mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Raspberry Pi Security

Sat Aug 31, 2019 1:03 am

I have a few raspberry pi's at customer sites that are measuring sensor data and sending this data to a web application over https.

I have been reading a lot about commercial IoT devices claiming to be "ultra secure" and the like. I am not knowledgeable in this area, and am hoping someone can confirm my assumptions, or at least point me in the direction of what I should be implementing on my raspberry pi's.

If the raspberry pi is connected to customers wifi (assuming it is secure itself), using stock Raspbian Buster, a strong password to login to the pi, and ssh is disabled.

Obviously everything is hackable given enough resources thrown at it, but would this be considered secure?

Andyroo

Re: Raspberry Pi Security

Sat Aug 31, 2019 2:26 am

Some basic advice is https://www.raspberrypi.org/documentati ... ecurity.md

I would also look to change the user - ‘pi’ is the obvious user to try on a Pi so half the protection is gone.

Consider folk getting access physically to the Pi - a few seconds to whip the SD card out

A search for securing Linux will turn up 100s of links but you may do better employing an outside security consultant to give advice.

tpyo kingg
Posts: 840
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Raspberry Pi Security

Sat Aug 31, 2019 5:30 am

mattg31 wrote:
Sat Aug 31, 2019 1:03 am
If the raspberry pi is connected to customers wifi (assuming it is secure itself), ...
Wi-fi should always be considered compromised. However, that's not always a big deal.

Since it is rather hard to defend against all things all the time, generic checklists usually fall short. Perhaps you can describe what or whom you wish to defend against.

Remember, having physical access to the machine changes the rules. Even the OpenBSD developers generally concede defeat then.

User avatar
DougieLawson
Posts: 39837
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Raspberry Pi Security

Sat Aug 31, 2019 7:00 am

mattg31 wrote:
Sat Aug 31, 2019 1:03 am
If the raspberry pi is connected to customers wifi (assuming it is secure itself), using stock Raspbian Buster, a strong password to login to the pi, and ssh is disabled.

Obviously everything is hackable given enough resources thrown at it, but would this be considered secure?
It's no more or less secure than any other Linux system running as a client system.

The main insecurity with Raspberries is when you set then up with open ports as a server on the internet with pi/raspberry as the userid/password. It's less than four minutes for the hackers to find it and come knocking on the door.

If nothing is port forwarded through the NAT router then you've removed that risk.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Re: Raspberry Pi Security

Sat Aug 31, 2019 10:39 am

Great thanks for the replies guys!

So Changing the userid/password from the default to something more secure, adding a firewall, and ensuring any port forwarding is off will make it secure. Also physically securing SD card.

Thanks again!

User avatar
DougieLawson
Posts: 39837
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Raspberry Pi Security

Sat Aug 31, 2019 10:47 am

How do you intend to physically secure an SDCard? Bearing in mind that when it goes end-of-life you will need to replace it.

If I have physical access to your RPi then all bets are off (just like if I stole your laptop).
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

tpyo kingg
Posts: 840
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Raspberry Pi Security

Sat Aug 31, 2019 10:57 am

mattg31 wrote:
Sat Aug 31, 2019 10:39 am
... will make it secure.
It depends on the context. Again, what do you wish to defend against?

hippy
Posts: 8240
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry Pi Security

Sat Aug 31, 2019 11:32 am

tpyo kingg wrote:
Sat Aug 31, 2019 10:57 am
Again, what do you wish to defend against?
I am quite sure the answer would be 'anything and everything'; preventing any miscreant being able to affect operation of the device in any adverse way, and to prevent them using it as a stepping stone to gain access to the wider local network or anything connected to that.

It is not realistic nor reasonable to expect a non-expert user to know exactly what they need to be protecting against.

mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Re: Raspberry Pi Security

Sat Aug 31, 2019 11:37 am

At this point I am not going to physically secure the SD card. I am more concerned about compromising the customers IT infrastructure somehow, like allowing a backdoor into their network. Most of the devices I have out right now are just on the guest wifi, and not on the corporate stack, and the userid/password are changed on the pi.
There is nothing on the raspberry pi itself that is sensitive with the exception of the API token inside the python program. But even this would only allow the hacker (I think) to post fake data, or flood my server with post requests?
Like I said, I think I am more worried about compromising the network the pi is on as a result of poor setup on my part.

