NEWS
NEWS
NEWS
SSH generation fault leaves Raspberry Pi vulnerable to hacking
Users of the increasingly popular tiny and affordable computer the Raspberry Pi may be exposed to security issues due to the operating system on the device generating weak and predictable secure shell (SSH) keys.
The flaw in the Raspbian operating system was discovered by a user named “oittaa” who revealed on the Raspberry Pi forums that the hardware random number generator was not enabled in Raspbian by default, automatically resulting in predictable SSH host keys being generated on the first boot.
“Raspbian doesn’t enable hardware random number generator by default. This causes generation of predictable SSH host keys on the first boot,” he wrote. “As soon as the systems starts up systemd-random-seed tries to seed /dev/urandom, but /var/lib/systemd/random-seed is missing, because it hasn’t been created yet. /etc/rc2.d/S01regenerate_ssh_host_keys is executed, but /dev/urandom pool doesn’t have that much entropy at this point and predictable SSH host keys will be created.”
According to the report, there are two ways developers can create random numbers, through /dev/random and /dev/urandom functions.
The /dev/random choice is said to be the better one as it requires user-generated input, such as mouse movements, keyboard input or various hardware-generated activities to create numbers; however, the function freezes the system until it has enough data to generate strong random numbers, which is why developers opt for /dev/urandom instead.
With Raspbian there is also an incorrect boot sequence that results in not enough data, not even in the /dev/urandom function, and according to ITProPortal, if the OS is set to generate SSH host keys right at startup, it will put together predictable values that are far less secure than what it would generally be needed for SSH data.
Fix
The good news is that the Raspbian and Raspberry Pi projects have worked together to put out a fix; however, given that it requires users to adapt it, the issue of cryptographically secure random numbers on Raspberry Pi devices, let alone in similar devices, will remain ongoing.
Secure random numbers may not sound like one of the more exciting aspects of cyber security, but with uses ranging from key generation, nonces, one-time pads and more, the need for reliable, safe generation, in a year in which we’ve seen a constant surge in hacking remains an important one.
Image credit: lungstruck/Flickr/CC by 2.0
Since you’re here …
… We’d like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.
If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.
