As a tech news follower, you may recall the major distributed denial-of-service attack last October that involved hijacking millions of insecure Internet of Things (IoT) devices to create a powerful botnet that took down several top websites. This was not the first botnet attack, and it absolutely will not be the last. As attacks become more rampant, some companies such as the Raspberry Pi Foundation are taking the initiative to help protect your IoT device by default and prevent the next Botnet Zombie Apocalypse.
Secure Raspbian OS
Following the last major DDoS attack, Raspberry Pi made the choice to better secure Raspbian Pixel OS with a few important updates. For most, these changes that were announced last November will go unnoticed. However, for those who are perhaps attempting to SSH like I was, you will discover some slight modifications. No worries, though! These are not major user burdens and will likely go a long way in protecting the Pi.
So what has changed? SSH will now be disabled by default on images. This Secure SHell networking protocol allows users to log into a Linux computer and remotely control it from a command line. It is most often used with the Pi to install headless, meaning without a monitor or keyboard, and control it from another PC. Previously, SSH was enabled by default, and those wanting to switch it off needed the Pi to be connected to a screen and keyboard.
Enable SSH on Raspberry Pi
Now that SSH is off by default, how can you enable SSH before an image is booted? Raspberry Pi has provided a simple method for this! To enable SSH in a new install, put a file called ssh in the /boot/ directory. It doesn’t matter what, if anything, is in the file – just as long as you have the ssh name. When you boot up the Pi, it will look for this file, enable SSH if found, and then delete the file. Of course you can still turn SSH on or off via traditional means, this is just a nifty method added for headless convenience.
Anything else? To encourage changing the default password when enabling SSH, warnings have been added. Whether you boot the Pi to the desktop or command line, if SSH is enabled and the default password has not been changed, you will get a warning pop-up message telling you to set a new password.
Image 1: Warning message when attempting to enable SSH on a Raspberry Pi without changing the default user account name and password.
Raspberry Pi Default Credentials: Ways to Improve Security
Why is keeping the default credentials a risk? Typically if a Pi is on your private home network, it is unlikely an attacker can reach it. The greater concern arises if you plan on putting your Pi on a public network. There are two main things a hacker needs to access and log into an open SSH port: the user account name and password. An out-of-the-box Raspbian install defaults to user name ‘pi’ and password ‘raspberry’. It is very highly (can’t emphasize this enough) recommended that you change the default login if you plan to enable SSH. Hence, the newly added warning messages from your Pi!
It is the goal of the Raspberry Pi Foundation to keep their Pi as open and as user-friendly as possible. But with the increased exploitation of product loopholes enabling hackers to gain control of IoT devices, it is commendable to see Raspberry Pi proactively working to protect the Pi world from botnets. Hopefully this move will encourage others in the IoT space to take similar strides toward securing their devices.
For full details on the security update and the features included in the latest Raspbian Pixel OS, check out the official Raspberry Pi website.