SSH generation fault leaves Raspberry Pi vulnerable to hacking
Users of the increasingly popular tiny and affordable computer the Raspberry Pi may be exposed to security issues due to the operating system on the device generating weak and predictable secure shell (SSH) keys.
The flaw in the Raspbian operating system was discovered by a user named “oittaa” who revealed on the Raspberry Pi forums that the hardware random number generator was not enabled in Raspbian by default, automatically resulting in predictable SSH host keys being generated on the first boot.
“Raspbian doesn’t enable hardware random number generator by default. This causes generation of predictable SSH host keys on the first boot,” he wrote. “As soon as the systems starts up systemd-random-seed tries to seed /dev/urandom, but /var/lib/systemd/random-seed is missing, because it hasn’t been created yet. /etc/rc2.d/S01regenerate_ssh_host_keys is executed, but /dev/urandom pool doesn’t have that much entropy at this point and predictable SSH host keys will be created.”
According to the report, there are two ways developers can create random numbers, through /dev/random and /dev/urandom functions.
The /dev/random choice is said to be the better one as it requires user-generated input, such as mouse movements, keyboard input or various hardware-generated activities to create numbers; however, the function freezes the system until it has enough data to generate strong random numbers, which is why developers opt for /dev/urandom instead.
With Raspbian there is also an incorrect boot sequence that results in not enough data, not even in the /dev/urandom function, and according to ITProPortal, if the OS is set to generate SSH host keys right at startup, it will put together predictable values that are far less secure than what it would generally be needed for SSH data.
Fix
The good news is that the Raspbian and Raspberry Pi projects have worked together to put out a fix; however, given that it requires users to adapt it, the issue of cryptographically secure random numbers on Raspberry Pi devices, let alone in similar devices, will remain ongoing.
Secure random numbers may not sound like one of the more exciting aspects of cyber security, but with uses ranging from key generation, nonces, one-time pads and more, the need for reliable, safe generation, in a year in which we’ve seen a constant surge in hacking remains an important one.
Image credit: lungstruck/Flickr/CC by 2.0
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU