Raspberry Pis not only sound delicious, they are fantastic little computers for all your science, hobby and security needs. They are cheap, easy to use and provide a wide range of possibilities due to the fact that several kinds of operating systems can be run on them, as well as the availability of programmable GPIO pins, a multi-core CPU and multiple USB ports.
Among other similar mini-computers, F-Secure uses Raspberry Pis for all kinds of automation projects. They are quick to set up and easy to use for certain red-teaming and penetration testing operations, and also for information-gathering setups using the many break-out boards that exist for wireless and other technologies, be it radio links, Bluetooth, I2C, Wi-Fi or other applications.
But, if you are not careful, your little hobby project might result in a security risk as an entry point into your network. Attackers might use your Raspberry Pi for their own purposes.
As fantastic as Raspberry Pis are, there are some drawbacks. For all the security geeks out there, Raspberry Pis are great as long as physical security is not a requirement. Raspberry Pis cannot perform secure booting such as ARM TrustZone, and the SD card and operating system are not easily encrypted to protect against offline attacks. In addition, SD cards are cheap but not known for their reliability, being very susceptible to power fluctuations that might cause havoc to the data on them. Not to mention that they are easily stolen or damaged, as they are removable media. If physical security is an issue and you cannot install the Pi in an armored or secure box of some kind, you might want to look for another mini-computer with more security features such as the USB Armory, now an F-Secure product.
But, why would anyone want to get into Raspberry Pis? They are so… small?
Don’t let the size of your operation fool you. There are three main reasons, like for any computer on the internet, and they are the following:
But then, how are attackers getting into Raspberry Pis?
People use Raspberry Pis for their science and hobby projects and hook them up to the internet. Then they forget they are actually exposing services to the internet or forget to review their firewall or router setup, the documentation fails to mention certain functionality that is running, or the end-user forgets to update the software regularly. Also, people do not change the default passwords or are not aware that the software they downloaded comes with accounts for which attackers can find the default passwords. And even then, easy-to-guess passwords can be brute-forced and attackers can get in.
So how do we prevent these situations and still enjoy all the science and hobby glory that is the Raspberry Pi?
A few security tips
Change the default passwords – if you are installing a recent version of NOOBS or Raspbian, be sure to change the default password of the “pi” user to something that is long and hard to guess. A passphrase like “iamasuckerfor5dollarmojitos” is still much better than “P@assword1!”.
$ passwd pi
Add your own user accounts – And do not use the “pi” user account that comes with your distribution. Make sure you do not log on to the machine using the “root” account directly, and learn how to use the “sudo” command.
Try not to use passwords when logging onto the system, but use keys instead. Keys are part of “something you have” and not “something you know”, which for an attacker is turned into “something I can guess”. Set up your SSH service to use keys instead of passwords and ensure “something you have” doesn’t result in “something you lost”. Back up your private keys in at least two locations you trust.
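The account and SSH tips above can be checked mechanically. The following is an added example, not part of the original article: a shell audit that reads a passwd file and the global section of an sshd_config (sshd uses the first value it reads for a keyword) and warns when the “pi” account can still log in, password logins are enabled, or root may log in directly. The function names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Sample files are constructed.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use from the global section: the first
# occurrence of a keyword wins, and keywords are case-insensitive.
effective_value() {
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }                   # drop leading indentation
        /^#/ || $0 == "" { next }                # skip comments and blanks
        tolower($1) == "match" { exit }          # Match blocks are not audited
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_pi PASSWD_FILE SSHD_CONFIG: prints one WARN line per finding.
audit_pi() {
    # Assumption: a "pi" entry with a real login shell means the stock
    # account is still usable for logins.
    awk -F: '$1 == "pi" && $7 !~ /(nologin|false)$/ {
        print "WARN: default account pi still has login shell " $7 }' "$1"
    # Keys instead of passwords (OpenSSH default is "yes" when unset).
    [ "$(effective_value "$2" PasswordAuthentication yes)" = "no" ] ||
        echo "WARN: PasswordAuthentication is not set to no"
    # No direct root logins (OpenSSH default is "prohibit-password").
    [ "$(effective_value "$2" PermitRootLogin prohibit-password)" = "no" ] ||
        echo "WARN: PermitRootLogin is not set to no"
    return 0
}

# Constructed sample input: a stock-looking image and a hardened one.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'pi:x:1000:1000:,,,:/home/pi:/bin/bash' > "$demo_dir/passwd.stock"
printf '%s\n' '#PasswordAuthentication no' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$demo_dir/sshd.stock"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1001:1001::/home/alice:/bin/bash' > "$demo_dir/passwd.hard"
printf '%s\n' 'passwordauthentication no' 'PermitRootLogin=no' \
    'Match User backup' '  PasswordAuthentication yes' > "$demo_dir/sshd.hard"

echo "== stock image ==";    audit_pi "$demo_dir/passwd.stock" "$demo_dir/sshd.stock"
echo "== hardened image =="; audit_pi "$demo_dir/passwd.hard" "$demo_dir/sshd.hard"
```

The function does not follow Include directives or evaluate Match blocks; on a live system, running `sshd -T` as root prints the effective configuration and is the authoritative check.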
Make backups of your configurations. Your SD card will fail at some point and all that tuning and configuration work you did for hours and hours might have been wasted. Expect failure and back up your data or the SD card as a whole every so often so you can easily get back to a working configuration of your project. Back up the configuration to an external USB thumb drive as part of an encrypted package, file or filesystem.
Put it on its own network. Ensure the Raspberry Pi is installed on its own network and that it cannot reach other parts of the network, while ensuring its outbound connections to the internet are known and filtered for daily use. You should not be able to contact your home file server or other systems from the Raspberry Pi, and its internet connectivity should be limited. There are firewall construction tutorials to be found on the Internet that can aid you in ensuring that you are only allowing what is required for your project or application.
Avoid pre-installed ready-to-go images if you can. If you are using a pre-installed image from somewhere, ask yourself why you need it. You need full and utter trust in the creator of the image, as that person might have cut a few corners and installed vulnerable software along with it or even backdoors. This can even happen unintentionally, with the creator completely oblivious to it, but these things happen. That trust might be misplaced. See if you can install the image or software yourself. If you can’t or won’t, make sure your Raspberry Pi is in its own network and cannot reach any other systems on your network. If your router has a DMZ segment or a guest Wi-Fi network, then that would be an excellent choice for a Raspberry Pi on the condition that only the services you want to be exposed are exposed to the internet.
If you absolutely need to use a pre-made image:
# /bin/rm -v /etc/ssh/ssh_host_*
# dpkg-reconfigure openssh-server
Update your packages regularly. Software has bugs, and those bugs get corrected by the authors. But those updates need to make it to your device. Following the instructions here will ensure you have the latest and greatest packages.
Turn off what you do not need. If you do not need to use certain services then firewall them off or turn them off. Raspbian has SSH disabled by default but older versions might still have it enabled. Ensure your firewall only exposes the services you want, preferably on non-default ports.
Ensure the continuity of your setup
Hardware watchdog timer: It would be a shame if your plants died while you were on vacation because your plant watering automation project stopped working due to the Raspberry Pi crashing all of a sudden, or because a power cut left you with a hung operating system that no longer lets you log on to it from across the globe. The Raspberry Pi comes with a Broadcom hardware watchdog timer that can reboot the Raspberry Pi in case it becomes unresponsive. This list of instructions shows you how.
Heatsink: In addition, it would be a shame if your Raspberry Pi ran too hot due to really tough weather conditions or due to the fact that you are overclocking the processor. Raspberry Pis can go a long way without cooling but overclocking might result in unexpected behavior. Therefore, make sure you have a heatsink on the CPU to ensure that really heavy spikes do not grind the Raspberry Pi to a halt. They only cost a few dollars and are easy to install.
Bonus – for the security geeks: Ensure you have SELinux running so that any vulnerable services you expose to the internet cannot be exploited easily. The following link from the Raspberry Pi forum has more information.
Find out even more about Raspberry Pi security in this article I co-authored for Make Magazine.
August 16, 2018