Raspberry Pi’s not only sound delicious, they are fantastic little computers for all your science, hobby and security needs. They are cheap, easy to use and offer a wide range of possibilities because several kinds of operating systems can be run on them and because they come with programmable GPIO pins, a multi-core CPU and multiple USB ports.
Among other similar mini-computers, F-Secure uses Raspberry Pi’s for all kinds of automation projects, as they are quick to set up and easy to use for certain red-teaming and penetration testing operations. They also serve in information-gathering setups through the many break-out boards that exist for wireless and other technologies, be it radio links, Bluetooth, I2C, Wi-Fi or other applications.
But, if you are not careful, your little hobby project might result in a security risk as an entry point into your network. Attackers might use your Raspberry Pi for their own purposes.
As fantastic as Raspberry Pi’s are, there are some drawbacks. For all the security geeks out there, Raspberry Pi’s are great as long as physical security is not a requirement. Raspberry Pi’s cannot perform secure booting such as with ARM TrustZone, and the SD card and operating system are not easily encrypted to protect against offline attacks. In addition, SD cards are cheap but not known for their reliability, being very susceptible to power fluctuations that might cause havoc to the data on them. They are also easily stolen or damaged, as they are removable media. If physical security is an issue and you cannot install the Pi in an armored or secure box of some kind, you might want to look for another mini-computer with more security features such as the USB Armory, now an F-Secure product.
But, why would anyone want to get into Raspberry Pi’s? They are so… small?
Don’t let the size of your operation fool you. There are three main reasons, the same as for any computer on the internet:
- Because the Raspberry Pi is a computer, and its computing power, although limited compared to desktop computers, can be abused for e.g. mining cryptocurrency, which benefits the attacker.
- Because the Raspberry Pi can be used as a bounce point from which to jump to or attack other hosts. This hides the tracks of a would-be attacker, whether in a directed attack on something else or as part of a Distributed Denial of Service attack.
- As an entry point towards the rest of an internal network, where defenses are usually low. People usually don’t have firewalls for the systems on their internal network. An attacker can easily try to reach the file servers of an unsuspecting victim and try to install ransomware, or try to obtain documents with which to blackmail the victim. The attacker can also manipulate the firewall and router settings to ensure persistent access for later nefarious actions, by attacking the web console of the router or by performing UPnP manipulation to open up more ports to the internet for attack.
But then, how are attackers getting into Raspberry Pi’s ?
People use Raspberry Pi’s for their science and hobby projects and hook them up to the internet. Then they forget they are actually exposing services to the internet or forget to review their firewall or router setup, the documentation fails to mention certain functionality that is running, or the end-user forgets to update the software regularly. Also, people do not change the default passwords or are not aware that the software they downloaded comes with accounts for which attackers can find the default passwords. And even then, easy-to-guess passwords can be brute-forced and attackers can get in.
So how do we prevent these situations and still enjoy all the science and hobby glory that is the Raspberry Pi?
A few security tips
Change the default passwords – if you are installing a recent version of NOOBS or Raspbian, be sure to change the default password of the “pi” user to something that is long and hard to guess. A passphrase like “iamasuckerfor5dollarmojitos” is still much better than “P@assword1!”.
$ passwd pi
Add your own user accounts – and do not use the “pi” user account that comes with your distribution. Make sure you do not log on to the machine using the “root” account directly, and learn how to use the “sudo” command.
Try not to use passwords when logging onto the system, but use keys instead. Keys are part of “something you have” and not “something you know”, which for an attacker turns into “something I can guess”. Set up your SSH service to use keys instead of passwords and ensure “something you have” doesn’t result in “something you lost”. Back up your private keys in at least two locations you trust.
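To check that the SSH service really follows the two tips above (keys instead of passwords, no direct root logins), here is an added example that is not part of the original article. The function names and both sample configurations are made up for illustration, and only the global section of the configuration is read.

```shell
#!/bin/sh
# Added example: check sshd settings against the key-only / no-root-login tips.

# effective_option CONFIG_TEXT KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively. Only the global section (before any Match block) is
# read here, and Include files are not followed.
effective_option() {
    printf '%s\n' "$1" | awk -v key="$2" -v val="$3" '
        BEGIN { key = tolower(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "match") exit
            if (tolower(f[1]) == key && !seen) { val = tolower(f[2]); seen = 1 }
        }
        END { print val }'
}

# audit_sshd CONFIG_TEXT: print one FAIL line per setting that goes against
# the tips. The defaults passed in are OpenSSH's built-in defaults.
audit_sshd() {
    [ "$(effective_option "$1" PasswordAuthentication yes)" = no ] ||
        echo "FAIL PasswordAuthentication: password logins are accepted"
    [ "$(effective_option "$1" PubkeyAuthentication yes)" = yes ] ||
        echo "FAIL PubkeyAuthentication: key logins are switched off"
    [ "$(effective_option "$1" PermitRootLogin prohibit-password)" = no ] ||
        echo "FAIL PermitRootLogin: root can log in directly"
    return 0
}

# Constructed sample: nothing changed after install.
WEAK_CFG='#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes'

# Constructed sample: keys only; the later duplicate line has no effect.
HARD_CFG='passwordauthentication no
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication yes'

echo "weak sample:";     audit_sshd "$WEAK_CFG"
echo "hardened sample:"; audit_sshd "$HARD_CFG"
```

On a real system, `sudo sshd -T` prints the configuration the daemon actually uses, and that output can be passed in as the config text.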
Make backups of your configurations. Your SD card will fail at some point and all that tuning and configuration work you did for hours and hours might have been wasted. Expect failure and back up your data or the SD card as a whole every so often so you can easily get back to a working configuration of your project. Back up the configuration to an external USB thumb drive as part of an encrypted package, file or filesystem.
Put it on its own network. Ensure the Raspberry Pi is installed on its own network and that it cannot reach other parts of the network, while ensuring its outbound connections to the internet are known and filtered for daily use. You should not be able to contact your home file server or other systems from the Raspberry Pi, and its internet connectivity should be limited. There are firewall construction tutorials to be found on the Internet that can aid you in ensuring that you are only allowing what is required for your project or application.
Avoid pre-installed ready-to-go images if you can. If you are using a pre-installed image from somewhere, ask yourself why you need it. You need full and utter trust in the creator of the image, as that person might have cut a few corners and installed vulnerable software along with it or even backdoors. This can even happen unintentionally, with the creator completely oblivious, but these things happen. That trust might be misplaced. See if you can install the image or software yourself. If you can’t or won’t, make sure your Raspberry Pi is in its own network and cannot reach any other systems on your network. If your router has a DMZ segment or a guest Wi-Fi network, then that would be an excellent choice for a Raspberry Pi, on the condition that only the services you want to be exposed are exposed to the internet.
If you absolutely need to use a pre-made image:
- Change all the passwords for all accounts including but not limited to the “pi” user and “root” user. The software that comes with the Raspberry Pi might include more services. Check with “netstat” to see what services are running, and check your firewall and router configuration to ensure you are exposing only what needs exposing
- Re-generate the SSH keys by performing the following:
# /bin/rm -v /etc/ssh/ssh_host_*
# dpkg-reconfigure openssh-server
- Consider moving the running services to non-standard ports to avoid drive-by and mass scanning of the services and to force the attacker to single you out. 99% of attackers do not and are just out to get those victims that have their stuff running on default ports
- Check back with the author of the image for updates and related security news. Subscribe to the mailing list, Twitter account or other information source related to that project
Update your packages regularly. Software has bugs, and those bugs get corrected by the authors. But those updates need to make it to your device. Following the instructions here will ensure you have the latest and greatest packages.
Turn off what you do not need. If you do not need to use certain services, then firewall them off or turn them off. Raspbian has SSH disabled by default but older versions might still have it enabled. Ensure your firewall only exposes the services you want, preferably on non-default ports.
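The “netstat” check from the pre-made image list and the tip above can be combined into one small audit. This is an added example, not part of the original article; the function names, the sample output and the list of intended ports are made up for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that other hosts can reach, from
# `netstat -tln` output, and flag the ones you did not mean to expose.

# exposed_ports: read `netstat -tln` output on stdin and print the ports of
# listeners bound to anything other than loopback (127.0.0.0/8 or ::1).
exposed_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4; port = $4
        sub(/:[0-9]+$/, "", addr)      # strip ":port" to get the bind address
        sub(/^.*:/, "", port)          # keep what follows the last colon
        if (addr !~ /^127\./ && addr != "::1") print port
    }' | sort -n -u
}

# unexpected_ports "22 8080": same input, minus the ports you intend to offer.
unexpected_ports() {
    exposed_ports | while read -r port; do
        case " $1 " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample of `netstat -tln` output (not taken from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

echo "reachable from other hosts:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
echo "not on the intended list (22 8080):"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "22 8080"
```

On the Pi itself, pipe real output in, for example `netstat -tln | unexpected_ports "22"`. A port listed here is reachable from the local network; whether it is also reachable from the internet depends on your router and firewall configuration.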
Ensure the continuity of your setup
Hardware watchdog timer: It would be a shame if your plants died while you were on vacation because your plant watering automation project stopped working when the Raspberry Pi crashed all of a sudden, or if a power cut left the operating system hung so that you could no longer log on to it from across the globe. The Raspberry Pi comes with a Broadcom hardware watchdog timer that can reboot the Raspberry Pi in case it becomes unresponsive. This list of instructions shows you how.
Heatsink: In addition, it would be a shame if your Raspberry Pi ran too hot due to really tough weather conditions or due to the fact that you are overclocking the processor. Raspberry Pi’s can go a long way without cooling but overclocking might result in unexpected behavior. Therefore, make sure you have a heatsink on the CPU to ensure that really heavy spikes do not grind the Raspberry Pi to a halt. They only cost a few dollars and are easy to install.
Bonus – for the security geeks: Run SELinux so that any vulnerable services you expose to the internet cannot be exploited easily. The following link from the Raspberry Pi forum has more information.
Find out even more about Raspberry Pi security in this article I co-authored for Make Magazine.