User avatar
DougieLawson
Posts: 39837
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Raspberry Pi Security

Sat Aug 31, 2019 11:41 am

mattg31 wrote:
Sat Aug 31, 2019 11:37 am
At this point I am not going to physically secure the SD card. I am more concerned about compromising the customers IT infrastructure somehow, like allowing a backdoor into their network.
That's only true if you're NASA with an inherently insecure network. It wasn't just that the RPi that was doing bad things it was their network security, lack of intrusion detection and lack of device monitoring that allowed it.

https://gizmodo.com/hacker-used-raspber ... 1835802380
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Re: Raspberry Pi Security

Sat Aug 31, 2019 11:49 am

Wow! See that is exactly what I don't want to happen!
Obviously we don't know the configuration of the pi that caused this breach, but I'm assuming either the individual had physical access to this pi, or the userid/password was insecure and hacked remotely?

epoch1970
Posts: 5589
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Raspberry Pi Security

Sat Aug 31, 2019 11:53 am

If you don’t physically secure the SD card, I will soon pinch it, add init=/bin/sh in cmdline.txt, boot on my Pi, rejoice with your code, install mine, and possibly change the passwords to deny you access.
Then I will put back the SD in the original Pi and roam the customer’s network.

If you don’t physically secure the SD card, request a VLAN from the customer so that if your Pi is compromised, it has access to a minimum of machines and information.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Re: Raspberry Pi Security

Sat Aug 31, 2019 12:48 pm

Ok i'm seeing the value in securing the SD card, I suppose I was trusting that the people who have access to the devices are trusted, but that can never be guaranteed.
I'm assuming the pi will outlive the SD card by several factors, so this is probably not the best plan, but using epoxy to secure the SD is probably going to be my plan. If the card dies in 2 years, I suppose I will just supply another pi.

This isn't the topic of the conversation, but is the raspberry pi compute module a better plan because it uses onboard memory vs SD card? Unfortunately it is about 4 times the cost (in Canada) once you include the i/o board.

fruitoftheloom
Posts: 24063
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Raspberry Pi Security

Sat Aug 31, 2019 12:53 pm

mattg31 wrote:
Sat Aug 31, 2019 12:48 pm
Ok i'm seeing the value in securing the SD card, I suppose I was trusting that the people who have access to the devices are trusted, but that can never be guaranteed.
I'm assuming the pi will outlive the SD card by several factors, so this is probably not the best plan, but using epoxy to secure the SD is probably going to be my plan. If the card dies in 2 years, I suppose I will just supply another pi.

This isn't the topic of the conversation, but is the raspberry pi compute module a better plan because it uses onboard memory vs SD card?

Depends on the "product" you are selling, do you have the capability to manufacture a base board & case ?

https://www.raspberrypi.org/documentati ... /README.md
Thinking outside the box is better than burying your head in the sand...

User avatar
rpdom
Posts: 17569
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspberry Pi Security

Sat Aug 31, 2019 12:57 pm

The compute module and I/O board aren't really meant to work together as a finished product. Instead the IO board is for you to test your ideas on before you design and mass produce your own carrier boards.

With the IO board, the compute module's on-board memory can be accessed via USB and changed to hack in. Obviously you'd disable that facility if you designed your own board.
Unreadable squiggle

mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Re: Raspberry Pi Security

Sat Aug 31, 2019 1:05 pm

fruitoftheloom wrote:
Sat Aug 31, 2019 12:53 pm
mattg31 wrote:
Sat Aug 31, 2019 12:48 pm
Ok i'm seeing the value in securing the SD card, I suppose I was trusting that the people who have access to the devices are trusted, but that can never be guaranteed.
I'm assuming the pi will outlive the SD card by several factors, so this is probably not the best plan, but using epoxy to secure the SD is probably going to be my plan. If the card dies in 2 years, I suppose I will just supply another pi.

This isn't the topic of the conversation, but is the raspberry pi compute module a better plan because it uses onboard memory vs SD card?

Depends on the "product" you are selling, do you have the capability to manufacture a base board & case ?

https://www.raspberrypi.org/documentati ... /README.md

For my current product I have manufactured the enclosure for the pi, and have made a simple "hat" circuit board with some relays and sensors. Is this what you mean by base board and case?
Last edited by mattg31 on Sat Aug 31, 2019 1:10 pm, edited 2 times in total.

mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Re: Raspberry Pi Security

Sat Aug 31, 2019 1:09 pm

rpdom wrote:
Sat Aug 31, 2019 12:57 pm
The compute module and I/O board aren't really meant to work together as a finished product. Instead the IO board is for you to test your ideas on before you design and mass produce your own carrier boards.

With the IO board, the compute module's on-board memory can be accessed via USB and changed to hack in. Obviously you'd disable that facility if you designed your own board.
Oh ok, I see, thanks for the input everyone!
Well for now, while volumes are low, I will epoxy the cards until I can migrate to the compute module for the next generation device.

fruitoftheloom
Posts: 24063
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Raspberry Pi Security

Sat Aug 31, 2019 1:09 pm

fruitoftheloom wrote:
Sat Aug 31, 2019 12:53 pm

Depends on the "product" you are selling, do you have the capability to manufacture a base board & case ?

https://www.raspberrypi.org/documentati ... /README.md
For my current product I have manufactured the enclosure for the pi, and have made a simple "hat" circuit board with some relays and sensors. Is this what you mean by base board and case?

