By default, when setting up a Raspberry PI, Bluetooth and WiFi are enabled. This is not always what you want, especially when you don’t need either of them. So, time to disable them, because having them enabled and probably unsecured is a potential attack vector into your network.
Change Boot Configuration
First, we need to edit the boot configuration file /boot/config.txt
and add the following lines (edit if they are already there):
# Disable Bluetooth
dtoverlay=disable-bt
# Disable WiFi
dtoverlay=disable-wifi
This will disable the Bluetooth and WiFi interfaces on start-up.
Unfortunately, it is not that easy. Would be nice, wouldn’t it?
The services are still running, the kernel modules are still loaded. Both are completely unnecessary at this point, so let’s take care of that.
Disable the Services
To disable the services run the following commands:
sudo systemctl disable wpa_supplicant.service
sudo systemctl disable hciuart.service
sudo systemctl disable bluealsa.service
sudo systemctl disable bluetooth.service
Blacklist the Kernel Modules
Now that the services are deactivated, it’s time to blacklist the kernel modules. To do so, open /etc/modprobe.d/raspi-blacklist.conf
in an editor of your choice and add:
# Disable Bluetooth
blacklist btbcm
blacklist bnep
blacklist bluetooth
# Disable WiFi
blacklist 8192cu
As you might have guessed by the file name, this will blacklist the modules and prevent them from being loaded during the system start.
Disable WiFi Check
Now, with the next login you might see a message like this:
rfkill: cannot open /dev/rfkill: Permission denied
rfkill: cannot read /dev/rfkill: Bad file descriptor
This is generally nothing to be worried about, as it is just the WiFi check telling you it can’t check the status of the WiFi interface. What a surprise!
There are 2 ways to go about it. Ignore it, which you can happily do, but if you’re like me and get annoyed by it, you might want to disable the WiFi check.
To do so, open /etc/profile.d/wifi-check.sh
in an editor of your choice and add exit 0
right after the first opening bracket. The file should then look like this:
(
exit 0
export TEXTDOMAIN=wifi-check
. gettext.sh
if [ ! -x /usr/sbin/rfkill ] || [ ! -c /dev/rfkill ]; then
exit 0
fi
if ! /usr/sbin/rfkill list wifi | grep -q "Soft blocked: yes" ; then
exit 0
fi
echo
/usr/bin/gettext -s "Wi-Fi is currently blocked by rfkill."
/usr/bin/gettext -s "Use raspi-config to set the country before use."
echo
)
If for whatever reason, you don’t feel like editing yet another file, you can just throw this command in your console, and it will do exactly that:
sudo sed -i '2i\ \ \ \ \ \ \ \ exit 0' /etc/profile.d/wifi-check.sh
Now, log out and back in and the warning message should be gone. Just don’t forget to reverse this change if you ever need to activate WiFi again.
(Optional) Remove Unused Software
Now that we have disabled Bluetooth and WiFi, we can also remove the software for it. This step is entirely optional, but if you like a clean system, go ahead.
sudo apt purge bluez bluez-firmware wpasupplicant
sudo apt-get autoremove
Reboot
To apply all these changes, the Raspberry PI needs to be rebooted.
sudo reboot