The Raspberry Pi Foundation is deprecating the default username policy
The Raspberry Pi Foundation, the organization behind the hugely popular computing platform of the same name, is rolling out a small but impactful security policy update that eliminates default usernames to cut off a potential path for malicious actors to carry out brute-force cyberattacks.
Put simply, a brute force attack is a trial and error method of cyberattack in which a malicious actor tries all possible username and password combinations to access a system – usually using some sort of automated tool – until he hits the right one.
This technique remains remarkably effective because so many people still choose weak passwords that can be cracked in a matter of seconds, and when they use a known default username it gets even worse.
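The practical counterpart to the brute-force description above, from the defender’s side, is spotting the pattern in authentication logs: many failed logins from one source against one account in a short window, with extra weight when the account is a known default such as “pi”. The script below is an added example, not code from the article or from the Raspberry Pi Foundation; the sshd log lines, the one-minute window, the five-failure threshold and the list of default usernames are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, no year); not from any real host.
SAMPLE_LOG = """\
Apr  8 10:01:02 pi4 sshd[1201]: Failed password for pi from 198.51.100.7 port 50122 ssh2
Apr  8 10:01:04 pi4 sshd[1203]: Failed password for pi from 198.51.100.7 port 50124 ssh2
Apr  8 10:01:05 pi4 sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 50126 ssh2
Apr  8 10:01:07 pi4 sshd[1207]: Failed password for pi from 198.51.100.7 port 50130 ssh2
Apr  8 10:01:09 pi4 sshd[1209]: Failed password for pi from 198.51.100.7 port 50131 ssh2
Apr  8 10:01:10 pi4 sshd[1211]: Failed password for pi from 198.51.100.7 port 50133 ssh2
Apr  8 10:02:30 pi4 sshd[1220]: Failed password for alice from 203.0.113.9 port 40010 ssh2
Apr  8 10:02:31 pi4 sshd[1222]: Accepted publickey for alice from 203.0.113.9 port 40012 ssh2
Apr  8 10:07:00 pi4 sshd[1230]: Failed password for pi from 192.0.2.44 port 33001 ssh2
"""

# "pi" is the default the article discusses; the other entries are an assumed list of
# common vendor defaults that a site would maintain itself.
DEFAULT_USERNAMES = {"pi", "root", "admin"}

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a time-sorted list of (timestamp, source_ip, username) for failed logins."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
        events.append((ts, m["ip"], m["user"]))
    events.sort()
    return events


def targeted_usernames(log_text):
    """Count failed attempts per username, to see which accounts attackers are guessing."""
    return Counter(user for _, _, user in parse_failures(log_text))


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag (source_ip, username) pairs with >= threshold failures inside a sliding window.

    Each alert records how many failures fell in the window and whether the targeted
    account is a known default username, which is the case the article is about.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (ip, user) -> timestamps of failures still inside the window
    alerts = {}
    for ts, ip, user in parse_failures(log_text):
        key = (ip, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                "ip": ip,
                "user": user,
                "count": len(q),
                "first": q[0],
                "last": ts,
                "default_username": user in DEFAULT_USERNAMES,
            }
    return list(alerts.values())


if __name__ == "__main__":
    print("failures per username:", dict(targeted_usernames(SAMPLE_LOG)))
    for alert in detect_bruteforce(SAMPLE_LOG):
        tag = " (default username)" if alert["default_username"] else ""
        print(f"ALERT {alert['ip']} -> {alert['user']}{tag}: "
              f"{alert['count']} failures between {alert['first'].time()} and {alert['last'].time()}")
```

On the constructed sample this reports a single alert, five failures against “pi” from 198.51.100.7 within eight seconds, while the lone guess at “admin” and the single failure for “alice” stay below the threshold. In production the same logic would read `journalctl -u ssh` or `/var/log/auth.log` rather than an embedded string, and the threshold is the main knob: lower it for accounts in `DEFAULT_USERNAMES` if you want earlier warning on exactly the weakness the article describes.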
Until now, all installations of the Raspberry Pi Operating System (OS) have had a default initial username of “pi”, but according to the Foundation’s Senior Principal Software Engineer Simon Long, this seemingly innocuous feature presents an easy opportunity for an attacker to exploit.
“That’s not a major weakness – just knowing a valid username doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you would need to have some form of remote access enabled in the first place,” Long explained in a blog post.
“Nonetheless, it could potentially make a brute force attack a little easier, and in response, some countries are now introducing laws banning any internet-connected device from having default credentials.”
To close the gap, Long said, the default user “pi” will be removed and users will have to create a user instead when they first boot a freshly flashed Raspberry Pi OS image.
Long acknowledged that the change could cause some issues with documentation or programs assuming the existence of the “pi” user, but since this is how most current operating systems work, the Raspberry Pi Foundation felt it was “a reasonable change to make at this point”.
The change also forces Raspberry Pi owners to use the setup wizard when booting a new image. Previously, the wizard could be skipped: a user cannot log into the desktop until an account exists, which was not a problem while the default user ‘pi’ was present. Now that no default user exists, that option can’t exist either.
The setup wizard now runs in a dedicated environment on first boot, but is otherwise largely unchanged. It allows users to set the username and password as “pi” and “raspberry” if they wish, although this is highly inadvisable.
Concurrent with this change, the Foundation is making additional optimizations to pairing Bluetooth devices with Raspberry Pi and, for the first time, allowing the desktop to run on Wayland – the proposed replacement for the X Window System underpinning the majority of Unix desktops – on an experimental basis. More details on these changes and additional setup information can be found here.
Oliver Pinson-Roxburgh, CEO of Bulletproof, described the small change as a crucial step in the right direction. He cited recent research conducted by his company that suggested that the Raspberry Pi OS default credentials were actually among the top 10 most common default credentials used by attackers.
“With over 200,000 computers on the internet running the standard Raspberry Pi operating system, it was an attractive target for malicious actors. Ending the default username “pi” is a good move by Raspberry Pi, which sets minimum standards for cyber hygiene on its devices and closes this vulnerability that has regularly compromised user systems,” he said.
“Unfortunately, the scope of the default credential problem is much larger than Raspberry Pi. The term ‘default credentials’ is almost obsolete with so many users clinging to them, creating fertile ground for bad actors to exploit.
“With hackers increasingly turning to automated attack methods – [our] data showed that 70% of all web activity is bot traffic – you can quickly use these standard credentials as a “skeleton key” to chain multiple hacks together,” he added.
In the UK, the proposed Product Safety and Telecoms Infrastructure Bill – currently in the review phase ahead of its third reading in the House of Commons – will prevent manufacturers and retailers of connected technology products from programming default credentials into devices, among other things.
The law applies to all devices that can access the internet, such as smartphones and smart TVs, gaming consoles, security cameras and connected alarms, smart toys and baby monitors, smart home hubs and voice-activated assistants (like Alexa), and connected home appliances.
Also within the scope are products that can connect to other devices but do not directly access the internet themselves – such as smart lightbulbs and thermostats or wearable fitness bands.
Failure to comply with the new law will result in fines of up to £10m or 4% of global sales and up to £20,000 per day for persistent breaches.