Raspberry Pi Distro’s Root Login
Have you ever set up a Raspberry Pi using one of the popular Linux distributions like Raspbian or LibreELEC and worried about adding a potentially insecure device into your home network? We’ve seen dozens of cases were IoT devices were more of a use to criminals (e.g. as part of a botnet attacking other systems) than to their “physical” owners. There are several reasons for that, but one definite cause is called “insecure defaults”. Examples for insecure defaults are default root passwords and other insecure configurations.
Some distributions provide guidance on how to secure your Raspberries, including Raspbian, who explain the importance of security and how to improve the systems setting and prevent attackers from easily gaining access. The problem is: Who really reads any of these articles before completing their setup?
Why don’t these devices and distributions just come with “security enabled by default”? Would you read an article about how to enable your car’s breaks before jumping in and driving around your neighbourhood? Well, that is exactly what is expected from end-users with a lot of software being published at the moment.
The question about secure defaults is usually answered by somebody representing the vendor or product by explaining that security cannot be built-in because of usability issues. But would generating a secure password for the user during the installation procedure really represent an unacceptable trade-off?
This is for the vendors and communities: You really need to try harder and stop finding excuses.
And for the users: Read the guides on how to secure your Raspberries and if you can, open-source-communities are always looking for active members to improve their software.