Recently I was asked for advice on securing Raspberry Pis, which somebody intended to use as the basis of a simple embedded device.
This is a frequent question, but unfortunately strong solutions don’t exist.
The fundamental issue is that there’s no way to stop a reasonably determined attacker from extracting or modifying the operating system and application, both of which are stored pretty much in the open on an SD card.
The only option you have is to make it difficult, but there’s no way to actually prevent it. Some microcontrollers can be configured to only load signed code and similar things, but unfortunately not the Raspberry Pi.
You can have physical security an un-openable (or rather, hard to open) enclosure, glue the SD card in place with epoxy resin, or similar shenanigans, but clearly that will only deter amateurs, not stop an actual determined attacker.
Hermetically closed cases may also present a problem to transfer heat away from the CPU.
If you have code that will phone home, you have another problem to consider: can your infrastructure trust the data coming from the devices in the field?
By all means take steps to discourage tampering:
But be aware that none of these measures will prevent tampering at all – they just make it more cumbersome to attack you successfully, but won’t stand up to a competent person.
Do you have a question? A project proposal? Something special in mind? Contact me, and let’s talk about how I can make your team, your products, and your life better