The Compute Module is not a standalone product:

https://www.element14.com/community/com ... ute-module
Thinking outside the box is better than burying your head in the sand...

pica200
Posts: 219
Joined: Tue Aug 06, 2019 10:27 am

Re: Raspberry Pi Security

Sat Aug 31, 2019 1:21 pm

As advised above WiFi is not so good. If you can then connect it over ethernet. Otherwise make sure the network at least uses WPA2-PSK (AES) with strong password. WPA2 Enterprise is even better.

The compute module is not going to help you much and with custom board design you will probably pay much more than using a regular Pi or Pi Zero. As said above with physical access everything is possible.

tpyo kingg
Posts: 840
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Raspberry Pi Security

Sat Aug 31, 2019 2:57 pm

mattg31 wrote:
Sat Aug 31, 2019 12:48 pm
I'm assuming the pi will outlive the SD card by several factors, so this is probably not the best plan, but using epoxy to secure the SD is probably going to be my plan.
There are decent cases which require dealing with screws to access the microSD card.

If it may be asked, what types of service(s) do you plan to run from the Raspberry Pi and what will it be connecting to out on the net?

mattg31
Posts: 79
Joined: Fri Jan 05, 2018 9:55 pm

Re: Raspberry Pi Security

Sat Aug 31, 2019 7:25 pm

Yes, my plan is to make it tamper resistant so that it is obvious someone has attempted to/has accessed SD card.

The device is taking measurements from 4 sensors, and sending these measurements to a web API using python requests.

tpyo kingg
Posts: 840
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Raspberry Pi Security

Sun Sep 01, 2019 5:50 am

There are good cases available which leave the microSD card inaccessible from the outside. If you want to see if a case has been opened, a lazy way is to paint the screws with some fancy nail polish. However, that just means they have to buy some of the same nail polish to cover over entry. But depending on the situation, that might be a high enough barrier. Another way would be to use sealing wax and a custom seal.

bjtheone
Posts: 916
Joined: Mon May 20, 2019 11:28 pm
Location: The Frozen North (AKA Canada)

Re: Raspberry Pi Security

Sun Sep 01, 2019 2:42 pm

Fancy security stickers are a slightly more professional way to do this. Obviously will not prevent tampering but will deter/make it obvious if it has occurred.

If you want to secure the SD the only real way is epoxy it in or encase the Pi in a barrier case and epoxy the case screws. Even then you are just raising the barrier to entry. In the dark days of pay cable boxes "people" used to modify them to get free channels. The providers started potting the boards to stop the modifying. It certainly raised the bar, but people still modified the cable boxes.

Andyroo

Re: Raspberry Pi Security

Sun Sep 01, 2019 4:41 pm

Have a look at these on eBay The advantage is you can put the install or image date on with dots so at a glance you can tell what should be on it vs what is on it...

The disadvantage is that I have known folk buy the same same stickers and replace them :twisted: so I ended up with a bill from https://www.seton.co.uk/ and unique labels...

tpyo kingg
Posts: 840
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Raspberry Pi Security

Mon Sep 02, 2019 7:08 am

jcyr wrote:
Mon Sep 02, 2019 3:38 am
Any Pi on public Internet will probably have ssh enabled for remote access. In that case the 1st thing to do is disable password based login. This and lots of good tips here https://securitytrails.com/blog/mitigat ... -practices
Yes, disabling password-based authentication is the first thing to do and probably the most effective.

As to the link above, points 4 (no root login), 6 (keys with strong passphrases), and 10 (SSHGuard, Fail2ban, or DenyHosts) are quite helpful. Points 1, 2, and to a certain extent also 3 are not up to date:

1. Putting SSH on a non-standard port is a bad idea in general, or an ineffective one at best. It will do a little to quiet the logs but otherwise running SSH on weird ports won't actually hide you from any one.

2. OpenSSH stopped supporting TCPd aka TCPwrappers a long time ago. TCPwrapper support was removed in OpenSSH 6.7, back in 2014, and Raspbian Buster is already on 7.9p1, in 2019. Almost all of its reason for existence has been replaced by ipchains^Wiptables^nftables now with rate limiting. However, since most attacks are distributed, classical rate limiting using iptables^nftables has almost no benefit.

3. It is silly to limit access to the Pi only to known IP addresses if remote access is a priority, especially if mitigations 4 (no root login), 6 (keys with strong passphrases), and 10 (SSHGuard, Fail2ban, or DenyHosts) have been implemented. Point 6 is especially important.

As far as I can tell, in regards to running OpenSSH on the Raspberry Pi, the single best mitigation tactic is to use SSH key-based or SSH-certificate based logins with password authentication disabled. Most bots seem to be able to determine this and back off on first contact, regardless of which port SSH is listening on.

Return to “General discussion”