Do you think Raspberry Pi should be a more secured device than it currently is?

Poll ended at Fri Oct 18, 2013 10:08 pm

Yes, totally: 33% (1 vote)
No, it is quite secure: 33% (1 vote)
Only when used as a 'personal device': No votes (0)
Depends on the OS installed: No votes (0)
This is an OpenElec only issue: 33% (1 vote)

Total votes: 3

ShattaAD
Posts: 1
Joined: Wed Oct 03, 2012 7:12 pm

WiFi Security Flaw on RPi

Mon Sep 23, 2013 10:08 pm

I noticed when using Openelec v3.2 that the RPi stores the user's SSID and WiFi passphrase in unencrypted plaintext in the 'settings' file located under 'addon_data>os.openelec.settings'. It is possible for someone to hijack this 'settings' file through various means and gain access to your WiFi network or "more". Why haven't the RPi or the Openelec team chosen a safer option to store this important piece of info rather than leaving it wide open for everyone to see?

I discovered this after I took my RPi to a friend's house to watch some movies and used my friend's WiFi network for a bit, where my friend entered the passphrase without anyone seeing what it was. When I got home and browsed through the settings files, I noticed my friend's SSID and passphrase were still stored in there, in XML plaintext. I was honest enough to let my friend know and told her to change it. Ended up she had to change much more than that, as her Facebook and email accounts use a similar passcode (similar enough to be guessed based on the leaked WiFi passphrase). Now, what if someone isn't honest and decides to use this maliciously?

With so many people, and more every day, using the RPi, this is a substantial security risk even though the RPi was meant to be a personal device. On top of that, this very file can be accessed without a password through other channels besides the physical one, including but not limited to WAN, LAN, Samba, WINS, SSH, HTTP, etc. I can't believe someone made it this easy to access a high-level security feature that people have spent decades developing the proper technologies and encryption methods to hide. Please someone fix this pronto!

AndrewS
Posts: 3625
Joined: Sun Apr 22, 2012 4:50 pm
Location: Cambridge, UK

Re: WiFi Security Flaw on RPi

Tue Sep 24, 2013 12:22 am

ShattaAD wrote: Ended up she had to change much more than that, as her Facebook and email accounts use a similar passcode (similar enough to be guessed based on the leaked WiFi passphrase).
*facepalm*

redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

Re: WiFi Security Flaw on RPi

Tue Sep 24, 2013 12:51 am

I don't see this being a security flaw; these kinds of files are not normally accessible unless you have compromised your security by enabling remote SSH access in your router, i.e. a port forwarding rule.
Even if encryption was used to protect the WiFi password, it's highly likely the method would be known to hackers anyway and could be decrypted using brute force, hash and rainbow tables etc.
Furthermore, having the same password for your router as well as your online services is just asking for trouble.

Richard S.
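
An added example, not part of any post in this thread and not OpenELEC code: WPA/WPA2-Personal clients only need the 256-bit PSK derived from the passphrase and SSID, and wpa_supplicant accepts that 64-hex-digit value in place of the passphrase, so a settings file does not have to keep the typed passphrase at all. The XML layout and the function names below are constructed for illustration; the real 'settings' file schema is not shown on this page.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample. Element names are assumptions, not OpenELEC's real schema.
SAMPLE_SETTINGS = """<settings>
  <wlan>
    <ssid>IEEE</ssid>
    <passphrase>password</passphrase>
  </wlan>
</settings>"""

HEX_PSK = re.compile(r"[0-9a-fA-F]{64}")


def derive_psk(ssid: str, passphrase: str) -> str:
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def is_plaintext(secret: str) -> bool:
    """64 hex digits means an already-derived PSK; anything else is a passphrase."""
    return HEX_PSK.fullmatch(secret) is None


def harden(settings_xml: str) -> str:
    """Replace each plaintext passphrase with the PSK derived for its SSID."""
    root = ET.fromstring(settings_xml)
    for wlan in root.iter("wlan"):
        node = wlan.find("passphrase")
        if node is not None and node.text and is_plaintext(node.text):
            node.text = derive_psk(wlan.findtext("ssid", ""), node.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # The derived PSK still joins this one network, so the file must stay
    # unreadable to other users; what no longer leaks is the typed passphrase.
    print(harden(SAMPLE_SETTINGS))
```

The stored PSK is salted with the SSID, so it is useless as a guess for the owner's other accounts, but it remains a credential for that network and the file still needs restrictive permissions.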

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 22715
Joined: Sat Jul 30, 2011 7:41 pm

Re: WiFi Security Flaw on RPi

Tue Sep 24, 2013 6:52 am

Sorry, I don't think this is a suitable poll. If you have a question about security, please ask a question about security. See the replies above - this doesn't appear to be a WiFi security flaw.

Closing.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
"My grief counsellor just died, luckily, he was so good, I didn't care."
