WoTT - An attempt to automate Raspberry Pi security

[vpetersson]

Hi guys,

Viktor here, the creator of Screenly. Recently, I’ve been busy hacking on a new project called Web of Trusted Things (WoTT). The concept behind WoTT is to simplify credential management (think API keys and password etc), certificate management (every device gets an x509 certificate as an identity) as well as to do an ongoing security audit of your fleet of devices.

I’d like to invite my fellow Raspberry Pi friends as early testers of our beta.

Here’s what we have right now:

• An open source agent that is installed on the Raspberry Pi
• A dashboard to manage and gain visibility of all your Raspberry Pis
• Some documentation and use cases (https://github.com/WoTTsecurity/agent#use-cases)
• Screenly OSE integration as a reference implementation (https://github.com/WoTTsecurity/agent/t ... s/screenly)

We have a number of use cases on Github and we are actively posting new ones. We would love to get your feedback and for you to tell us what problems we can solve for you.

Here are some things we have on the roadmap for the next few weeks:

• Docker and Balena (former Resin) integration
• Ubuntu Core (former Snappy) integration
• Integrations and tutorials for the most popular IoT platforms
• TPM integration for additional security hardening

I'd invite you all to test it. You can find quick installation instructions here:
https://github.com/WoTTsecurity/agent#installation

If you have any questions, please post them in this thread and we will try to answer as quickly as possible and if you encounter any bugs, please file them on Github (https://github.com/WoTTsecurity/agent).

[bigfoot_rights]

Hi,

Really big fan of Screenly. The headaches it has eliminated from using other digital signage solutions (even expensive paid ones) won't be missed.

I've used WoTT a little and it was straightforward and simple. The question I have is about the specifics of the Active Devices section of the dashboard. How often does it ping a device and is that/will it be configurable? I noticed it still reported my Pi as active for a while after I had turned it off. It could be that I'm just used to PRTG Network Monitor that I currently use to ping all of my Pis to see if they're up and it reported as inactive right after I stopped looking.

Thanks a million, Screenly is great.

[vpetersson]

Really big fan of Screenly. The headaches it has eliminated from using other digital signage solutions (even expensive paid ones) won't be missed.

Thank you for the kind words!

I've used WoTT a little and it was straightforward and simple. The question I have is about the specifics of the Active Devices section of the dashboard.

If I'm not mistaken, "Active Devices" is defined as devices who have pinged our backend in the last 24 hours (but need to double check the specific cut-off we use as I didn't write this code). Since we don't have any permanent connection (such as MQTT or WebSocket) to our backend, we get a bit less granularity. Moreover, since we anticipate that a lot of devices being on 3G/4G/5G or flakey WiFi, we expect devices to periodically drop off and return a few hours later (much like we have seen with Screenly).

How often does it ping a device and is that/will it be configurable?

Good question! Right now we ping every hour, but we are working on breaking that down to more based on the task. For instance, we might not need to check for default credentials more than say once every 24 hours, but other things (such as suspicious network traffic), we will need to do more frequently (perhaps every 5 or 15 minutes) in order to determine a baseline and to perform abnormality detection.

I noticed it still reported my Pi as active for a while after I had turned it off. It could be that I'm just used to PRTG Network Monitor that I currently use to ping all of my Pis to see if they're up and it reported as inactive right after I stopped looking.

No, this is expected as per the above. We've designed the system for large fleets, and at scale, you'd expect devices to periodically drop off, so we don't want to perhaps raise an alert early on.

Thanks a million, Screenly is great.

Thanks again for your kind words!

Let me know if you have any other feedback or questions!

P.S. Screenly is not going anywhere. We have a fairly large capable team working on moving it forward too and the user base is growing every day D.S.

[otobey]

Hello!

I'm started WOTT install, but I can't install.
Error message is
"Err:3 https://packagecloud.io/wott/agent/raspbian buster Release
404 Not Found [IP: 54.193.63.214 443]
E: The repository 'https://packagecloud.io/wott/agent/raspbian buster Release' does not have a Release file."

Should I change its 'Suite' value from 'testing' to 'stable' ? or back to Raspberry Stretch?

[vpetersson]

Hello!

I'm started WOTT install, but I can't install.
Error message is
"Err:3 https://packagecloud.io/wott/agent/raspbian buster Release
404 Not Found [IP: 54.193.63.214 443]
E: The repository 'https://packagecloud.io/wott/agent/raspbian buster Release' does not have a Release file."

Should I change its 'Suite' value from 'testing' to 'stable' ? or back to Raspberry Stretch?

The release of Buster somewhat came as a surprise to us (as it pre-dated even the upstream Debian release). Adding support for Buster is however on the agenda and you can track the ticket here https://github.com/WoTTsecurity/agent/issues/185.

We hope to knock this out soon.

[vpetersson]

I'm happy to announce that we now have support for the Raspberry Pi 4. Installation instructions remain the same.