How Vulnerable is your Raspberry Pi

The IoT revolution has brought with it many Internet-connected computing devices, including several Single Board Computers, such as the Raspberry Pi (RBPi), going beyond the traditional mobile devices, laptops, desktops, and servers. It is common to see on the network devices such as Internet radio, refrigerators, thermostats, DVRs, and TVs, apart from SBCs such as the RBPi.

As projects rush towards completion, Internet security is ignored, resulting in severe consequences—this is applicable to both commercial products and hobby projects. The online search for IoT security may reveal results suitable for commercial products, with a long intimidating list of requirements. However, the commercial arena has to deal with several regulatory consequences for security breaches. As the RBPi is a Linux computer system, security advices for larger systems apply to it as well.

Hobby projects on the RBPi are fine, but leaving your device open to an attacker will allow them to use it as a stepping-stone to attack someone else from your network. Moreover, there is always the possibility that you have some data on your device you would prefer to keep private. Therefore, you need some tools for your toolbox and some ways to think about circumventing the problem.

As all RBPis have the same default username and password, this is the first thing the attackers look for. Therefore, change the default password to something difficult to crack. Always keep the system updated, including all the packages installed. Use the commands “sudo apt-get update && sudo apt-get upgrade” for Debian systems, and “sudo dnf update” for Fedora systems.

The security of your Raspberry Pi depends on what it does and what is on it. So you will have to figure out what is it that makes it a target. Attacks may come from different sources, such as an individual manually attacking your device, worms that automatically enter from the network, or viruses installed by someone operating the system.

In general, DIY IoT devices usually do not have medical or financial data, but possibilities do exist. However, there may be other type of data on the RBPi. Stored passwords may be used to attack other systems. The attacker may get access to a web interface that he/she could analyze for finding out more attack methods.

Other vulnerabilities on the RBPi can be the hardware under its control, the devices that it communicates with, or the information it displays. For instance, the attacker may take over the camera connected to your RBPi, monitor the network traffic if you are using your RBPi as a network router, display wrong messages, or vandalize the display. If not anything else, the attacker may take over your RBPi and make it a part of a botnet, or use it as an anonymous relay to attack other sites.

Using encryption for networked connections works very well—the RBPi is powerful enough to handle encryption. For instance, configure web servers to use HTTPS with SSL/TLS. For remote logins, use SSH. Use software packages for the encryption. That way, you will not have to learn to be a cryptographer, but always keep the key a secret.