Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
7/10/2019
09:00 AM
50%
50%

10 Ways to Keep a Rogue RasPi From Wrecking Your Network

A Raspberry Pi attached to the network at NASA JPL became the doorway for a massive intrusion and subsequent data loss. Here's how to keep the same thing from happening to your network.
Previous
1 of 11
Next

Since 2011, engineers, students, and hobbyists have been using a small Linux server called the Raspberry Pi (or RasPi, for short). Many of these servers, roughly the size of a deck of playing cards, are in workshops and classrooms, but their capabilities have made them popular with corporate engineers and scientists looking to solve specific problems on a small budget.

But with that popularity has come the inevitability of RasPis being attached to corporate networks, with results that can be, well, problematic. For example, a report issued last month by NASA's Inspector General on security at its Jet Propulsion Laboratory (JPL) cites a serious intrusion into the network — one that began in a vulnerable RasPi attached to the network without the approval or knowledge of the IT team.

There are now a dozen different RasPi versions, including the new Raspberry Pi 4, which includes models with up to 4 gigabytes of RAM and a powerful ARM processor. Even with the new specifications, RasPis start at $5 and top out at $55 per system.

If history is any indication, more individuals will decide they can solve problems without bothering with enterprise requisitions or approvals. So how can an enterprise security team protect the corporate network from these "rogue" RasPis? 

We've collected 10 possibilities to get you started, five aimed at applying protection to the network and five aimed at making the RasPi itself less vulnerable to intrusion. Implementing any one will make your network safer. Implementing all should go a long way toward ensuring that RasPis are good, safe, citizens on your enterprise network.

(Image: goodcatfelix VIA Adobe Stock)

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ereardon
50%
50%
ereardon,
User Rank: Apprentice
7/26/2019 | 8:14:47 PM
Re: Pretty much done with darkreading
I really do enjoy the information provided here, it's good information. DarkReading does need to fund themselves and if using a slide show format to help keep themselves operational is how they succeed good for them... they keep on providing good content... I'll click through the slideshow and support them.

 
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/26/2019 | 7:48:58 PM
Re: Pretty much done with darkreading
eternjohnson,

All I can say is wow to the comment you made below, these people are writing and devoting their time to material that could be used to address significant cybersecurity problems. For someone to call this site "clickbait", that just goes beyond disrespectful. If you don't like the articles and the way they are laid out, then just remove yourself from the list, but don't disrespect people like that on a security blog, this for all people.

It is amazing, people express themselves in such a way that is belittling and disparaging on a public site and they hide behind the veil of the internet, but when you walk up to them on the street, then it is a different story.

T

 

 
peternjohnson
50%
50%
peternjohnson,
User Rank: Strategist
7/26/2019 | 2:06:57 PM
Pretty much done with darkreading
Always appears that it is going to be a good article that I can read, but I never find out because it's a slideshow. No thank you. dark reading used to be a good source of relevant information.

Maybe you should put your slideshows on facebook with the rest of the clickbait.

 
JamesS94103
100%
0%
JamesS94103,
User Rank: Apprentice
7/26/2019 | 12:50:20 PM
Likely a good article ..... BUT
I'm not interested in a revinew generating slide show.  DNR
websitejk
100%
0%
websitejk,
User Rank: Strategist
7/16/2019 | 4:12:55 PM
Re: Pi not RasPi
Concur
websitejk
100%
0%
websitejk,
User Rank: Strategist
7/16/2019 | 4:04:10 PM
Re: Pi not RasPi
Concur 💯
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/14/2019 | 7:40:28 AM
Re: Network Segmentation
To BradlyRoss,

They had Network Segmentation in place, that was not the problem (review the link and the satellite layout). Their labs, production, admin, mgmt aspect of the network was in place; the problem was that they got lax and the tools the had in place reported on its existence, no one from the security team, admin or development team identified this system as being a problem especially when you have applications that are associated with internal systems (i.e. hardware - NMS, SIEM, IPS, etc).

Remember, this device was in place for 10 months on a production network (did not matter if the network was segmented, they had time to run Wireshark or tcpdump, with all of the Ph.ds and engineering staff; they could not find this device listed as a blimp on the "network radar". You have to ask yourself, NASA has numerous layers of security, why was this ignored, it took an audit team to go through the network to find this device. That is why NSA needs a NAC (Network Access Control) device along with mac address and port filtering configured on the network.



Satellite, GSS and Network Architecture

Todd
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
7/13/2019 | 2:15:06 PM
Network Segmentation
I think that the only reasonable approach is to divide your network into multiple subnets with firewalls between them.  One should be the production subnet with strict physical controls over what can be attached and rules for configuration.  Another should be a development area where it is difficult to control what is attached or the software configuration.  Another network would be used for administration of the system, and still another would be used for normal users.  You may be able to have firewall rules enforce connections based on IP addresses and port numbers, but antivirus software can't be counted on to stop malicious software and access.
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/12/2019 | 5:48:53 PM
Raspberry PI Concerns
It's not important to use a particular firewall or defensive mechanism. It is important to think about defense and use some method (or, ideally, [the] combination of methods) to protect the RasPi and the network on which it sits from criminal exploit and intrusion.

I am not so sure I agree with the ending comment made by the presenter, secuirty controls are put in place at various layers but it is knowledgebase, human interaction and device set to limit the organizations area of penetration (attack vector). However, I do think the best way of addressing this issue would be to setup a NAC (Network Access Control) system that limits what can run on the existing network. This should have been one of the first options along with:
  • Port Management/Access
  • MAC Address Control

These two methods disable the port (Port Mgmt) and MAC address policies so as not to allow unauthorized devices on the network.

Also, they should have had an NMS (Network Management System) in place to identify the systems on the network by their MAC addresses. I think this was more about incompetence and lack of attention to detail than anything else (the human factor is what we need to be focusing on). The NASA hack went on for about 10 months.

T

 
schopj
100%
0%
schopj,
User Rank: Strategist
7/12/2019 | 4:52:22 PM
Pi not RasPi
RasPi might look good on paper, but say it out loud.  Ive never heard anyone call a Pi a RasPi.  Its just a Raspberry Pi, or a Pi.  Pi 1, Pi2, etc.  

 
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8369
PUBLISHED: 2019-10-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2019-18224
PUBLISHED: 2019-10-21
idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
CVE-2019-16985
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.
CVE-2019-16986
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
CVE-2019-16987
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.