The Raspberry Pi Foundation, the organisation behind the wildly popular eponymous computing platform, is rolling out a small but impactful security policy update, eliminating default usernames to cut off a potential avenue for malicious actors to conduct brute-force cyber attacks.
A brute-force attack, simply put, is a trial-and-error method of cyber attack by which a malicious actor tries all possible username and password combinations to access a system – usually using some kind of automated tool – until they hit on the right one.
This technique remains remarkably effective because so many people still choose weak passwords that can be broken in seconds, and if they are using a known default username, it becomes even more so.
Up to now, all installations of the Raspberry Pi Operating System (OS) have carried an initial default username of “pi”, but according to the foundation’s senior principal software engineer, Simon Long, this seemingly innocuous feature presents an easy opportunity for a malicious actor to exploit.
“This isn’t that much of a weakness – just knowing a valid username doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” explained Long in a blog post.
“But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any internet-connected device from having default login credentials.”
To address the loophole, said Long, the default “pi” user will be removed and users will instead have to create a user the first time they boot a newly flashed Raspberry Pi OS image.
Long acknowledged the change might cause a few issues with documentation or programs that assume the existence of the “pi” user, but since this is in line with how most current operating systems work, the Raspberry Pi Foundation felt it was “a sensible change to make at this point”.
The change will also force Raspberry Pi owners to use the setup wizard when booting a new image. Previously, using the wizard was optional: a user could not log into the desktop until an account existed, but that was not an issue because the default “pi” user always did. Now that it does not exist, the option to skip the wizard cannot exist either.
The setup wizard will now run in a dedicated environment at first boot, but is otherwise largely unchanged. It will allow users to set the username and password as “pi” and “raspberry” if they wish, although this is highly inadvisable.
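The practical consequence of a known default username is that every guess in a brute-force run goes against the same account, which also makes such runs easy to spot in sshd logs. The following is an added example (not code from the article or from the Raspberry Pi Foundation) that counts failed SSH logins per source and username over constructed log lines and flags sources hammering the default “pi” account; the five-attempt threshold and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not real logs): repeated failures for the
# default "pi" user from one source, plus unrelated activity for contrast.
SAMPLE_AUTH_LOG = """\
Apr  7 10:00:01 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.5 port 51000 ssh2
Apr  7 10:00:02 raspberrypi sshd[1202]: Failed password for pi from 203.0.113.5 port 51001 ssh2
Apr  7 10:00:03 raspberrypi sshd[1203]: Failed password for pi from 203.0.113.5 port 51002 ssh2
Apr  7 10:00:04 raspberrypi sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2
Apr  7 10:00:05 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.5 port 51004 ssh2
Apr  7 10:00:06 raspberrypi sshd[1206]: Failed password for pi from 203.0.113.5 port 51005 ssh2
Apr  7 10:01:00 raspberrypi sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Apr  7 10:02:00 raspberrypi sshd[1211]: Failed password for pi from 198.51.100.9 port 40001 ssh2
"""

# Matches sshd "Failed password" lines, for both existing and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return {(src_ip, username): failed_login_count} from sshd log lines."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("src"), m.group("user"))] += 1
    return dict(counts)


def default_user_bruteforce_sources(log_text, threshold=5, user="pi"):
    """Source IPs with at least `threshold` failed logins for the default user.

    The threshold is an assumed tuning value, not something the article states.
    """
    counts = count_failures(log_text)
    return sorted(src for (src, u), n in counts.items() if u == user and n >= threshold)
```

The same counter works for any username, so after the change it can be pointed at whatever account was created in the setup wizard.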
At the same time as making this change, the foundation is making additional tweaks to how Bluetooth devices pair with Raspberry Pi, and for the first time making it possible to run the desktop on top of Wayland – the proposed replacement for the X Window System that underpins the majority of Unix desktops – on an experimental basis. More details of these changes, and additional setup information, are available here.
Oliver Pinson-Roxburgh, CEO of Bulletproof, described the small change as a crucial step in the right direction. He cited recent research conducted by his firm which suggested that the default credentials for Raspberry Pi OS were in fact in the top 10 most regularly used default credentials by attackers.
“With over 200,000 machines on the internet running the standard Raspberry Pi OS, it was an attractive target for malicious actors. Ending the ‘pi’ default username is a good move by Raspberry Pi, setting minimum cyber hygiene standards across its devices and closing this vulnerability that had regularly put user systems at risk,” he said.
“Unfortunately, the scope of the problem of default credentials is far broader than Raspberry Pi. The term ‘default credentials’ has become almost outdated with so many users sticking with them, creating fertile ground for bad actors to exploit.
“With hackers increasingly turning to automated attack methods – [our] data showed that 70% of total web activity is bot traffic – they can rapidly use these standard credentials as a ‘skeleton key’ to chain together multiple hacks,” he added.
In the UK, the proposed Product Security and Telecoms Infrastructure Bill – which is currently in the report stage ahead of its third reading in the House of Commons – will ultimately prevent the manufacturers and retailers of connected technology products from programming default credentials into devices, among other things.
The law will apply to any device that can access the internet, such as smartphones and smart TVs, games consoles, security cameras and connected alarms, smart toys and baby monitoring equipment, smart home hubs and voice-activated assistants (like Alexa) and connected appliances.
Also in scope will be products that, while they can connect to other devices, do not directly access the internet themselves – such as smart lightbulbs and thermostats, or wearable fitness bands.
Failure to comply with the new law will result in fines of up to £10m, or 4% of global turnover, and up to £20,000 for every day in the case of ongoing breaches.