Close

Does this project spark your interest?

Become a member to follow this project and don't miss any updates

Web security everywhere

Secure your Internet, control your data, fight censorship. Bring your autonomous all in one privacy device everywhere.

16.8k 18 232 143

This project was created on 07/23/2014 and last updated 13 days ago.

Description
In a world where digital privacy doesn't exist anymore, where journalists couldn't securely do their work, where companies are spyed upon by various entities, and where Human Rights are cynically disregarded, there is an urgent need for an easy-to-use tool to restore digital privacy.

This autonomous device uses the available connectivity to build a secure access-point and bypasses internet filters to connect to a remote network, use a secured internet or even browse anonymously.
Connect your laptop/smartphone to the device's secured wifi access-point, no additional setup is needed. Enjoy a secured internet anywhere, anytime.

It could connect the internet via a public wifi access-point, 3G internet via phone usb/wifi tethering, corporate cable network, or even your own router/ADSL box.

It is very easy to use with its touch control interface and its fully automatized functions.

It could run autonomously during several hours on its internal battery.
Details

This device was semifinalist of The Hackaday Prize contest ! - Link -


Basically, this device acts as a wifi / ethernet router and access point. It could connect to the internet using some random wifi, a wired network, or a tethered android phone (wifi or usb). On the secured side, it acts as a wireless access point with internet forwarding so it works with every kind of device : PC, laptop, smartphone, using Windows, GNU/Linux, Android or even Mac-OSX.

The wireless access-point is also hardened with a random key feature. The access-point security key could be modified on-demand and at boot-time with a random one.

From the touch screen interface, TOR or an OpenVPN tunnel could be enabled. This custom interface could be used for complete operation, full setup and device monitoring.

It only needs a wifi adapter and no setup on the endpoint device (computer, smartphone…) to work. The user interface is also very easy to use with on/off buttons, so it is very easy to operate by non tech people.

In sensitive situations, the complete software and operating system could be installed in a few minutes from a preconfigured and encrypted image. The SD-card could also be removed from the device or even destroyed in a few seconds, causing no harm to the device, but makes it completely empty and useless. This way, sensitive data such as SSH private keys are secure.

The device hardware is open source, and uses only free software. This way, it could be improved by the community when it needs to, and it also helps defend digital freedom and Human Rights.

It also makes a perfect device to fight planned obscolescence : the software is built to be cross-compatible with different boards, offering different features, to adapt to various situations and evolve over time.

The device could be built at home using some easily sourceable parts and laser cut enclosure in a ready-to-build kit (see below), but could also be easily customized and manufactured for specific needs.


Key features


  • Secure wireless access point, with random security key generation features
  • On-demand OpenVPN transparent tunnelling to a remote trusted network/server (here, it is a second Raspberry Pi) :

- Point to point tunneling with internet forwarding

- Very stable and fast over wireless, cellular and other non reliable networks

- Keeps connected over a roaming connection

  • On-demand Tor transparent proxy :

- Anonymous browsing,

- Access forbidden websites / services based on location

- Force or Block relay nodes based on their location, from the main interface

  • Hardware firewall with dynamically and automatically addressed rules
  • Capable of traversing NATs and firewalls
  • Ad-blocker / DNS filter feature with quick custom rules
  • Touch display control interface
  • Very low power consumption : ~5 Watts, runs on a phone charger
  • Onboard 2600 mAh battery : ~4h running time
  • External 10000 mAh battery : adds ~8h and charges onboard battery
  • Very easy to operate, install and deploy

Why is it an important device ?


  • It prevents people from learning your physical location or browsing habits,
  • It helps defend individuals against traffic analysis,
  • It helps businesses to keep their strategies confidential,
  • It helps activists to anonymously report abuses or corruption,
  • It helps journalists to protect their research and sources online,
  • It helps people to use online services blocked by their local Internet providers

Target audience


  • People who want to fight a form of network surveillance that threatens personal freedom and privacy,
  • Every kind of job/activity that require confidentiality / privacy / security,
  • Every kind of job/activity that require some secure remote access,
  • Journalists / Activists

How you can help

This device is still in a prototype stage. It is actually looking for many things :

  • some technical and security expertise
  • a lot of feedback (reason I don't have any comments is still a mystery)
  • some funding would really help, I'm looking for a solution to kickstart from France but I'm open to everything
  • Of course, you are very welcome...
Read more »

Components

Project logs
  • Clarifying... Again...

