HotHardware.com is reporting that there's a Linux malware in the wild that takes over Raspberry Pi devices and uses them to mine for cryptocurrency...
Linux.MulDrop.14 [scans] for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed. After that, the malware installs ZMap and sshpass software, and then it configures itself... to make digital money for someone else, namely the author of the malware, using your Raspberry Pi.
The article focuses on how much your power bill will go up in the course of making money for someone else due to the 100%-CPU-usage nature of mining software.
The existence of such a malware raises the question: Are there enough Raspberry Pi devices connected to the network, but not really monitored, such that there are enough to mine a single unit of cryptocurrency? ARM dev boards are not known for processing power, and the RPIs are no exception.
On the subject of default root passwords for devices intended to be connected to the Internet, must this be the case with the RPI, or could they take the route of having an actually installable GNU/Linux instead of an image of an already installed system with insecure passwords?
(Score: 2, Informative) by Booga1 on Monday June 12 2017, @02:37AM (7 children)
Well, leave your default passwords on default usernames on internet connected devices and there really shouldn't be any surprise if it gets taken over.
Until people are forced to change passwords on first use, this isn't going to change. Doesn't matter if it's the router, the Pi, the webcam, or any internet-of-things toys.
(Score: 2) by frojack on Monday June 12 2017, @03:58AM
I can't imagine writing any malware trying to take over a Pi. Even if you hack half a million of them, you still don't have any crypto powerhouse at your disposal. They would all melt down if you put them to that much work. They need heat sinks [broadviewtech.com] for that kind of work.
That said, I'm posting this from a Pi 3 Model B, which makes a passable web browser, email reader, chat platform. It's behind a router on cat5, and since it has wifi built in it is also serving as my backup wifi gateway in my office. Runs Chrome and Claws.
No, you are mistaken. I've always had this sig.
(Score: 2) by VLM on Monday June 12 2017, @12:23PM (5 children)
Technically you can change the pi password on every boot automatically, then automatically insert that pi password into the console login screen because anyone with physical access essentially has root anyway. The first time you run passwd successfully, this "scramble at every reboot" can be disabled. As a gross simplification every boot you'd eat the output of `pwgen -N 1` into a shell variable then run passwd on it and insert the new password into a newly generated /etc/issue file (making some huge assumptions about the base install of a pi...) Obviously anyone who can read /etc/issue has access to the box, so try to prevent that. Also I'm sure systemd has replaced getty so my description of how to do it on a Unix-like OS is no longer applicable to a non-Unix-like OS. However Windows does it is probably how systemd does it, and presumably it's possible somehow.
Another interesting solution is nobody gets to SSH in remotely until the password is set, but by playing some games with PAM libraries the physical console login can for all time be "raspberry". As a side dish it's probably possible to create a "special" PAM library that causes auto-fail if the uname/pword is the unchanged default and insert that into just the sshd pam file. Probably.
I could do either solution later in the day but I'm sleepy right now. PAM is arcane wizardry and I need to obtain a sacrificial chicken before doing battle with PAM although the first option sounds relatively simple...
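The first option from the comment above, sketched as a boot-time shell script; this is an added example, not code posted in the thread. The state-file path, the function names and the hash-comparison method of noticing that the owner has run passwd are assumptions, and `od` on /dev/urandom stands in for `pwgen -N 1`.

```shell
#!/bin/sh
# Boot-time scrambler sketch (added example). STATE_FILE is a hypothetical path.
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"
ISSUE_FILE="${ISSUE_FILE:-/etc/issue}"
STATE_FILE="${STATE_FILE:-/var/lib/pi-scramble/last-hash}"  # directory must exist
TARGET_USER="${TARGET_USER:-pi}"
APPLY_CMD="${APPLY_CMD:-chpasswd}"   # reads "user:password" on stdin

gen_password() {
    # 96 bits from the kernel CSPRNG as 24 hex characters (stand-in for pwgen)
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

current_hash() {
    # Second field of the target user's shadow entry
    awk -F: -v u="$TARGET_USER" '$1 == u { print $2 }' "$SHADOW_FILE"
}

user_changed_password() {
    # True once the stored hash differs from the one the scrambler last set,
    # i.e. somebody ran passwd since the previous boot.
    [ -s "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" != "$(current_hash)" ]
}

write_issue() {
    # Replace the console banner atomically; umask 077 keeps it owner-only,
    # because whoever can read this file can log in.
    tmp="$ISSUE_FILE.tmp.$$"
    printf 'Login: %s  Password: %s\n\n' "$TARGET_USER" "$1" > "$tmp"
    mv -f "$tmp" "$ISSUE_FILE"
}

scramble_at_boot() {
    umask 077
    if user_changed_password; then
        echo kept                      # the owner's own password is left alone
        return 0
    fi
    pw=$(gen_password)
    printf '%s:%s\n' "$TARGET_USER" "$pw" | $APPLY_CMD || return 1
    current_hash > "$STATE_FILE"       # remember what we set, to spot later changes
    write_issue "$pw"
    echo scrambled
}

# Only act when invoked explicitly, e.g. from a root-owned boot unit.
if [ "${1:-}" = "--run" ]; then scramble_at_boot; fi
```

Once the owner has set a password, the banner still shows the last scrambled value, so a real deployment would restore the stock /etc/issue in the `kept` branch.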
(Score: 2) by VLM on Monday June 12 2017, @12:24PM
Ah I got a better idea about 2 seconds after I hit "submit". Leave the scrambler in for all eternity to encourage the use of key based authentication.
(Score: 2) by requerdanos on Monday June 12 2017, @12:52PM (3 children)
The Raspberry Pi folks almost, but not quite [raspberrypi.org] figured this out according to a Nov. 2016 post on the official Raspberry Pi blog:
So their current solution is to tell the novices that the product is intended for, "dude, you should, like, really change your password or something."
I am sure many respond with "Well, that's like, just your opinion, man."
(Score: 2) by VLM on Monday June 12 2017, @01:20PM
Ouch, that's a highly questionable design choice. Like did some Russian or acronym organization pay for it, level of questionable.
(Score: 2) by maxwell demon on Monday June 12 2017, @07:52PM (1 child)
Of course if you are operating your Pi headless, you'll never get to see this boot message in the first place ...
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by requerdanos on Monday June 12 2017, @11:23PM
Yes, the message is displayed on any login. If your login is GUI, there's a message box; if not, then it's above the initial prompt, according to their blog post. I don't know the mechanism of delivery.