video off premises (the risk is that the intruder may discover the storage device and remove it from the premises). Using some clever tricks, I may be able to mitigate this risk 90% of the time by keeping a phone hidden in my parked vehicle, which syncs log and video data when my vehicle is parked in my parking stall. If it's possible to communicate up to my unit in some way, I could trigger some form of alarm in my unit when motion is detected in my storage area.

### Technology Stack

* Raspberry Pi 4 w/ camera
* OpenCV via GoCV bindings
* Syncthing

The Raspberry Pi is configured as a WLAN AP which my phone will connect to. My phone will also be running Syncthing and have the RPI configured as a sync device. Each time my phone connects, it will pull the logs and videos that the RPI has saved to the sync folder.

This isn't a foolproof method: if the intruder locates the RPI / camera and disables, destroys or removes it, the data is lost, because it is stored only on the RPI until the next time I'm within proximity. This is an acceptable risk given the constraints; however, if a better method is discovered to immediately store the data outside of the storage unit, that would be preferred (something low powered sitting in my vehicle?).

### Raspberry Pi Setup

Full steps to re-build this system are below.

##### Prerequisites

1. Connect the camera
2. Image the SD card with Raspberry Pi OS Lite (minimal image based on Debian) - make sure to pick Lite - do not use the desktop version.
3. Connect a keyboard, mouse and monitor
4. Connect ethernet cable with internet connection
5. Update all packages, and install some prerequisites

```bash
sudo apt update && sudo apt upgrade -y
sudo apt install vim hostapd dnsmasq golang
```

##### Boot optimizations

Edit /boot/config.txt

```conf
# Disable the rainbow splash screen
disable_splash=1

# Disable bluetooth
dtoverlay=pi3-disable-bt

# Set the bootloader delay to 0 seconds. The default is 1s if not specified.
boot_delay=0
```

Edit /boot/cmdline.txt to make the kernel quiet. The following is an example; the key part is the `quiet` flag, and the file must remain a single line.

```conf
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=PARTUUID=32e07f87-02 rootfstype=ext4 elevator=deadline fsck.repair=yes quiet rootwait
```

##### Configure Networking

The RPI will act as an access point (not a wireless client) using WPA2-Personal with both PSK and MAC authentication. It also needs to act as a DHCP server. This is required to provide a communication channel for collecting data from the device. Once it's installed in the field, there will be no LAN connectivity, and it will rely on me passing by with my cell phone in my pocket to periodically synchronize logs and video data - so the Pi must be configured to act as an access point which my phone will automatically connect to once in range.

Set a static IP for the wlan0 interface by editing /etc/dhcpcd.conf

```conf
interface wlan0
    static ip_address=10.69.0.1/30
    # Keep wpa_supplicant off the AP interface; hostapd owns wlan0
    nohook wpa_supplicant
```

Next configure the sole DHCP address.
You can clear the entire contents of /etc/dnsmasq.conf and just add the following:

```conf
interface=wlan0
dhcp-range=10.69.0.2,10.69.0.2,255.255.255.252,2h
```

Finally, configure the host access point daemon by creating the file /etc/hostapd/hostapd.conf

```conf
interface=wlan0
hw_mode=g
channel=7
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
# wpa_pairwise only applies to WPA (v1); with wpa=2 the cipher is set by rsn_pairwise
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=StealThisYouStupidCrackheads
wpa_passphrase=PASSWORD
# Enforce the MAC accept list: only stations listed in accept_mac_file may associate
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
```

Be sure to change the password in the above config; hostapd requires a passphrase of 8 to 63 characters. We also need to point the system to this config file by modifying /etc/default/hostapd - only modify the DAEMON_CONF line as such:

```conf
# Original
#DAEMON_CONF=""

# Change it to this
DAEMON_CONF="/etc/hostapd/hostapd.conf"
```

Finally, add the MAC address of the phone to the whitelist by editing /etc/hostapd/accept. Use the address the phone actually presents to this SSID, since recent Android and iOS versions randomize it per network by default. MAC addresses are sent in the clear and can be copied, so the passphrase remains the primary control.

```conf
00:11:22:33:44:55
```

Also make sure the services are enabled and reboot. Raspberry Pi OS ships hostapd masked, so unmask it first.

```bash
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
sudo systemctl enable dnsmasq
sudo reboot
```

Once it comes back up, ensure that the phone connects and gets an IP address. Also attempt to ping the Pi from the phone (or vice versa) to validate that communication is possible.

##### Install and Setup Syncthing

Follow the steps to add the Syncthing apt source and install it - https://apt.syncthing.net/

Then set up the sync folder. It must be writable by the `pi` user, which both services run as.

```bash
sudo mkdir /sync
sudo chown pi:pi /sync
```

Create the systemd unit file at /etc/systemd/system/syncthing.service

```ini
[Unit]
Description=syncthing

[Service]
# systemd sets the account with User=
User=pi
ExecStart=/usr/bin/syncthing

[Install]
WantedBy=multi-user.target
```

And enable it, so it starts following a boot.

```bash
sudo systemctl enable syncthing.service
sudo systemctl start syncthing.service
```

Set up Syncthing to sync this folder with Syncthing on my phone.

##### Build OpenCV and Application

Now that the infrastructure is set up, the last thing needed is the application itself. The RPI will run hot while building and may crash unless at least passive cooling is provided.
This stage may take up to an hour.

Clone this repository (right here, the one you're reading) onto the RPI and grab all the Go packages with `go get`.

```bash
go get deadbeef.codes/steven/storage-security
cd ~/go/src/deadbeef.codes/steven/storage-security
go get

# Build and install OpenCV through the GoCV makefile
cd ~/go/src/gocv.io/x/gocv
make install

# Build the application and install the binary owned by root
cd ~/go/src/deadbeef.codes/steven/storage-security
go build .
sudo chown root:root storage-security
sudo mv storage-security /usr/local/bin
```

Create a systemd service unit file at /etc/systemd/system/storage-security.service

```ini
[Unit]
Description=storage-security

[Service]
# systemd sets the account with User=
User=pi
ExecStart=/usr/local/bin/storage-security

[Install]
WantedBy=multi-user.target
```

And enable it, so it starts following a boot.

```bash
sudo systemctl enable storage-security.service
```

You should be able to test it out to see if motion detection and capture to file are working. If the phone is connected to the RPI SSID, then the contents of the /sync folder, with the logs and captured video files, should also come over.
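
The access-point settings from the Configure Networking section can be checked before the Pi goes into the field. The script below is an added example, not part of this repository: `audit_hostapd` and `conf_get` are hypothetical helper names, and the 16-character minimum is an assumed policy rather than a hostapd requirement.

```bash
#!/usr/bin/env bash
# Added example (not from the project): audit hostapd.conf for the controls
# the networking section relies on. Prints findings; returns their count.

MIN_PASS_LEN=16   # assumed policy minimum; hostapd itself accepts 8-63 characters

# Print the value of key $2 in hostapd-style key=value file $1 (last entry wins).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

audit_hostapd() {
    local conf="$1" n=0 pass acl acl_file
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    [ "$(conf_get "$conf" wpa)" = "2" ] ||
        { echo "wpa is not 2 (WPA2 only)"; n=$((n + 1)); }
    [ "$(conf_get "$conf" rsn_pairwise)" = "CCMP" ] ||
        { echo "rsn_pairwise is not CCMP only"; n=$((n + 1)); }

    pass=$(conf_get "$conf" wpa_passphrase)
    if [ "$pass" = "PASSWORD" ]; then
        echo "wpa_passphrase is still the placeholder"; n=$((n + 1))
    elif [ "${#pass}" -lt "$MIN_PASS_LEN" ]; then
        echo "wpa_passphrase is shorter than $MIN_PASS_LEN characters"; n=$((n + 1))
    fi

    # The accept list is only enforced when macaddr_acl=1 points at a usable file.
    acl=$(conf_get "$conf" macaddr_acl)
    acl_file=$(conf_get "$conf" accept_mac_file)
    if [ "$acl" != "1" ]; then
        echo "macaddr_acl is not 1: the MAC accept list is not enforced"; n=$((n + 1))
    elif [ -z "$acl_file" ] ||
         ! grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}' "$acl_file" 2>/dev/null; then
        echo "accept_mac_file is unset or holds no MAC address"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: placeholder passphrase and no MAC ACL settings.
sample=$(mktemp)
printf '%s\n' 'interface=wlan0' 'wpa=2' 'rsn_pairwise=CCMP' \
    'wpa_passphrase=PASSWORD' > "$sample"
audit_hostapd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the Pi, run `audit_hostapd /etc/hostapd/hostapd.conf` with sudo if the file is readable only by root; a return value of 0 means none of the checks fired.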