14

It's no secret that thousands of $35 Raspberry Pi (Model B) computers have just shipped to people around the world. With these, and other similar types of computers becoming cheaper and more available, what are the security implications?

So as to not leave this question too open-ended, I'll specify: I'd like to know what practical applications such mini-computers have in IT security, or what role they could play in cyber-defense, network analysis, etc.

And on the flip-side, what risks might they introduce to a local network environment that should be considered? Remember that they can hide in small places, operate without noise, and are powered by something as common as a cell phone charger.

Note that I'm not referring to portable USB utilities that need a host system on which to run or boot into, but I mean actual stand-alone hardware devices.

Matt
  • 3,192
  • 2
  • 21
  • 26
  • Make yourself a cheap air-gapped computer for generating keys. Keep in safe. – Neil McGuigan May 15 '15 at 22:11
  • Here's a [recent article that talks about Raspberry Pi in the security field](http://www.vulture.com/2015/07/mr-robot-usa-hacking-unusually-accurate.html). – Matt Jul 25 '15 at 22:59

6 Answers6

12

There was a presentation at BlackHat yesterday where they used a Arduino to open hotel rooms that are using a certain kind of lock: http://www.h-online.com/security/news/item/Arduino-used-as-master-key-for-hotel-rooms-1652281.html

As devices get smaller and more powerful, that are getting better suited to be used as pentesting drop boxes. Examples are:
MiniPwner, http://www.minipwner.com/index.php/what-is-the-minipwner or
PwnPlug, http://pwnieexpress.com/products/elite-plug
PwnPi, A pen test drop box distro for the raspberry pi, http://sourceforge.net/projects/pwnpi/

twobeers
  • 1,079
  • 5
  • 10
  • The PwnPlug is awesome. Saw Kevin Mitnick tweet about it a couple days ago. – Polynomial Jul 26 '12 at 11:59
  • These are some great resources that I'll have to look into more. Thanks for the links – Matt Jul 26 '12 at 13:55
  • There's another one that's made to look (and work) like a regular surge strip. I'll have to find it. Mitnick also tweeted about that one, I believe. – Iszi Jul 27 '12 at 12:58
  • 1
    @Iszi Saw that on Google+ the other day. I think this is what you're thinking of. http://pwnieexpress.com/products/power-pwn – Matt Jul 28 '12 at 00:17
4

Just to add on other answers too. Such devices make it relatively cheap to build a sensor network. Granted it is not a general sensor network in that it cannot sense stuff outside WiFi, Ethernet and Bluetooth, but it is a sensor network. So imagine where (and why) you want a sensor for and imagine deploying such a network in a whole building, or even cars, etc. Imagine even installing such a device inside a tower PC.

You could also have a bunch of them in a drawer and use them as emergency DHCP servers, DNS servers and stuff for small environments or in a situation where a quick and cheap hack is needed.

adamo
  • 163
  • 9
3

In my opinion the implications are new possibilities, as you've hinted towards. Presumably a person can plug a wifi usb adapter into one of after installing linux (all for around $55-$65 bucks) and start monitoring networks. How it would send a report, is not clear, it would rely on the device first being able to crack the wifi network. That doesn't sound too hard if the device is configured correctly and has enough time undetected. If it was placed in an unprotected wireless network it could potentially log everyone's passwords that uses that network to log into other sites and then either be accessed remotely or send reports to an email or server. This certainly brings the price of hacking down, but serious hackers may not worry too much about that and have already been using micro computers for things like what I just described. As far as I understand. The plus side for hackers is that if they get discovered they only lose about $60, so long as they don't leave direct traces.

tl;dr with the proper software installed these devices can be used as cheap hackerware, but require being hidden well enough to go undiscovered.

rofls
  • 335
  • 3
  • 7
3

IPFire has been released for the Raspberry Pi, which opens it as a nice IDS/IPS/firewall solution. I'll be adding some of these to my network as wireless N routers, and one as an IDS.

Diarmaid
  • 133
  • 4
1

Something of a risk: it takes roughly one second to replace the SD card on Raspberry Pi. You could easily replace someone's OS with a tampered one without them noticing, getting them to enter their password to a compromised system.

1615903
  • 127
  • 7
1

As was said on this site, if you replace the SD card in a powered-down Raspberry Pi and then start it again, nothing that has infected the old SD card can manifest anywhere in the system and influence the system you have after replacing the SD card. This means that you can use the same machine for doing banking and for trying random software from the internet – just use different SD cards and you should be safe.

If you do this on a normal PC, you have to worry about the attacker replacing your BIOS or the firmware of one of the devices in your computer, and even if you use VMs, it could be that the attacker has an exploit for breaking out into your host OS.

This is the reason I bought a Raspberry Pi – both a secure banking computer and a machine on which I can play around.

Community
  • 1
thejh
  • 290
  • 2
  • 6