10 Ways to Keep a Rogue RasPi From Wrecking Your Network
A Raspberry Pi attached to the network at NASA JPL became the doorway for a massive intrusion and subsequent data loss. Here's how to keep the same thing from happening to your network.
July 10, 2019
Since 2011, engineers, students, and hobbyists have been using a small Linux server called the Raspberry Pi (or RasPi, for short). Many of these servers, roughly the size of a deck of playing cards, are in workshops and classrooms, but their capabilities have made them popular with corporate engineers and scientists looking to solve specific problems on a small budget.
But with that popularity has come the inevitability of RasPis being attached to corporate networks, with results that can be, well, problematic. For example, a report issued last month by NASA's Inspector General on security at its Jet Propulsion Laboratory (JPL) cites a serious intrusion into the network — one that began in a vulnerable RasPi attached to the network without the approval or knowledge of the IT team.
There are now a dozen different RasPi versions, including the new Raspberry Pi 4, which includes models with up to 4 gigabytes of RAM and a powerful ARM processor. Even with the new specifications, RasPis start at $5 and top out at $55 per system.
If history is any indication, more individuals will decide they can solve problems without bothering with enterprise requisitions or approvals. So how can an enterprise security team protect the corporate network from these "rogue" RasPis?
We've collected 10 possibilities to get you started, five aimed at applying protection to the network and five aimed at making the RasPi itself less vulnerable to intrusion. Implementing any one will make your network safer. Implementing all should go a long way toward ensuring that RasPis are good, safe citizens on your enterprise network.
(Image: goodcatfelix VIA Adobe Stock)
One of the most frightening phrases that can come from a CISO's mouth is, "I never thought of that." The phrase is especially scary when it involves a small, powerful device attached to the network.
NIST has responded to Internet of Things (IoT) security concerns with the first in a series of papers, and its central recommendation is the foundation of IoT security: plan for IoT devices attaching to your network.
The plan should include topics such as defining the circumstances in which a RasPi can legitimately connect to the network, the tasks it could be used for, and the configuration required for the devices. The plan also should take into consideration differences between the RasPi and standard desktop computers, and the vulnerabilities that can exist in the various distributions of Linux available for the RasPi.
In the NASA JPL incident, an attacker exploited vulnerabilities in an unauthorized RasPi and then used that beachhead to infiltrate the rest of the organization's network. Proper network segmentation could have limited the damage to a small part of the network.
There are reasons for proper network segmentation that go far beyond a RasPi. In every case, though, segmentation limits the potential damage from a network intrusion by keeping the intruder walled off into a small logical area.
Thorough network segmentation is related to "zero-trust networking," in which authentication is required when a user or process transits through the network and its applications. While it's becoming more common in enterprise networking, it becomes more important when a network will have a powerful (and potentially misconfigured) IoT device like a RasPi attached.
A great deal of attention has been (quite properly) paid to security for Wi-Fi networks. Unfortunately, some enterprise network groups have taken this as an opportunity to ignore physical security on the cabled network, making the network accessible to anyone (or anything) that can plug into a physical network port.
Closing physical port access is a straightforward process on every managed switch, and control of the process is available from virtually every network management framework. Yes, managing open and closed ports requires effort, but there are compelling reasons for controlling the wired network with the same rigor applied to Wi-Fi.
One of the significant reasons for closing network ports until needed is that it minimizes the opportunity for unauthorized devices (like RasPis) to be attached without the security team's knowledge. In addition, controlling ports means that the type of device connecting to the network will be known as part of the authorization process, giving the security team the opportunity to properly monitor and protect both IoT devices and standard workstations.
One of the great dangers of many IoT devices is that the user or management credentials are both hard-coded and easy to guess. The RasPi allows for the same account name and password changes possible on any Linux system, but that doesn't matter if the device's owner never changes away from the default user name and password that allow for the first login.
Policies on the RasPi's use in the enterprise should insist on changed user names and strong passwords as among the very first actions taken when the RasPi joins the network. While it's possible to implement multifactor authentication on the RasPi, the fact is that a changed user name and strong password will make the RasPi a much more difficult target for criminals.
Something else that the policy should make plain: The default user name and password should be changed, not simply ignored. Adding user names and passwords won't really help very much if the original, default user credentials are still in place and waiting for any attacker.
Raspbian Linux is a very flexible operating system that supports many different types of applications. As such, it comes complete with many different functions, services, and utilities that might not be used by a particular application within the enterprise. To cut down on the possibility of the RasPi being used as a criminal gateway or weapon, unnecessary services, apps, and utilities should be disabled or removed.
Stripping the RasPi to the minimum required configuration has a number of advantages. It reduces the attack surface on the RasPi, reduces the system's complexity, and reduces the number of system components that must be managed, monitored, patched, and updated.
As with so many of these points, if a RasPi is being used in an engineering, scientific, or product development role, then there may be legitimate reasons for leaving it "heavy" with services. Even so, the policy should be for minimum configuration so that the owner has to think about the way the system is built, justify the full complement of services, and give notice to the security team that the full system is on the network.
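One way to make the "minimum configuration" policy checkable is to compare what the RasPi is actually listening on against the ports the owner has justified. The script below is an added example, not from the article; it parses `ss -Hlntup` output (a constructed sample is embedded so it runs anywhere) and reports every listener that is not on the allowlist.

```shell
#!/bin/sh
# Added example: audit a RasPi's listening sockets against an allowlist of
# "proto/port" entries the owner has justified to the security team.
# Input is the output of `ss -Hlntup` (no header, one socket per line).

# Constructed sample of `ss -Hlntup` output; services and pids are made up.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:5353   0.0.0.0:*  users:(("avahi-daemon",pid=402,fd=12))
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0 5   0.0.0.0:631    0.0.0.0:*  users:(("cupsd",pid=720,fd=7))
tcp   LISTEN 0 128 0.0.0.0:8080   0.0.0.0:*  users:(("python3",pid=900,fd=4))'

# Print "proto/port process" for every listener not in the allowlist.
# $1 = ss output, $2 = space-separated allowlist such as "tcp/22 tcp/8080".
find_unexpected_listeners() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        proto=${line%% *}
        # Fifth column is Local Address:Port; the port follows the last colon.
        local_addr=$(printf '%s\n' "$line" | awk '{print $5}')
        port=${local_addr##*:}
        # Process name sits inside users:(("name",pid=...)); may be absent.
        name=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        case " $2 " in
            *" $proto/$port "*) ;;   # justified in the allowlist, skip it
            *) printf '%s/%s %s\n' "$proto" "$port" "${name:-unknown}" ;;
        esac
    done
}

# Live use on the device: sh audit.sh --live "tcp/22 tcp/8080"
# Without --live the constructed sample is audited instead.
if [ "${1:-}" = "--live" ]; then
    find_unexpected_listeners "$(ss -Hlntup)" "${2:-tcp/22}"
else
    find_unexpected_listeners "$SAMPLE_SS" "tcp/22 tcp/8080"
fi
```

Anything the script prints is either a service to remove or disable, or one the owner must justify to the security team.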
It's obvious that the enterprise network should have a full complement of enterprise firewalls, but if an attacker is knocking on the RasPi's door, then the person has already made it through that set of obstacles. That's why it can be important to have a firewall running on the RasPi as a last line of defense against intrusion.
There are several options for owners who would put port, protocol, and address restrictions on network traffic in and out of the Raspberry Pi. Uncomplicated Firewall (ufw) is one of the simplest to set up, though iptables is another frequently used option.
It's not important to use a particular firewall or defensive mechanism. It is important to think about defense and use some method (or, ideally, combination of methods) to protect the RasPi and the network on which it sits from criminal exploit and intrusion.
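As an added example (not from the article), here is what a least-privilege ufw ruleset for a single-purpose RasPi can look like: deny everything inbound by default, open SSH only to a management subnet, and open the application port only to the subnet that consumes it. The subnets and the port are assumed values; the script refuses to build a plan that would open a port to the whole network, and applies nothing unless explicitly asked.

```shell
#!/bin/sh
# Added example: build and optionally apply a ufw ruleset for a RasPi.
# Subnets (MGMT_NET, APP_NET) and APP_PORT are assumed placeholders.

# Coarse sanity check: refuse "any", /0, or single-digit masks, which would
# expose the port to the whole network rather than one segment.
restricted_source() {
    case "$1" in
        any|0.0.0.0/0|*/[0-9]) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the ufw commands, one per line, for review or application.
# $1 = management subnet (SSH), $2 = application subnet, $3 = app TCP port.
ufw_plan() {
    restricted_source "$1" || { echo "refusing: SSH source '$1' too broad" >&2; return 1; }
    restricted_source "$2" || { echo "refusing: app source '$2' too broad" >&2; return 1; }
    printf 'ufw --force reset\n'
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    printf 'ufw allow from %s to any port 22 proto tcp\n' "$1"
    printf 'ufw allow from %s to any port %s proto tcp\n' "$2" "$3"
    printf 'ufw logging on\n'
    printf 'ufw --force enable\n'
}

# Number of holes the plan opens; a single-purpose device should need two.
count_allow_rules() {
    ufw_plan "$1" "$2" "$3" | grep -c '^ufw allow '
}

MGMT_NET=${MGMT_NET:-10.10.0.0/24}   # assumed management subnet
APP_NET=${APP_NET:-10.20.0.0/24}     # assumed consumer subnet
APP_PORT=${APP_PORT:-8080}           # assumed application port

# Print the plan by default; run it with UFW_APPLY=1 on the device itself.
if [ "${UFW_APPLY:-0}" = "1" ]; then
    ufw_plan "$MGMT_NET" "$APP_NET" "$APP_PORT" | while IFS= read -r cmd; do
        sudo $cmd   # word splitting is intended: each line is one command
    done
else
    ufw_plan "$MGMT_NET" "$APP_NET" "$APP_PORT"
fi
```

After applying, `ufw status verbose` should show only the two allow rules plus the default deny policy; anything else is a rule the owner should be able to explain.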