Ready, Set, Get Hacked! Security and Raspberry Shake

Warning

Do not get hacked! CHANGE YOUR SSH passwords! Your Raspberry Shake Personal Seismograph is an IoT device running a Debian operating system. This means it can be hacked, so take steps to protect it. Start by changing the ssh passwords from the defaults we ship the units with. For Linux power users, we recommend using ssh keys; they are far more secure than passwords.

An interesting read published by NPR in 2016: An Experiment Shows How Quickly The Internet Of Things Can Be Hacked

How to change your ssh password

Open the Raspberry Shake’s webpage at http://raspberryshake.local/, click on the Actions gear icon and navigate to Actions >> Change ssh password.

Username: myshake

Default ssh password: shakeme

Note

Power users will notice that we have disabled login/ssh via root.

Changed the password? Write it down!!!!! (and not on the back of your hand! That washes off ;)

Oops! I forgot my ssh password

Our lives are a tangled mess of passwords. If you forgot your ssh password, you have two options: 1) burn a new SD card image. See How to burn RPi SD card image for instructions; or 2) follow the instructions below.

  1. Power off your Raspberry Pi

  2. Remove the SD card and plug it into a Linux computer (or any OS that recognizes ext3/4 fs).

  3. Edit these files:

    /yourmountpoint/etc/shadow
    /yourmountpoint/etc/shadow-
    

The contents of these files should look like:

    uucp:*:17067:0:99999:7:::
    proxy:*:17067:0:99999:7:::
    www-data:*:17067:0:99999:7:::
    backup:*:17067:0:99999:7:::
    list:*:17067:0:99999:7:::
    irc:*:17067:0:99999:7:::
    gnats:*:17067:0:99999:7:::
    nobody:*:17067:0:99999:7:::
    systemd-timesync:*:17067:0:99999:7:::
    systemd-network:*:17067:0:99999:7:::
    systemd-resolve:*:17067:0:99999:7:::
    systemd-bus-proxy:*:17067:0:99999:7:::
    messagebus:*:17067:0:99999:7:::
    avahi:*:17067:0:99999:7:::
    ntp:*:17067:0:99999:7:::
    sshd:*:17067:0:99999:7:::
    statd:*:17067:0:99999:7:::
    dnsmasq:*:17113:0:99999:7:::
    myshake:$6$hvlGSaAC$8PhXPPbX8B4IkIqH3nIf7HZncYeSSrogAKgO6Y2euYTDDs6gZQWmGqizrNHjiEVJH9ahN1Nmes1vmuB/GZdAN.:17123:0:99999:7:::
    avahi-autoipd:*:17124:0:99999:7:::

  4. Change the password hash (the second field) of the myshake line to:

    $1$sdM0vfNB$ZQBLXqyXoLj02DQWfftyl1
    

Now the files should look like:

    uucp:*:17067:0:99999:7:::
    proxy:*:17067:0:99999:7:::
    www-data:*:17067:0:99999:7:::
    backup:*:17067:0:99999:7:::
    list:*:17067:0:99999:7:::
    irc:*:17067:0:99999:7:::
    gnats:*:17067:0:99999:7:::
    nobody:*:17067:0:99999:7:::
    systemd-timesync:*:17067:0:99999:7:::
    systemd-network:*:17067:0:99999:7:::
    systemd-resolve:*:17067:0:99999:7:::
    systemd-bus-proxy:*:17067:0:99999:7:::
    messagebus:*:17067:0:99999:7:::
    avahi:*:17067:0:99999:7:::
    ntp:*:17067:0:99999:7:::
    sshd:*:17067:0:99999:7:::
    statd:*:17067:0:99999:7:::
    dnsmasq:*:17113:0:99999:7:::
    myshake:$1$sdM0vfNB$ZQBLXqyXoLj02DQWfftyl1:17123:0:99999:7:::
    avahi-autoipd:*:17124:0:99999:7:::

  5. Unmount the SD card

  6. Return the SD card to the Raspberry Pi

  7. Power On. Now the password is: 12345678.

    Note

    Do not forget to change this password when the system boots up.
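
The file edit from the procedure above as a script, added here as an example and not part of Raspberry Shake's own tooling: `set_shadow_hash` rewrites only the hash field of one user's line, and `has_recovery_hash` flags a card that still carries the published recovery hash. The function names and the constructed demo file are assumptions; on a real card, run `set_shadow_hash` as root against `/yourmountpoint/etc/shadow` and `/yourmountpoint/etc/shadow-`.

```shell
#!/bin/sh
# Added example (not Raspberry Shake code): the shadow-file edit, scripted.
# RECOVERY_HASH is the value published on this page (password: 12345678).
RECOVERY_HASH='$1$sdM0vfNB$ZQBLXqyXoLj02DQWfftyl1'

# set_shadow_hash FILE USER HASH
# Rewrite only field 2 (the password hash) of USER's line in a shadow-format
# file. Writes back into the same file, so owner and mode are preserved.
set_shadow_hash() {
    [ -w "$1" ] || { echo "cannot write $1" >&2; return 1; }
    grep -q "^$2:" "$1" || { echo "no $2 entry in $1" >&2; return 1; }
    new=$(SH_USER=$2 SH_HASH=$3 awk -F: -v OFS=: \
        '$1 == ENVIRON["SH_USER"] { $2 = ENVIRON["SH_HASH"] } { print }' "$1") || return 1
    printf '%s\n' "$new" > "$1"
}

# has_recovery_hash FILE USER
# Succeeds if USER still carries the published recovery hash, i.e. the
# password is still the publicly known one and must be changed.
has_recovery_hash() {
    SH_USER=$2 SH_HASH=$RECOVERY_HASH awk -F: \
        '$1 == ENVIRON["SH_USER"] && $2 == ENVIRON["SH_HASH"] { hit = 1 }
         END { exit !hit }' "$1"
}

# Demo on a constructed two-line shadow file (the $6$ hash is a placeholder).
demo_dir=$(mktemp -d)
printf '%s\n' 'sshd:*:17067:0:99999:7:::' \
    'myshake:$6$CONSTRUCTED$placeholderhash:17123:0:99999:7:::' > "$demo_dir/shadow"
cp "$demo_dir/shadow" "$demo_dir/shadow-"
for f in "$demo_dir/shadow" "$demo_dir/shadow-"; do
    set_shadow_hash "$f" myshake "$RECOVERY_HASH"
done
if has_recovery_hash "$demo_dir/shadow" myshake; then
    echo "myshake is on the recovery password: change it after first login"
fi
rm -rf "$demo_dir"
```

Once the unit has booted, `has_recovery_hash /etc/shadow myshake` (run as root) should fail after you have set your own password.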

More notes about Security and the Raspberry Shake

Computer security is an important issue now that the internet has evolved to what it is today. While we all regularly hear that keeping the OS up-to-date is important in keeping systems secure, the non-standard aspect of the Raspberry Shake operating environment means there are a few things all Raspberry Shake users should be aware of:

  • Using the auto-update mechanism, the operating environment of the Raspberry Shake is fully maintained by the team here at OSOP. We strive to guarantee that systems are up-to-date and any known security issues are fully mitigated.

  • The Linux OS typically does not expose security holes with a frequency that must be actively guarded against. This is distinct from specific applications (a browser, for example), which can create their own security issues regardless of the flavor of OS they run on. But since these types of programs are not running on the Raspberry Shake boxes, this is not a problem.

  • Rather, security threats occur, by and large, through the use of public-facing programs or services where the computer is directly exposed to incoming requests from the internet. While an OS update also updates individual programs that may have holes, these types of security breaches are not possible with the Raspberry Shake since:

    1. The recommended installation configuration is to have the Raspberry Shake box on a LAN and not directly exposed to the WWW WAN.
    2. No public services are being provided to any end-user or computer beyond the LAN on which the Raspberry Shake itself resides, i.e., it is not acting in the capacity of a server to the internet at large. This means that for someone to break into the Raspberry Shake they would first need to get through the LAN’s router, and onto the LAN itself, before being able to break into the Raspberry Shake unit.
    3. We also recommend that the Raspberry Shake’s password be changed upon receiving the unit (see above). While this currently requires an operation be done “by hand”, an update is planned for the near future that will do this through the front-end configuration interface.
    4. Additional security measures to lock down the Raspberry Pi are available if you like: for example, install your own ssh keys and rules to further restrict access to only specific users and/or computers.
    5. Communications between the Raspberry Shake and the AM network data server are instigated by the Raspberry Shake unit itself and not the server. What this means is that there is no open door made available to the world at large by forwarding Raspberry Shake data off your LAN to another computer.
  • We are confident that when the above guidelines are enacted and enforced, regardless of whether the OS is regularly updated, the risk of a break-in is very near zero.

That said, we actively monitor the state of any security threats of relevance to the Raspberry Shake system and will respond accordingly when necessary.

Warning

We do not recommend updating the Raspberry Pi’s OS. The problem with updating the OS, without regard to the operating environment it supports, is that the possibility exists for the update to break some instance of infrastructure on which the executing system relies. It is possible that the Raspberry Shake unit will simply stop functioning and you won’t know why. Rather, it is preferred that the maintainer of the system fully understand the implications of any OS update on the system itself before allowing such an update to take place. Only once an OS update has been fully vetted (vs. all activities it is required to support) should it then be rolled out to individual units in the field.

fail2ban

If you plan to expose your Raspberry Shake to the Internet at large, we recommend using a tool similar to fail2ban, a program that scans log files (e.g., /var/log/apache/error_log) and bans IPs that show malicious signs such as failed login attempts.
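
The counting step behind that kind of ban decision, shown on sshd log lines as an added example (this is not fail2ban's code, and it ignores fail2ban's time window). The function names, hostname, addresses and log lines are constructed; the source address is read from the fixed tail of the line so that a username containing "from ..." cannot point the count at someone else's address.

```shell
#!/bin/sh
# Added example: count failed sshd password logins per source address.

# failed_ssh_sources MAXRETRY  (reads auth.log-style lines on stdin)
# Prints "IP COUNT" for every source with at least MAXRETRY failures.
# sshd ends these lines with "from <ip> port <n> ssh2"; the username before
# that is attacker-controlled, so the address is taken relative to the END
# of the line, never from the first "from" that appears.
failed_ssh_sources() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" { n[$(NF - 3)]++ }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' | sort
}

# Constructed sample log. The fourth line carries a username of
# "x from 192.0.2.10", an attempt to get an unrelated address counted.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:01 raspberryshake sshd[812]: Failed password for myshake from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:04 raspberryshake sshd[812]: Failed password for myshake from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:09 raspberryshake sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:16:00 raspberryshake sshd[820]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.9 port 40000 ssh2
Mar  3 10:17:30 raspberryshake sshd[830]: Accepted password for myshake from 192.168.1.20 port 50022 ssh2
Mar  3 10:18:00 raspberryshake sshd[840]: Failed password for myshake from 192.168.1.20 port 50030 ssh2
EOF
}

# With a threshold of 3, only 203.0.113.7 qualifies.
sample_auth_log | failed_ssh_sources 3
```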