In that triumphant moment of getting your connected project up and running, it’s easy to forget how vulnerable IoT projects can be without basic security precautions. You might wonder why someone would bother taking control of your house lights, but an unprotected entry point into your network can provide a treasure trove of information for attackers. Protect yourself and your projects with these easy-to-implement tips.
For Raspberry Pi/Linux Boards
1. Change the default user password
All Raspbian OS installs use the same password for the default pi user. Attackers will try common and default passwords to access a system before they move on to more sophisticated attacks. Stop them by using the passwd command to change yours to a new unique and strong value.
See the Raspberry Pi user documentation for details on the passwd command that changes a user’s password. Also check out advice on creating a strong password that will be very difficult for an attacker to guess or ‘brute-force’ attack.
2. Disable password login with SSH
Even a good password can still be guessed by a determined attacker, who can then access the machine remotely over SSH. Prevent this by logging in to your board with SSH keys instead of a password. Keys grant access only from computers that hold the matching private key, and they rely on cryptography that is extremely difficult to guess or break. Even better, once you set up key-based login you don’t have to remember passwords!
See the Using Key-Based Authentication section of the Raspberry Pi security documentation for more details on how to configure SSH for key-based login.
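An added check for this tip (example code, not from the original article or the Raspberry Pi documentation): it reads an sshd_config the way sshd does and reports whether password logins are actually off, which is worth running before you restart the SSH service and close your session. It assumes the usual `Keyword value` layout of sshd_config; the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config for the "disable password login" tip.
# Assumes the OpenSSH `Keyword value` layout (not `Keyword=value`).

# sshd uses the FIRST uncommented occurrence of a keyword. Directives after a
# `Match` block are conditional, so parsing stops there and a note is printed.
# Usage: sshd_effective FILE KEYWORD DEFAULT
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Returns 0 when password and keyboard-interactive (PAM password prompt)
# logins are off and key logins are on; otherwise lists what is still open
# and returns 1. Older OpenSSH spells KbdInteractiveAuthentication as
# ChallengeResponseAuthentication, so the older name is the fallback default.
check_ssh_hardening() {
    f="$1"; rc=0
    pw=$(sshd_effective "$f" PasswordAuthentication yes)
    kb=$(sshd_effective "$f" KbdInteractiveAuthentication \
         "$(sshd_effective "$f" ChallengeResponseAuthentication yes)")
    pk=$(sshd_effective "$f" PubkeyAuthentication yes)
    [ "$pw" = no ]  || { echo "PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$kb" = no ]  || { echo "KbdInteractiveAuthentication=$kb (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication=$pk (want yes)"; rc=1; }
    grep -qi '^[[:space:]]*Match' "$f" && echo "note: Match block present, review its overrides by hand"
    return $rc
}

# Constructed sample configs: the stock-style file leaves every line commented,
# so the compiled-in defaults (password login ON) apply; the hardened one sets
# the three keywords explicitly.
stock=$(mktemp); hardened=$(mktemp)
printf '#PasswordAuthentication yes\n#PubkeyAuthentication yes\n' > "$stock"
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n' > "$hardened"

echo "stock config:";    check_ssh_hardening "$stock"    && echo "  OK: key-only login"
echo "hardened config:"; check_ssh_hardening "$hardened" && echo "  OK: key-only login"
rm -f "$stock" "$hardened"
```

Point it at the real file with `check_ssh_hardening /etc/ssh/sshd_config`; a clean result still needs a working key login tested from a second terminal before the old session is closed.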
3. Keep the OS up to date
No software is perfect; inevitably, vulnerabilities or bugs will be found that could allow an attacker to access your board. Diligently use the apt-get upgrade command to keep your board’s operating system up to date with the latest security patches and fixes.
See the Raspberry Pi updating and upgrading documentation for details on how to get the latest software with the apt-get upgrade command.
4. Set up a firewall
Your IoT gadget likely doesn’t use all the services that the Pi operating system can provide, such as a web server, an email server, and more. Use a firewall to close off access to unused services. This helps prevent an attacker from reaching your board through vulnerabilities and bugs in those services. The best approach is to block access to all services by default, and then only open the ones your project actually uses, such as web access.
See the Install a Firewall section of the Raspberry Pi security documentation for details on how to use the ufw tool to enable a firewall on your board.
5. Review Linux security best practices
You can follow much of the same advice for securing a general Linux machine. There are great resources available like DigitalOcean’s “Introduction to Securing Your Linux VPS” and “7 Security Measures to Protect a Linux Server.” These guides explain tools like fail2ban and tripwire that go further to detect intrusions and deter attackers. The Linux security world is constantly evolving so it never hurts to periodically consult these guides for the latest tools and best practices.
For All Devices
1. Change default passwords
It bears repeating — it’s the number one vulnerability for internet-connected devices. This applies to your router, IP cameras, network printers, etc. If you can look up the password online, so can everyone else! You do not want hackers getting control of any device that’s on your internal network.
2. Keep firmware and software up to date
Stay protected from known security vulnerabilities.
3. Disable services and protocols you don’t need
If your device isn’t using SSH, RDP, FTP, or similar services, disable them. Every way you can connect to a device is a potential security vulnerability.
4. Only expose to the internet what you need to expose
Your router’s firewall is the first line of defense and in most cases will block access to devices on your internal network unless you specifically configured it otherwise. To give yourself access to something on your internal network, you may have configured port forwarding on your router, but it’s really important to enable this only for a device that’s as secure as possible. This is a great explanation on what port forwarding is.
5. Use a VPN
A virtual private network is a secure way to access devices on your internal network without exposing them to the internet. It’s like creating a secure tunnel back into your home network. Set up a VPN, then use your laptop or phone to SSH into your Pi from anywhere in the world. PiVPN is a project for setting up a VPN for your network on a Pi.
6. Obscurity is not security!
Just because you haven’t publicly shared a link to your device doesn’t mean it’s not accessible to others. There are bots that literally scan the internet looking for devices to exploit. As a rule of thumb, anything that’s exposed to the internet should have authentication on it. Enable passwords for web interfaces if they are available.
7. Use a guest network
Many modern routers support guest WiFi networks, which give connected devices internet access but keep them isolated from your main network. Set up a guest WiFi network for your IoT devices, so that even if the worst happens and one of your devices is breached, your main network should remain secure.
A good guide for setting up a guest network can be found here, but the steps for your router may vary.
8. Use a third party message broker
A third-party message broker (such as Adafruit.io or even Telegram messenger) can be a more secure way of communicating with your device than exposing it to the internet. Your device connects to the broker so there’s no need for port forwarding. Most message brokers support authentication as well. They also have the added benefit of not requiring dynamic DNS setup, which most other solutions require.