I love the Internet of Things, so much so that I have built a career around writing about the so-called IoT for various websites, and for that I am thankful. Unfortunately, the IoT is not all fun and games as a lot of us would like to believe. As with everything that is connected to the internet, there are countless individuals in the world who dedicate their lives to finding a way to exploit the security flaws. Granted, not all of these individuals are nefarious in nature, and are just looking to find flaws so that they can be fixed, but their are a great number of individuals who are looking to utilize those internet connected things for malicious things.

A big example of how vulnerable IoT devices are was brought to light with the major DDoS attack that took place a few weeks back on the 21st of October 2016. The Dyn DNS service was the direct target of the DDoS attack, with the goal of making some of the biggest websites on the internet invisible to people world wide. I won’t go into much detail on the attack because that is not what this article is about, but the website WeLiveSecurity.com has a excellent article on the attack, how it worked, and what allowed it to happen. I will mention though, that the attack was the result of hackers being able to easily access tens of thousands, if not hundreds of thousands of IoT devices such as IP Cameras, consumer network routers, and potentially even hobbyist devices like Raspberry Pi, Beagle Bone, and Intel Edison IoT development boards that retained their stock login credentials.

“The attackers employed thousands of such devices that had been infected with malicious code to form a botnet. The software used to crawl the internet to find unsecured devices is freely available. Even though some of these devices are not powerful computers, they can generate massive amounts of bogus traffic to swamp targeted servers, especially if you abuse a large numbers of them at once.” ~ Stephen Cobb, WeLiveSecurity.com

Today the Raspberry Pi foundation released a blog post that clued us in on what they are doing to alleviate the threat of your Raspberry Pi becoming victim to a hacker, and the next node in a botnet. The blog post says that Raspbian, the official Raspberry Pi OS, has one major flaw, and that is that it has SSH enabled out of the box. For those of us who like to run our Raspberry Pi boards headless, this is a very helpful thing because we can set up our Pi boards without the use of a display for the first boot. Unfortunately, this also opens up the Raspberry Pi to intrusion from outsiders who may have access to your home network. Since the default username and password for root access to Raspbian is the same for every install, those who are able to access the Pi on the network are just an SSH connection away from full control of the device.

“With the Pi, we’ve always tried to keep it as open as possible. We provide a default user account with a default password, and this account can use sudo to control or modify anything without a password; this makes life much easier for beginners. We also have an open SSH port by default, so that people who are using a Pi remotely can just install the latest Raspbian image, plug it in, and control their Pi with no configuration required; again, this makes life easier.

Unfortunately, hackers are increasingly exploiting loopholes such as these in other products to enable them to invisibly take control of devices. In general, this has not been a problem for Pis. If a Pi is on a private network in your home, it’s unlikely that an attacker can reach it; if you’re putting a Pi on a public network, we’ve hoped that you know enough about the issues involved to change the default password or turn off SSH.

 

But the threat of hacking has now got to the point where we can see that we need to change our approach. Much as we hate to impose restrictions on users, we would also hate for our relatively relaxed approach to security to cause far worse problems. With this release, therefore, we’ve made a couple of small changes to improve security, which should be enough to make it extremely hard to hijack a Pi, while not making life too difficult for users.”

 

To alleviate this security flaw, the Raspberry Pi Foundation has made the decision to not enable SSH by default on all Raspbian releases moving forward. In fact, the current version of Raspbian with PIXEL has SSH disabled by default already. So what does this mean for those of us who run our Raspberry Pi boards headless 90% of the time? Not much other than the fact that we have to take a couple of extra steps when we load Raspbian onto our SD cards before the first boot. This fix from the foundation is mostly designed to protect those who use their Pi in conjunction with a Display, and never SSH into their Pi from a remote machine.

Once the latest Raspbian image has been installed onto an SD card, you will have to open the SD card, access the /boot/ directory, and simply drop in a blank text file titled “SSH” and when the Raspberry Pi boots for the first time, it will see this file, and enable SSH, then automatically delete the file. I know what you are thinking, “But doesn’t that put us in the same situation as before?” and the answer is a resounding YES! Basically, if your Raspberry Pi has SSH enabled, and you are running the default root login credentials, you are still as venerable as before. So you MUST change the default password for the Root user to something unique and secure. You can do this by entering Raspi-Config, and changing it there. The command below will open raspi-config.