Securing a Raspberry Pi
and other DIY IoT devices
Presented by Ian Kluft
ISC2
Silicon Valley Chapter
Santa Clara, California
February 11, 2020
What is a Raspberry Pi
● $35 credit-card sized computer
● Original Raspberry Pi 1 came out in 2012
  – Raspberry Pi 4 is current
● Made by non-profit foundation for kids to learn computers cheap
  – Estimated market size 10,000
● Embraced by Maker community to put a computer in any project
  – ~20 million made so far
Raspberry Pi encourages experimentation
Examples of actual uses
● Cheap desktop computer
● Software build status display
● Internet photo frame
● Network music player
● Streaming TV system
● FreedomBox server
● Retro arcade game
● Weather station
● Security surveillance camera
● Time-lapse photography
● Autonomous boat computer
● Drone flight computer
● Hang glider & experimental EFIS
● ISS payload controller
Think about security from the start
● Experimentation is good
● Security holes are bad
● Thinking about security shouldn’t deter fun experiments
● Keep aware of security issues
● Keep project priorities in perspective
We’ll look at prioritization after an overview of IoT security
Internet of Things (IoT) security issues
● Awful state of IoT security
● Consequences of neglect
  – Intrusion on your private network
  – Stolen/destroyed data
  – Invasion of privacy
  – Equipment malfunctions
  – Personal/company reputation damage
  – Attacks launched at others
  – etc
2018 XKCD comic https://xkcd.com/1966/
IoT security issues
● You don’t want to be part of the problem
● Two ways to think about this
  – Protect your device from the network
  – Protect the network from your device
● Many security issues in IoT devices are not unique to IoT
  – We can take advantage of security advice specific to our projects
  – Tip: OWASP (Open Web Application Security Project) cheat sheets are applicable to more than just web apps – more later
Project priorities
● Take security seriously - but avoid overload
● Overload is a security problem when anyone gives up on security
● You can filter out overload by prioritizing what matters most
● To prioritize, look at what motivates you for your project
● At work
  – Paycheck, business & technical goals, regulations, standards
● At home
  – Technical goals, learning
Project priorities: Risk Matrix
● Consider likelihood vs impact
● Likelihood
  – How probable is it?
● Impact
  – How severe is it if it happens?
● The risk matrix shows how to prioritize based on likelihood and impact of an issue
Risk matrix adapted from Pilot’s Handbook of Aeronautical Knowledge & Risk Management Handbook by US Federal Aviation Administration
Setting up a Raspberry Pi: Choose OS
● Online instructions at https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up
● Select an OS
  – Raspbian is Debian Linux for Raspberry Pi, officially-supported OS
    ● Start with Raspbian if you’re new to Raspberry Pi
  – Other Linux distributions:
    ● Ubuntu – commercial edition of Debian Linux
    ● Fedora – Open Source base used by Red Hat Enterprise Linux
    ● Alpine – security emphasis, official distribution used by Docker containers
  – TV entertainment centers (Linux): OSMC, LibreElec
  – FreeBSD
  – RISC OS
  – Windows IoT or ARM64
Setting up a Raspberry Pi: Hardware
● Write your OS to a MicroSD card
● Insert MicroSD card in RasPi
● Connect USB keyboard & mouse
● Connect HDMI video
● Connect Ethernet
  – Optional: WiFi available on RasPi 3 & 4
● Connect USB power
  – Micro USB on RasPi 1-3
    ● RasPi 3 requires 2.5 amps
  – USB-C on RasPi 4
    ● RasPi 4 requires 3 amps
● Boot up!
Hardware diagram by Raspberry Pi Foundation
Modify RasPi settings
● Securing your system
  – Change passwords from default
  – Use encryption (SSH, TLS)
    ● Deny SSH root logins
  – Use existing software when you can
    ● don’t reinvent the wheel
    ● Install software updates
  – Close unused socket ports
    ● “netstat -nlp” or “ss -lntu”
    ● Shut down unneeded servers/ports
    ● Use iptables/nftables/ufw firewalls
    ● This minimizes opportunities to attack
  – Set SELinux to “enforcing”
● Securing your network
  – Use encryption
    ● RasPi is powerful enough to use encryption
  – Secure the client and server
    ● RasPi can be on either end
  – Don’t use protocols that send passwords “in the clear”
  – Assume anyone could be packet-sniffing the network
● A compromised RasPi can
● And you just installed a RasPi
Where to get a Raspberry Pi
● Local stores, if you can’t wait...
  – Central Computers
    ● Santa Clara
    ● Sunnyvale
    ● Newark
    ● San Mateo
    ● San Francisco
  – No longer at Fry’s
● Many “starter kit” packages include everything you need (cables, microSD, etc)
● Online retailers
  – Lowest prices (e.g. $35 for bare RasPi Model B board) are only from the manufacturer
    ● Newark Electronics
  – Also popular among Makers
    ● SparkFun Electronics (Boulder)
    ● AdaFruit (NYC) – slow UPS shipping to CA
  – Beware of markups by Amazon retailers!
Attack surface analysis
● The “attack surface” is all the places attacks can potentially come from
● OWASP attack surface cheat sheet
  https://owasp.org/www-project-cheat-sheets/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
● List of all parts exposed to potential attack
● Attack surface is not necessarily vulnerabilities
  – It is the list of places to look for them
What kind of target have you created?
● What data is on your device?
  – Passwords
  – Web interface
● What hardware does it control?
  – Cameras
  – Home automation
  – Appliances
  – Unlock doors
● What does it communicate with?
  – Routers
  – Risk for man-in-the-middle attack?
● What does it display?
  – Vulnerable to vandalism?
● The network itself is valuable
  – DDoS, botnets
Tip: lock down SSH logins
● Create a non-root user (substitute name and user id)
    useradd --comment="First Last" --create-home flast
    passwd flast
● Create a group for SSH logins
    groupadd sshlogin
    usermod -aG sshlogin,wheel flast   # -a keeps existing groups; Raspbian/Debian use the sudo group where Fedora uses wheel
● Modify /etc/ssh/sshd_config
    PermitRootLogin no
    PubkeyAuthentication yes
    PasswordAuthentication no
    AllowGroups sshlogin
● Restart sshd
    systemctl restart sshd.service
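An added example (not from the slides) that applies the four sshd_config directives above to a file and verifies them before the restart; it assumes the file path is passed as an argument so it can be tried on a copy first, and uses the sshlogin group name from the slide.

```shell
#!/bin/sh
# Apply and verify the sshd_config directives from the slide. Added example
# for this deck, not from the original slides. Assumes a file path argument
# so it can be tried on a copy before touching /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Replaces an existing "Key ..." or commented "#Key ..." line (sshd keys are
# case-insensitive), or appends the directive if the file has none.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key)) {
            if (!done) { print key " " value; done = 1 }
            next                        # drop duplicate/commented copies
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE: the four directives from the slide
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" PubkeyAuthentication yes &&
    set_sshd_option "$1" PasswordAuthentication no &&
    set_sshd_option "$1" AllowGroups sshlogin
}

# effective_value FILE KEY: first uncommented setting wins, as in sshd
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE: succeeds only if all four directives are in effect
check_sshd_config() {
    [ "$(effective_value "$1" PermitRootLogin)" = no ] &&
    [ "$(effective_value "$1" PubkeyAuthentication)" = yes ] &&
    [ "$(effective_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective_value "$1" AllowGroups)" = sshlogin ]
}

# Demo on a constructed copy, so nothing on the live system changes. On the
# Pi: harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
demo=$(mktemp)
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$demo"
harden_sshd_config "$demo" && check_sshd_config "$demo" && cat "$demo"
rm -f "$demo"
```

Put the new user's public key in ~/.ssh/authorized_keys and confirm a key login works from a second session before disabling password authentication, otherwise the restart locks you out. If sshd_config contains Match blocks, appended directives land inside the last one and apply only there, so move them above the first Match line.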
Tip: shut down unused services
● Find all listening network ports, either of the following:
    netstat -nlp
    ss -lntu
● For each unneeded server
  – Stop the program (e.g. with systemctl on a systemd-based distribution)
  – Uninstall the software
● Repeat until port list shows only wanted software listening
● Unneeded listener processes unnecessarily add to attack surface
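An added example (not from the slides) that turns the port review above into a repeatable check: it parses ss -lntu output and prints every listener that is not on an allowlist, so the "repeat until only wanted software is listening" step becomes a one-line audit. The ss output below is a constructed sample so the script runs offline; on the Pi, pipe real ss -lntu output into unexpected_listeners.

```shell
#!/bin/sh
# Report listening sockets that are not on an allowlist, from "ss -lntu"
# output. Added example for this deck, not from the original slides.

# Constructed sample of "ss -lntu" output: SSH and a web server are wanted,
# the VNC listener on 5900 and the DHCP client socket are the ones to review.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5900      0.0.0.0:*
tcp   LISTEN 0      511    [::]:80           [::]:*'

# unexpected_listeners PROTO/PORT ... < ss-output
# Prints one "proto/port" line for each listener missing from the allowlist.
# Field 5 is "Local Address:Port"; the port is everything after the last ":",
# which also handles IPv6 forms such as "[::]:80".
unexpected_listeners() {
    allow=" $* "
    awk 'NR > 1 { n = split($5, a, ":"); print $1 "/" a[n] }' |
    sort -u |
    while read -r entry; do
        case "$allow" in
            *" $entry "*) ;;                 # on the allowlist
            *) printf '%s\n' "$entry" ;;     # needs review
        esac
    done
}

# count_unexpected PROTO/PORT ... < ss-output: number of unexpected listeners
count_unexpected() {
    unexpected_listeners "$@" | wc -l | tr -d ' '
}

# Run against the constructed sample. On a Pi, replace the printf with
# "ss -lntu |" and list only the ports your project actually needs.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners tcp/22 tcp/80
```

Add -p to ss (ss -lntup, as root) when you need the owning process name to decide which unit to stop with systemctl.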
What else adds to the attack surface?
● Physical interfaces
  – Keyboard, mouse, etc
● Rogue USB devices
  – Who has access to the ports?
● Theft of RasPi or SD card
  – For convention booth or science fair display, put the RasPi in a locked enclosure
● Social engineering
  – Who should have access?
  – How do you know someone is who they say they are?
  – How would an attacker try to fake a valid user?
  – Do trusted users know how to verify other users?
  – Make sure all trusted users know not to discuss the security configuration
IoT security tips
● Consider security from the start
  – Even if there isn’t a design
● Code reviews help
  – Ask a friend
  – Offer to help friends
● RasPi is powerful enough to do encryption – use it
● Use existing software when available
  – Apply package updates
● If network isn’t needed, disconnect it after initial package update
● Turn on SELinux (security enhanced Linux) kernel feature
OWASP security resources
● OWASP (Open Web Application Security Project) has useful advice for more than just web apps
● OWASP IoT Top Ten
  – Next slide
● OWASP Cheat Sheets https://cheatsheetseries.owasp.org/
  – Use like security checklists
  – Access Control
  – Cryptographic Storage
  – Database Security
  – Error Handling
  – Input Validation
  – Key Management
  – Password Storage
  – REST Security
  – Transport Layer Protection
OWASP IoT Top Ten, 2018 edition
Security alerts: what to watch for
● Software updates
  – Subscribe to RSS feeds when software developers provide them
● US CERT
● NIST NVD: National Vulnerability Database
● MITRE CVE: Common Vulnerabilities & Exposures
Questions?
From Commit Strip comic https://www.commitstrip.com/en/2016/02/24/the-internet-of-things-has-gone-too-far/
Follow me
@KO6YQ on Twitter for technical topics like this
@ikluft on Twitter for aerospace & science topics
Ikluft on LinkedIn
