by Erik T. Heidt | September 3, 2013 | Comments Off on Raspberry PI & Securing the DIY Internet of Things
(Note, if you know what a PI is and just want to jumpstart the security posture of your device, skip to How do I secure this thing?)
What is a Raspberry PI and who are these Makers?
You have probably heard a number of organizations discussing the “internet of things” or “industrial internet”, an emerging situation where almost every device is accessible via the internet. Most people picture this being driven by large enterprises adding features that leverage the power of the internet’s instant communications capability into consumer goods (like cars and refrigerators) and industrial products (like power meters and buildings). But there is also a powerful community of “Makers” who are creating their own Do It Yourself (DIY) Internet of Things.
In the 70’s and early 80’s the term Maker didn’t exist. The folks you saw purchasing soldering irons and electronics components where Nerds back then (or Hackers in the pre-cyber crime meaning of the word). They read BYTE magazine for Steve Ciarcia’s “Circuit Cellar” column and opened Scientific American directly to the “Amateur Scientist” column.
The appearance, hair styles and labels for these folks have changed a bit, but not their passions. And the good news for the tinkerers, amateur scientists, innovators and home-brew engineers of 2013 is that advances in technology and manufacturing are providing access to low-cost, inexpensive and powerful platforms.
Enter the Raspberry PI “Version B”. My first computer had 48K of RAM, 4 MHz (after modification) CPU, 360K floppy disk, and a cost of – well, expensive. A $35 Raspberry PI-B has 512 MBytes of RAM, 700 MHz ARM CPU (similar to iPhone 3 or Pentium II), USB, on-board Ethernet, and uses an SD card (GBytes) for storage. Sufficient computer capabilities that it really can be used as a proper computer and many folks are making DIY set-up top media centers, game consoles and laptops with them.
The really interesting feature of the PI is that it is setup to communicate with the outside world. It’s General Purpose Input/Output (GPIO) pins enable it to be interfaced with all manner of sensors, motors, displays or anything electronic you can think of. BTW, if you can’t imagine the fun all this can provide, YouTube is packed with videos of Makers showing off their Raspberry PI projects. Want to build an internet connected clock, thermostat, robot, weather station, email alarm, or … You get the idea, the PI is for you.
Last week, all of this culminated in the Raspberry PI winning a 2013 INDEX Award.
So, when mine arrived, you can image with this world of interesting stuff my first concerns was:
How do I secure this thing?
Most Raspberry PIs run a version of the Linux operating system. This is good news all around, as Linux is great fun to tinker with itself, brings loads of powerful software to the platform, and can be configured to be very secure.
Note: The recommendations here will be sufficient for many Makers and enthusiasts who want to build things with the Raspberry PI and are targeted at that community. If you are trying to develop a commercial product or have aspirations for the PI beyond “enthusiast” use, then additional security measures should be examined. The good news is that there are lots of resources on securing Linux for all manner of deployments, so leverage them!
If your solution is not properly secured, it will not be reliable. Few things will be as frustrating as having to re-image a device that has been pwned.
Once connected to the internet, the Raspberry PI is going to be subject to all manner of random attacks. As a result, we should take a few moments to apply common sense controls against the biggest threats. Generally attackers gain access through:
- Unchanged default passwords
- Known vulnerabilities in the OS or software that have not been patched
- Not controlling what services are available from the internet or public networks
These are the dominant security issues for hosts from your PI project all the way up to the largest breaches you have read about affecting banks and government agencies. So let’s dig in…
Step 1: Change default account passwords.
The default distribution comes with an account called “pi” and a password of “raspberry”. This needs to be changed. To do this, first login using the “pi” account then enter the command “passwd”. You may be prompted to enter the current password, and then will enter your new password twice. “password updated successfully” equals success!
$ passwd Changing password for pi. (current) UNIX password: Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
Additional commands and concepts you many want to research include sudo, adduser and passwd. Try using the command “man” command to learn how to use Linux’s built in documentation (i.e. man man, man sudo, man passwd, and so on).
Step 2: Update it and keep it up to date.
The operating system and many of the application on the PI can be managed through the Advanced package tool (APT):
$ sudo apt-get update
This command updates the information in APT’s libraries about available software and versions. In order to actually install the updates use:
$ sudo apt-get upgrade
The update command should always be run before using the of ‘apt’ family of commands. Note, the upgrade process may ask you a few questions – I have always accepted the defaults when prompted and have not had any problems on the PI or other platforms.
The important thing is to keep the host up to date regularly. I have found it is best to automate the update. I would suggest that you set up the “unattended-upgrades” package and do a weekly or daily update. Setting up the package requires editing the configuration file, and as I am trying to keep these recommendations accessible to folks who are new to Linux as well as the PI, I am going to skip them here.
Note: It is also a good idea to update the firmware on the PI itself from time to time. Firmware updates do not warrant automation, but should probably be performed as a component of any major platform changes you install, or when trying to debug problems. Here is the command:
$ sudo rpi-update
Step 3: Block suspicious SSH connections.
Odds are you are going to want to use SSH in order to login to and play with your PI, especially if you want to access your PI from the internet. There are two things that are important to a solid SSH implementation: (1) ensuring SSH is configured properly and (2) using a password-guess countermeasure.
The security minded can find a number of great resources on configuring SSH, but SSH comes pretty well configured in the Raspberry PI’s standard Linux distribution – which is great news.
Strong passwords are great, but they work most effectively when they are paired with anti-guessing countermeasures. My favorite on Linux is fail2ban, which works by temporarily blocking the IP address of any host from which several bad login or password attempts are made in a short period of time. The default is three bad password attempts, which results in a 10 minute block on the IP address. This is a powerful tool, capable of providing anti-guessing support for a number of common Linux services and applications. Trivial to install:
$ sudo apt-get install fail2ban
If you are going to be using SSH a lot, then you may want to consider setting up certificate based (vs. password) login. A quick search of “ssh certificate login” will provide a number of resources with instructions for setting up this kind of access.
Step 4: Controlling publicly available services.
Most home networks are behind a NAT based router and, as a result, if you want to a service to be available from the internet you have to deliberately configure the router and the host. The host generally has to be set up with a static IP address, and the router has to know what ports/services to forward to that host. Most consumer routers can do this, but no two have the same configuration instructions – so you will have to research your router. From a security perspective, the good news is that you will likely have to take some deliberate action in order to put a service or application (like SSH or Apache the HTTP server) on the internet from your PI. As a result, you should have a pretty good idea about what services you are publishing on the internet and can quickly research the proper steps for security them.
If you are going to run your PI using a routers “DMZ mode” where all inbound internet will be forwarded to the PI or will be using the PI on an untrusted network (such as at a public event), then you may want to consider restricting the network accessible services with a firewall. The good news is that Linux comes with a great firewall the bad news is that the Linux firewall isn’t the simplest to manage. This is often the tradeoff between power or capability and ease of use. That said, there are a number of utilities that seek to simplify the Linux firewall. There are also some good intrusion detection or prevention tools that are not too complex. If you are interesting in taking the security of your PI to this next level, a few tools I recommend looking at are iptables, ufw (an IP tables management tool), psad, and fwsnort.
Ongoing innovation by individuals continues to be an exciting source of invention and new ideas. The emergence of the Raspberry PI and other platforms that provide innovators with cost-effective and powerful platforms is very exciting. I hope that this content is helpful to folks who want to experiment with the PI while avoiding common security pitfalls.
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.Read Free Gartner Research
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.