I’ve been tinkering lately. What that usually means for me, is that a Raspberry Pi or two get pulled out of the drawer, I spend a little time figuring out what the hell I last did with it, and then I start hooking up some wires, led’s, or other randomness to make it blink.
Lately, though, my tinkering has resulted in what I expect to be a permanent addition to my home automation suite (more details later – this article isn’t about that). This means a few things: always on, network connected, and home connected. And here be dragons.
What Can That Thing Do?
Being connected to your home and a network at the same time changes the game – occasionally using your Pi to power an AirPlay speaker or a media library is vastly different than hooking it up to your garage door, door lock, or a security camera. It’s now a potential window into your habits, how you live your life, and could even be used to determine whether you’re home or not – this is all data worth protecting, and paying attention to the security implications of that inexpensive little computer is important.
While Linux is generally considered a secure platform, that security depends on a knowledgable administrator. When was the last time you checked for OS updates on your PI? Did you install the updates made available after the recent KRACK WiFi vulnerability was discovered? Hell, do you still login with the ‘pi’/’raspberry’ default password???
If you have a Pi that’s plugged in all the time acting as a server or a home automation bridge, it’s time to pay attention.
What Do I Need To Do???
Because the Raspberry Pi is a general computing device, there’s no single answer – you’ll need to make some decisions on your own. Assuming, however, that you’re running a standard Raspian distribution, the following are some things to keep in mind.
Start with Advice from the Source
The Raspberry Pi Foundation itself publishes guidelines on security. Read it – there’s good stuff here that is all relatively straight forward.
Change your Blasted Password!
This one should be dead obvious, but with Raspbian configured to load straight to the desktop without requiring a login, it’s easy to forget what’s going on behind the scenes. If someone does manage to gain access to your network, it’s dead simple to write a script that will attempt to
ssh pi@<every-ip-address-it-finds> using the default password!
Don’t use the Default Account
The default account is well known – every fresh distribution of Raspian includes it, making it an easy target, even if you do change the password. After you get rid of the default password, create a new user, and use that one from then on.
Raspberrypi.org does indicate that Raspian does depend on the ‘pi’ user to exist, but unfortunately doesn’t explain for what purpose – depending on your needs, it’s worth attempting to delete the user, but be prepared to recreate it if you find that your device is no longer operating.
Keys, Keys, Keys
If you have SSH enabled, you should be using key-based authentication to access your Pi, eliminating the password as a potential attack vector. This will eliminate any attack vector that doesn’t include an attacker gaining access to your private key, meaning that they first need to access your home computer (you haven’t posted your private key on the Internet anywhere, have you?)
The page listed above has a good overview of how to do this – if you’re new to it, however, it can get a bit technical and confusing, so repeat after me. “Before touching anything in my ~/.ssh folder, I will read up on what these files mean.” Said it? Ok, good – now I fully expect that you won’t accidentally send your private key to a server instead of your public key. That’s a no-no.
And of course, if you don’t need SSH, then turn it of – one less potential security hole to be concerned with.
What services have you added to the PI? Is there a web server running? Do you ever send a password to one of these service? Are you positive that the password isn’t sent in plain text?
This one is all up to you, but knowing what services you’ve installed that may be available to the network, and protecting them appropriately is critical. Use HTTPS for your web servers. Install a firewall if you need to. Do it!
If this Pi has been sitting in the drawer for a while, running the same instance of the OS that you installed with your last project, then it’s worth starting fresh – grab the latest version of Raspbian (the Lite version, if you can), and put it onto the SD card. This way there’s no chance for you to forget about whatever it is you left I stalled on it from last year.
Awesome Capabilities Deserve Security
There are some truly incredible projects that you can put together using the Raspberry Pi, taking your computing skills to the next level, however don’t overlook the security ramifications involved! A little knowledge and attention to detail can help save you time and frustration later!