    15 days ago • 1 comment

    To the many people who are asking if I have something to do with "Anonabox" cancelled kickstarter campaign :

    NO, I have nothing to do with them. They took advantage of this project when starting their campaign a few hours before the contest judging, and used my phrasing, but that's all. The tech savvy people could even check anonabox.com registrar to see the mentionned website was registered long after my project was registered to the contest.

    Edit : Hackaday just posted an article about this here. Thanks for your support, Hackaday !

    Here is also a good analyze about the Anonabox scam.

    I'm also very interested in starting a KickStarter campaign or anything else that could make this device reach market (KickStarter is not available officially from France). I'm open to every proposition, so please drop me a line !

    I just added a small Paypal Donate button on the project homepage... Do whatever you want with it :p

  • Random Security Key

    15 days ago • 0 comments

    I just pushed a new update (5_11)

    Along minor changes, there is now the possibility to manually or automatically generate a random security key. This key is being used by the wireless access point software (hostapd).

    A new menu entry allows to use this feature and see the actual key. I have yet to add other access-point related options but it's now easy. WPA2-PSK setting being hardcoded is not necessarily a bad thing for the moment :p

    Another hardcoded variable is key lenght. It is meant to be user-definable between 40-256 bits (for scalable security vs usability), but I didn't add it to the menus yet.

    The random key generation is also possible on boot, but it's still (also) a hardcoded config variable.

    Of course, hostapd and the related interface are automatically restarted when needed to apply the new config.

  • Clarifying

    16 days ago • 0 comments

    HackadayPrize semifinals ore now over. Congratulations to the 5 finalists ! You really deserve it !

    Now, move on, there's still a lot of work with this device...

    With the hype created by the (very questionnable) "Anonabox", it is very important I clarify a few things :

    • Tor is not meant to encrypt traffic, "Anonabox" is very wrong about this. Tor is meant to hide your IP address, nothing more : each end of the Onion circuit could see your traffic. Encrypting traffic is OpenVPN job.
    • Tor is not meant to be used all the time : for an example, using it to stream videos, like said on "Anonabox", will cause harm to the Onion network. This is the reason UnJailPi is not fully automatic, and you are still able to activate/deactivate Tor and OpenVPN : you use them when you need them.
    • This device won't protect your privacy if your end-point device (tablet, computer) is compromised already. You will also have to change some of your browsing habits : disable Javascript in your browser, carefully use credentials, and some more. Quoting Kali Linux meme : "With great power, comes great responsability"
    • For the moment, UnJailPi is built on top of a cut-down Raspbian Operating System. It was the best way (IMO) to start with a clean base : Raspbian repos are used widely so there shouldn't be anything really suspiciousn and software updates still remain easy. However I'm actually looking for a more specialised operating system : Moebius, OpenWRT, PORTAL are options.
    • UnjailPi prototypes use Raspberry Pi / Banana Pi boards. Raspberry Pi is a well known board, we can be 100% sure it doesn't have any hardware backdoors. About Banana Pi, I'm sure LeMaker people will be more than happy to have some of their boards handle an audit.
    • I never said anywhere I'm a security specialist. My code is easy enough to prove there are no flaws in it, and if there are, I'd be more than happy to correct them.
    • UnJailPi is still at the HackadayPrize semifinals status : it is still in a prototype stage and final revision is not there yet. The device is looking for some funding, some feedback, and could benefit of some technical help. If you are willing to support this project, feel free to contact me...

    I'm also being asked the differences with Adafruit OnionPi. Here are some of them :

    • OnionPi is fully automatic, Tor is enabled on startup. This was a good start base, but Tor needs to run only when we need it.
    • OnionPi doesn't provide any OpenVPN features
    • OnionPi doesn't offer access-point random key generation features
    • UnJailPi has a very easy-to-use user-interface
    • UnJailPi allows to block/force Tor relays depending on their location
    • UnJailPi is really autonomous with its internal battery (2-3 hours running-time)
    • UnJailPi works with every type of outside access : cable ethernet, private/public wifi, mobile data network with android USB/wifi tethering. There are also plans to include LTE 4G dongles support.


