Why Your Non-Commercial IoT Needs Securing Too

Forbes Technology Council

CEO of KernelCare, an innovator responsible for the strategic direction of the company and all products within the CloudLinux brand.

In computer security, all it takes for catastrophe to strike is a small opportunity, a small slip in your security regime. Even when you think a device or an application poses an extremely small risk, you could still find yourself the victim of a motivated attacker seeking an opportunity.

The Raspberry Pi is a roaring success — finding a role everywhere, from home users and enthusiasts right through to the enterprise IoT environment. Last year, the foundation announced that it sold 650,000 units in March 2020 alone, with a total of 36 million Raspberry Pi devices sold by the end of 2020.

For Raspberry Pi users, it can be tempting to take a relaxed approach to securing the device simply because, in a non-commercial role, a Raspberry Pi does not appear to pose much of a threat. 

It’s a dangerous assumption. 

In this article, I explain why even non-commercial IoT devices can pose a threat and why these devices must be protected. We’ll use the Raspberry Pi as an example.

A Quick Look At The Raspberry Pi

Launched in 2012, the Raspberry Pi is a fully functional computer built on a single printed circuit board that’s about the size of a credit card. Think CPU, RAM and all necessary controllers for much less than $100 apiece.

The Raspberry Pi project was started by a team at the University of Cambridge to address a decline in the numbers of students applying for computer science courses — and the skill levels of the applicants. 

Raspberry Pi’s sponsors wanted to make learning about computing more accessible. It worked. The Raspberry Pi’s small size, low price and customizability made it very popular. It empowered creativity and encouraged experimentation — exactly what the creators at Cambridge University intended. 

IoT, Linux And More — All With The Raspberry Pi

The Raspberry Pi is really easy to use and versatile. With just basic computing skills, you can set up a Raspberry Pi as an affordable AirPlay receiver, or you can use the foundation’s Ubuntu Appliance portfolio to harness your Raspberry Pi in any one of many IoT roles at home, from home automation through to building a remote-controlled robot.

Raspberry Pi devices are also great for experimenting with Linux. A cheap Raspberry Pi lets you try out Linux in a native environment without relying on virtualization, or wiping a PC that you depend on for everyday activities.

In fact, the default Raspberry Pi OS is based on a Linux distribution called Debian, so the Raspberry Pi is really all about Linux. It provides access to a dedicated Linux environment that opens learning opportunities whether you’re a beginner or an experienced programmer.

There is a risk, however. Linux is a fully functioning OS and carries with it the full range of OS vulnerabilities.

Why Your Raspberry Pi Is A Security Risk

It is tempting to think that you don’t need to spend the time securing non-commercial IoT devices — such as your Raspberry Pi. After all, you’re just using it at home; it is not connected to commercial networks and doesn’t host commercial data. Right?

Here’s the problem. Just like any other device connected to your network, your hobby IoT device can act as an entry point. It could be the wedge that opens the door to a very costly attack. 

And don’t rule out an attack on your Raspberry Pi. Researchers have documented a whole range of Raspberry Pi vulnerabilities. An unpatched Raspberry Pi running Linux is an open goal post because it is just as exposed as any PC or server that runs Linux.

So, an unpatched Raspberry Pi could be the single, critical weak point in your home network. In turn, that could be a doorway into your corporate network. It should be clear to you where that can lead.

Patching Your Raspberry Pi

You must act, but keeping a non-essential IoT device patched can seem like a low priority. Why lose time trying to patch a device that you are just experimenting with? Why patch the Raspberry Pi that’s controlling your toy robot? 

Simply put, you don’t have a choice. You must patch your non-commercial IoT devices as religiously as your commercial devices.

Keeping a Raspberry Pi patched isn’t hard if you’re using the popular Raspberry Pi OS. Just use a terminal session to log in to your device and run a couple of instructions. That said, remembering to patch frequently enough to catch patches when released is a different story. And if you skip a patch, your Raspberry Pi will remain vulnerable.

There is also a problem with reboots. If the patch is a kernel patch, a reboot will likely be required; but if consistent patching and reboots are a challenge for you, there is an alternative option. Consider using an automated Raspberry Pi patching tool from a third-party vendor. With the latest technology, you can even perform a kernel update without rebooting your Raspberry Pi. 

Automated patching saves you time, and because you’re patching consistently, it goes a long way to mitigating the security risks of your Raspberry Pi. The same goes for any other non-commercial IoT device that you use.
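
The check below is an added example, not part of the original article: it reads the output of a simulated upgrade on a Debian-based Raspberry Pi OS and reports how many packages are waiting and how many of those are kernel or bootloader packages that will need a reboot. The package-name patterns, the `--live` switch and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise pending updates from `apt-get -s dist-upgrade`
# output and flag the ones that will require a reboot.

# Assumption: kernel and boot firmware ship in packages matching these names.
is_reboot_pkg() {
    case "$1" in
        raspberrypi-kernel*|raspberrypi-bootloader*|linux-image-*) return 0 ;;
        *) return 1 ;;
    esac
}

# pending_summary: read simulation output on stdin and print
# "<total> <reboot>": packages to upgrade, and how many need a reboot.
pending_summary() {
    total=0
    reboot=0
    while read -r action pkg _rest; do
        # Only "Inst" lines describe a package that would be upgraded.
        [ "$action" = "Inst" ] || continue
        total=$((total + 1))
        if is_reboot_pkg "$pkg"; then
            reboot=$((reboot + 1))
        fi
    done
    echo "$total $reboot"
}

# Constructed sample of simulation output (placeholder versions, not a real device).
SAMPLE='Reading package lists...
Inst libssl1.1 [1.0-1] (1.0-2 Raspbian:stable [armhf])
Inst raspberrypi-kernel [1.0-1] (1.0-2 Raspberry Pi Foundation:stable [armhf])
Inst sudo [1.0-1] (1.0-2 Raspbian:stable [armhf])
Conf libssl1.1 (1.0-2 Raspbian:stable [armhf])'

# On a real device, pass --live to summarise what is actually pending.
if [ "${1:-}" = "--live" ]; then
    apt-get -s dist-upgrade | pending_summary
fi
```

Run `sudo apt update` first so the package lists are current; a non-zero second number means the next `sudo apt full-upgrade` should be followed by a reboot.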

Always Patch Your IoT Devices

IoT security is undoubtedly a flashpoint, with Gartner Research suggesting that 20% of companies have detected an IoT-based attack in recent years. Non-commercial IoT devices are similarly vulnerable, even if your home-based project is ultimately less likely to be targeted. Nonetheless, a vulnerable non-commercial IoT device can have implications that you didn’t consider. 

So, I have a simple suggestion for you. If it is connected to the internet, secure it — end of story. Don’t have the time to patch? Consider automating your patching instead.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

