Network Security with the RPI

[jb63]

This may have come up in the past, but in any event, it's still a relevant 'concern'.

With many of us having one or more RPIs connected, one begs the question how secure is the RPI's OS? A related question: How can one improve security? My RPIs are connected to my wifi, and I have other computers connected to the same home network. Two of my RPIs are running OSMC, and even though they're not streaming (TV off), I still see a lot of LED activity on the USB dongles. For sure, this could be many things (need a tool to monitor traffic), but just want to make sure.

Any Thoughts?

[Saahilj]

Maybe try using wireshark?

[Heater]

Some thoughts:

Raspbian on the Pi is hopefully as secure as Linux on anything else.

Check the sha-1 hash of the OS images you download.

Have your Pi on a local LAN behind a router that only forwards a few required ports to the machines inside.

Don't have any services running on the Pi you don't need. CUPS, SAMBA, whatever.

Don't run X on any machine that does not need a display.

Don't install Java. Remove any Java installed by default.

Create a new user for yourself on the Pi and remove the Pi user.

Use strong passwords.

Use ssh for remote management. Preferably use ssh keys for authentication. Preferably put a password on he keys. Don't allow root logins over ssh.

Ensure any web server you run on the Pi responds only to HTTPS.

Take all the usual precautions in securing your web services https://www.owasp.org/index.php/Web_App ... heat_Sheet

Don't go adding weird sources to you /etc/apt/sources.list in order to install software that is not in the Raspbian repos.

Don't install anything from untrusted locations. Like drop box accounts of forum users you don't know and trust.

Do update your packages occasionally.

Do keep an eye on the news in case of security alerts that may call for a package upgrade.

Keep an eye on your logs, like /var/log/auth.log, /var/log/apache2/ ...

Security is not a technology or software or a configuration, it's an ongoing process, a vigil.

[Chips4PIs]

@jb63 if you have the budget you might look at http://www.infineon.com/cms/en/product/ ... iot-demos/

you can get a TPM Iridium board from https://rutronik-tec.com/optiga-family/
or http://www.ebv.com/products/product-det ... 5-60-65-70
or if you know about TPMs buy the chip.

But it depends what type of secure network you are trying to build.

[jb63]

Thank you for the links. Seems I have some learning ahead.

My concern stemmed from a basic thought: As the RPI platform is fairly open source AND affordable, it seems the prime candidate for hacking and malicious activities. I'm not too concerned about what would happen to the RPI itself, but the RPI can be used as a gateway to access other computers on the home network (LAN). Not sure what the foundation is doing about this though, but if the RPI is meant to be a networked device (as it is in most useful applications I've seen), then some effort needs to come from the RPI Foundation to address such basic concerns, or at least, such is my hope/expectation.

Any thoughts/feedback?

[Heater]

I'm not sure the Pi Foundation has to or can do much.

Perhaps the best thing is a big red warning banner on the down loads page "WARNING: These operating system images are totally insecure by default."

And put up a tutorial on security issues. Raise awareness of the issues.

One could argue that the OS should not run until the user has set a decent password. Or that ssh access should not be enabled by default (hmm..it's not is it, I forget). And so on.

But the where do you draw the line? How do you know when the thing is secure when you have no idea what the users are doing with it?

I must say it was interesting to put a Pi on the net and see how quickly it was found and how many log in attempts for user "pi" started to come in.

You are welcome to try and hack my Pi here: https://035cfbc42452d7eeed7d5430e00a048 ... ndevice.io

[Chips4PIs]

@ Heater,
I think you are right - videte malos operarios- applies. The Pi Foundation is not going to offer security options as it would defeat the object of offering an open platform to all.

BTW check out www.thingful.net to find your local connected RPi - or for that matter anywhere in the world.

@JB63 Too many RPi systems can be attacked as they are wide open, but ask yourself why would anyone want to get inside or crash your network?
To be clear , you may need to develop a threat profile for your network. Starting with, like any TV crime perpetrator; Motive, Opportunity and Method(s). There is huge amount on the web on detailed network security analysis. If you are protecting something of value, either build in some tested security or get a comprehensive insurance policy and get ready to hire a team of lawyers.

