Do not get hacked! CHANGE YOUR SSH passwords!
Your Raspberry Shake Personal Seismograph is an IoT device running a Debian operating system. This means it can be hacked, so take steps to protect it. You can start by changing the SSH passwords from the defaults we ship the units with. For Linux power users, we recommend using SSH keys; they are way more secure than passwords.
An interesting read published by NPR in 2016: An Experiment Shows How Quickly The Internet Of Things Can Be Hacked
To change the password on your unit:
$ ssh firstname.lastname@example.org
$ passwd
Note that we have disabled login/ssh via root.
You’ll need to download and install a program called PuTTY, which allows you to access your Raspberry Shake over an Internet connection. To download PuTTY for Windows, visit www.putty.org and follow the links for Windows users.
You’ll be given the option of downloading either a 32-bit or a 64-bit version of the installation software. If you already know which kind of computer you have, download away! Otherwise, we’ll make a quick check of your computer.
Right-click on the Windows logo in the bottom-left corner of your screen. Then, choose “System” from the menu that pops up.
The menu that pops up will tell you whether you have a 32-bit system or a 64-bit system.
Download and install the version of PuTTY that matches your system type.
Start PuTTY by double-clicking its desktop icon. You’ll be prompted to enter your Raspberry Shake’s IP address. Type in your Raspberry Shake’s IP address, and make sure the port is set to 22. Your “Connection type” should be SSH.
Your computer might display a well-intentioned warning alerting you that this kind of thing is highly irregular, and asking whether or not you wish to proceed. You do! Choose the option that lets you continue the connection process.
Congratulations! You’ve now made a connection to your Raspberry Shake using the “secure shell” (SSH). You’re now speaking directly with your Raspberry Shake, and it’ll ask you to log in.
Enter the default login information for your new Raspberry Shake. The default login information is:
User: myshake
Password: shakeme
(Note: The text of your password won’t be visible as you type; it’s an added security measure.)
The very next step that you should take is to change your password to something more secure. To do this, type the command:
$ passwd myshake
You’ll then be prompted to enter your new password (twice). Type in a secure password, and write it down in a secure place. Securely.
Computer security is an important issue now that the internet has evolved to what it is today. While we all regularly hear that keeping the OS up-to-date is important in keeping systems secure, the non-standard aspect of the Raspberry Shake operating environment means there are a few things all Raspberry Shake users should be aware of:
Using the auto-update mechanism, the operating environment of the Raspberry Shake is fully maintained by the team here at OSOP. We strive to guarantee that systems are up-to-date and any known security issues are fully mitigated.
The Linux OS typically does not expose itself to security holes with any frequency that must be actively guarded against. This is different from specific applications (like a browser, for example) that can create their own security issues regardless of the flavor of OS they run on. But since these types of programs are not running on the Raspberry Shake boxes, this is not a problem.
Rather, security threats occur, by and large, through the use of public-facing programs or services where the computer is directly exposed to incoming requests from the internet. While an OS update also updates individual programs that may have holes, these types of security breaches are not possible with the Raspberry Shake since:
- The recommended installation configuration is to have the Raspberry Shake box on a LAN and not directly exposed to the WWW WAN.
- No public services are being provided to any end-user or computer beyond the LAN on which the Raspberry Shake itself resides, i.e., it is not acting in the capacity of a server to the internet at large. This means that for someone to break into the Raspberry Shake they would first need to get through the LAN’s router, and onto the LAN itself, before being able to break into the Raspberry Shake unit.
- We also recommend that the Raspberry Shake’s password be changed upon receiving the unit (see above). While this currently requires an operation be done “by hand”, an update is planned for the near future that will do this through the front-end configuration interface.
- Additional security measures to lock down the Raspberry Pi are available if you like: for example, install your own SSH keys and rules to further restrict access to only specific users and/or computers.
- Communications between the Raspberry Shake and the AM network data server are instigated by the Raspberry Shake unit itself and not the server. What this means is that there is no open door made available to the world at large by forwarding Raspberry Shake data off your LAN to another computer.
We are confident that when the above guidelines are enacted and enforced, regardless of whether the OS is regularly updated or not, the risk of a break-in is very near zero.
That said, we actively monitor the state of any security threats of relevance to the Raspberry Shake system and will respond accordingly when necessary.
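One way to confirm that the SSH restrictions recommended in the list above are really in force, as an added example (not Raspberry Shake's own code): the function reads an sshd_config the way sshd does and reports password logins, root login and a missing AllowUsers rule. The two sample files and the 192.168.1.* LAN range are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Raspberry Shake code. sshd keeps the FIRST value it reads
# for a keyword and matches keywords case-insensitively, so the audit does too.
# Lines after the first "Match" are conditional and are not evaluated here;
# the "Keyword=value" spelling is not handled.
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}
audit_sshd_config() {   # prints one finding per line, returns 1 if any
    cfg=$1; bad=0
    pw=$(effective_value "$cfg" PasswordAuthentication)
    root=$(effective_value "$cfg" PermitRootLogin)
    allow=$(effective_value "$cfg" AllowUsers)
    case ${pw:-yes} in        # unset falls back to the OpenSSH default, yes
        [Nn][Oo]) ;;
        *) echo "WEAK: password logins are allowed"; bad=1 ;;
    esac
    case ${root:-unset} in    # the page says root login over SSH is disabled
        [Nn][Oo]) ;;
        *) echo "WEAK: PermitRootLogin is ${root:-unset}, expected no"; bad=1 ;;
    esac
    [ -n "$allow" ] || { echo "NOTE: no AllowUsers rule restricts who may log in"; bad=1; }
    return "$bad"
}
write_samples() {   # constructed configs, not copied from a real unit
    cat > "$1/appended.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
AllowUsers myshake
# "no" was appended later, but the earlier "yes" still wins
passwordauthentication no
EOF
    cat > "$1/hardened.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowUsers myshake@192.168.1.*
EOF
}
dir=$(mktemp -d) && write_samples "$dir"
for f in "$dir"/*.conf; do echo "== ${f##*/}"; audit_sshd_config "$f" || true; done
rm -rf "$dir"
```

On a unit, point `audit_sshd_config` at `/etc/ssh/sshd_config`; `sshd -T` also prints the effective settings, defaults included.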
We do not recommend updating the Raspberry Pi’s OS. The problem with updating the OS, without regard to the operating environment it supports, is that the possibility exists for the update to break some instance of infrastructure on which the executing system relies. It is possible that the Raspberry Shake unit will simply stop functioning and you won’t know why. Rather, it is preferred that the maintainer of the system fully understand the implications of any OS update on the system itself before allowing such an update to take place. Only once an OS update has been fully vetted (vs. all activities it is required to support) should it then be rolled out to individual units in the field.
If you plan to expose your Raspberry Shake to the Internet at large, we recommend using a tool similar to fail2ban.
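What a tool of this kind watches for, as an added and simplified example (not code from Raspberry Shake or the fail2ban project): it counts failed SSH password logins per source address inside a sliding time window and reports addresses that reach a threshold. The log lines, host name, addresses and the threshold of 3 failures in 600 seconds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not fail2ban code: flag source addresses with MAXRETRY or
# more failed SSH password logins inside a sliding FINDTIME-second window.
# Assumes syslog-style lines from a single day (time of day is field 3).
find_offenders() {   # usage: find_offenders MAXRETRY FINDTIME < auth.log
    awk -v max="$1" -v win="$2" '
        / sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            # The user name is chosen by the client and may itself contain
            # "from", so the address is taken after the LAST "from".
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n = ++cnt[ip]; seen[ip, n] = now
            # forget failures that have aged out of the window
            while (now - seen[ip, first[ip] + 1] > win) first[ip]++
            if (n - first[ip] >= max && !(ip in hit)) { hit[ip] = 1; print ip }
        }'
}
sample_log() {   # constructed log lines; public addresses are documentation ranges
    cat <<'EOF'
Jan 10 03:12:01 raspberryshake sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 10 03:12:03 raspberryshake sshd[814]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jan 10 03:12:05 raspberryshake sshd[816]: Failed password for invalid user from from 203.0.113.7 port 40003 ssh2
Jan 10 03:14:00 raspberryshake sshd[820]: Failed password for myshake from 192.168.1.50 port 50110 ssh2
Jan 10 03:14:20 raspberryshake sshd[820]: Accepted password for myshake from 192.168.1.50 port 50110 ssh2
Jan 10 03:30:00 raspberryshake sshd[831]: Failed password for myshake from 198.51.100.20 port 41000 ssh2
Jan 10 04:30:00 raspberryshake sshd[845]: Failed password for myshake from 198.51.100.20 port 41001 ssh2
Jan 10 05:30:00 raspberryshake sshd[859]: Failed password for myshake from 198.51.100.20 port 41002 ssh2
EOF
}
sample_log | find_offenders 3 600
```

The single mistyped password from the LAN host and the three failures spaced an hour apart stay under the threshold; only the burst from one address is reported.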