    I'm very open to discussion about this device. If you're interested, please drop me a line...

View all 27 project logs

Build instructions

See all instructions

Discussions

ali wrote 14 days ago null point

Hey, thanks for working on this! I've got a couple comments/feature requests:

It would be really great if people can easily share their UnJailPi connection with others over WIFI - would it ever be possible for a nearby client to detect an UnJailPi and connect to it with WIFI? The benefit here is a) the connectivity (3G/Broadband) is paid for by someone completely other than eg. the journalist/activist, b) if a journalist can connect via WIFI, their location will be less visible than if they connected something (their phone or UnJailPi) via 3G.

In terms of reducing the risk for the person sharing their connection to anonymous users, it could be required for guests to connect via a Tor bridge provided by the UnJailPi - traffic leaving the UnJailPi could not be traced back as an OpenVPN connection could.

The Tor bandwidth issue could be resolved with traffic shaping on the box, so each client is limited to X Mb of usage per minute. This wouldn't allow videos, but could allow abuse prevention for 100% Tor access.

It's best not to rely on VPN these days for anything more than encrypting traffic from your immediate ISP - the VPN provider will still have the plaintext, and the traffic from the VPN provider to end service will be unencrypted. Additionally advanced actors are collecting the VPN keys, either with insiders or exploiting the VPN comanies (there are only so many VPN companies). In short, HTTPS/TLS is the only real solution there.

Perhaps allowing owners to block HTTP (port 80) connections would give some protection against mistakes there (similar to the HTTP Nowhere plugin).

It should be possible to keep most of the software quite general, potentially allowing installation on phones to use their 3G, or on OpenWRT capable routers, so I hope the development doesn't make raspi too much of a requirement...

Thanks, best of luck!

Are you sure? [yes] / [no]

Arcadia Labs wrote 12 days ago null point

Hi,
Your first idea about sharing UnjailPi connections over wifi is nice, however
I'm not sure to understand well the part about a Tor bridge. Do you mean, we
always have a Tor circuit active for anonymous users, inside a reserved wifi
"tunnel" ? How would it react if both devices enable Tor ? However it's a great
idea.

About the VPN part, I never designed the device to connect to third-parties VPN
providers. It is meant to be used with your own server (I'd like it to be a
second unjailpi), you could leave at home or at a secure place and connect to it
when necessary (fast-food wifi etc...).

Your HTTP nowhere is a brilliant idea. From start I want to force http traffic
to https (like https everywhere) but couldn't find a good solutions. Blocking
HTTP could be a first real solutions, but would need some sort of captive portal
for denied connections.

Do you have some expertise about all this ? Perhaps we could talk...

For the moment, the software could run on about every linux computer. Running on
routers could be more tricky, I don't see how it could be usable without some
display.

Thanks for your support !

Are you sure? [yes] / [no]

ali wrote 11 days ago null point

Good to hear you liked the ideas!

I should probably mention a few caveats:

Connecting to a personal VPN server would lose the anonymity properties of commercial VPNs, since then only one person would be using it (though generally VPN shouldn't be considered anonymous anyway).

Terminating the VPN at the home would still leave traffic onwards in the clear, as though browsing in the clear in your living room.

IMO surprisingly few people would set up a home VPN server themselves due to the effort.

Sharing a connection would probably be a bad idea for the current VPN and Tor modes, since a malicious user could join and purposely emit location/IP data in the traffic, which would be associated with other users' traffic and greatly reduce their anonymity.

Sharing a connection would definitely be a bad idea for VPN mode if the other end was at the person's home, as that would allow allow random people access to the home's internal network.

In general, wrapping the pipe in Tor or VPN is hazardous and requires quite a lot of discipline and technical knowledge to use correctly, because if anything on the end user device is transmitting deanonymised traffic, the rest of the traffic can have its identity compromised by being associated with it. If a user can run the Tor Browser Bundle on their computer instead they would likely be safer because that traffic would be isolated from the rest of the computer's connections.