[stderr]

Don't go adding weird sources to you /etc/apt/sources.list in order to install software that is not in the Raspbian repos.

Since the repo software isn't updated for anything except perhaps security, you are then left to downloading source code from weird sources you don't know. Of course at least under Linux, you don't have the reality that Windows and Android have that nearly every application you download is compromised by something in some way, even if "just" spyware.

[stderr]

With many of us having one or more RPIs connected, one begs the question how secure is the RPI's OS? A related question: How can one improve security?

If you have the pi account with the default password, then anyone who figures out you have a pi and can get a log in prompt can log in. If ssh is enabled, it is by default now isn't it?, than that is anyone who is on your network.

My RPIs are connected to my wifi,

And if this is open or WEP, basically anyone within wifi range can get on your network.

I still see a lot of LED activity on the USB dongles. For sure, this could be many things (need a tool to monitor traffic), but just want to make sure.

The suggestion to get wireshark and put it between your network and the outside and log everything makes sense. Some time ago doing this with the original pi, I had some trouble with its ability to keep up throughput. But you can investigate using more current hardware and I recall I was using wifi and ethernet at the same time which added a burden and the sdcard probably wasn't that fast.

[Heater]

An open platform, as in Free and Open Source software, does not imply it cannot
be secure. In fact I would suggest it is quite the opposite.

Whether it is delivered in a secure configuration is another matter.

[ejolson]

Thank you for the links. Seems I have some learning ahead.

My concern stemmed from a basic thought: As the RPI platform is fairly open source AND affordable, it seems the prime candidate for hacking and malicious activities. I'm not too concerned about what would happen to the RPI itself, but the RPI can be used as a gateway to access other computers on the home network (LAN). Not sure what the foundation is doing about this though, but if the RPI is meant to be a networked device (as it is in most useful applications I've seen), then some effort needs to come from the RPI Foundation to address such basic concerns, or at least, such is my hope/expectation.

Any thoughts/feedback?

From your original post, you are running Open Source Media Center and not Raspbian. As the Raspberry Pi Foundation has nothing to do with OSMC, there is nothing they can do to make that software more secure.

Most of the replies here focus on Raspbian, which is a different software. For Raspbian, it would help security for the operating system to insist that the default password for the "pi" user be changed before allowing installation of the openssh-server package, but maybe this is the case already.

[seniorsTPM]

Hello all,
I am using Raspberry Pi 3 model B in my project and I want to use Trusted Platform Module with the Raspberry Pi. The TPM suggested up (by Chips4Pis) is OPTIGA™ TPM SLB 9645. However the infineon site mentioned it can be used with Raspberry Pi 2, I wanted to confirm if it works with Raspberry Pi Model 3. ?
Thank you

The link is here:
https://rutronik-tec.com/optiga-tpm-slb ... erry-pi-2/

[ktb]

Hello all,
I am using Raspberry Pi 3 model B in my project and I want to use Trusted Platform Module with the Raspberry Pi. The TPM suggested up (by Chips4Pis) is OPTIGA™ TPM SLB 9645. However the infineon site mentioned it can be used with Raspberry Pi 2, I wanted to confirm if it works with Raspberry Pi Model 3. ?
Thank you

The link is here:
https://rutronik-tec.com/optiga-tpm-slb ... erry-pi-2/

The page you linked says "compatible with Paspberry Pi 2 & 3 40-pin Header."

Now I'm not sure if a "Paspberry" Pi 3 is the same thing as a Raspberry Pi 3 B, but probably .

If you don't trust that information, your best option is probably directing your question to the website selling that product.

[321]

Some thoughts:
Security is not a technology or software or a configuration, it's an ongoing process, a vigil.

Ideal for AI to monitor.

[Heater]

321,

Ideal for AI to monitor.

Might help I guess.

How do you know when you have trained your AI well enough?

How do you know your AI has not been hacked?

How do you even know what your AI is doing?

[321]

Considering humans get hacked they are good questions to ask.