My suggestion was that instead of wrapping the entire outbound pipe in VPN or Tor, a Tor bridge could be available with the WiFi LAN at eg. 192.168.1.2:9999 and any immediate WAN traffic blocked, so the Tor bridge must be used to reach the internet. With my current understanding I think that's secure and would keep different users' traffic separated. This is completely different from the current VPN and Tor settings, so would be a 3rd option.

Blocking outbound port 80 traffic changes the anonymity profile of it slightly so it might be reduced from "is a Tor user" to "is an UnJailPi user". Personally I don't think that's a show-stopper, but something to be aware of.


Comments to points from another post I saw:

PHP concerns seem legitimate IMO. It'd probably be safest for all admin functionality to be touch screen only and not available on the LAN.

Decades of experience working with people's communications in clear text might not make Telco companies the best communications security advisors ;)

Kaspersky labs' founder has recently been quoted arguing for "Internet Passports", whatever they are, so may not be the best advisors for anonymous technology devices.


However, it's great that you're working to do something about the clearly unsatisfactory communications security situation, especially for regular non-technical people, and I raise all these points so you can be aware of them as you go.

Are you sure? [yes] / [no]

iondream wrote 14 days ago null point

Finally, a portable attack barrier, just like in ghost in the shell. Do you think a neural jack will be included in version 2?

Are you sure? [yes] / [no]

Arcadia Labs wrote 14 days ago null point

I never thought about that ! But where would you plug the other end ?

Are you sure? [yes] / [no]

jigo santos wrote 14 days ago null point

any chance that you will start an indiegogo project for this device?

Are you sure? [yes] / [no]

Arcadia Labs wrote 14 days ago null point

If there is no way with kickstarter, yes, indiegogo or another one is an option.

Are you sure? [yes] / [no]

sandie wrote 15 days ago null point

Suspended project on KickStarer was your or not? I would be very happy to donate your work for a device reward. There is high interest / market demand as seen on KickStarter. Hope you will use it!

Are you sure? [yes] / [no]

Arcadia Labs wrote 15 days ago null point

Hi ! Of course not, Anonabox scam is not a project of mine.
I'd be happy to start a KickStarter based on this device, but I'm not from US. If you have a solution, I'm very interested !
Thanks for your support !

Are you sure? [yes] / [no]

Ivy.Y wrote a month ago null point

Its impressive!!! Small but STRONG!!!

Are you sure? [yes] / [no]

tony.zhang wrote a month ago null point

So nice to see it has been ported into Banana Pi board finally!

Are you sure? [yes] / [no]

Arcadia Labs wrote a month ago null point

You were of great help, Tony... ;)

Are you sure? [yes] / [no]

Yaggi-2013 wrote a month ago null point

Wow ! impressive ! Small and full of functions ! I'd love put it behind my dbm-boosted Yaggi !

Are you sure? [yes] / [no]

Tachyon wrote 2 months ago null point

Regarding the heat issue...try starting simple. Block off the sides and let convection do the work. This is assuming you make it to be stood up as in the first photo. Note that you'll need to leave an opening at the bottom.

Are you sure? [yes] / [no]

GuyisIT wrote 2 months ago null point

Congrats on making the cut for the HaD Prize! This is an awesome project, and I can' wait to see the code.

Are you sure? [yes] / [no]

Arcadia Labs wrote 2 months ago null point

Many thanks for your support ! I'm actually cleaning up the actual code for a first release, so it won't take long.

Are you sure? [yes] / [no]

Arcadia Labs wrote 2 months ago null point

Actually I'm exploring another board, more adapted to this use (the Banana Pi). Code is 100% compatible, but I still need to make the LCD work as expected :)
I have plans to make a really nice enclosure, but it takes time. I second you on this :)

Are you sure? [yes] / [no]

DigiGram wrote 2 months ago null point

Now I have a good reason to get a RPi!! This looks awesome. Will really look into building something like this! But with a case that will not have TSA remove my luggage at the airport :D (Being a foreign Chemical Engineer already puts you on some kind of watchlist)

Are you sure? [yes] / [no]

Similar projects