
Raspberry Pi OS update bolsters security against brute force attacks

The security change was made in line with an increasing number of countries choosing to outlaw default credentials

Raspberry Pi has announced a new change to the device’s operating system that aims to improve its defences against cyber attacks.

First-time setup processes for Raspberry Pis have previously required users to set a custom password, but the latest change will mandate a custom default user name too.

Although developers have said that knowing a common default user name, which was previously set to “pi” unless changed, isn't all that useful to hackers, they believe this change should help prevent brute force attacks and password spraying attempts.

“Just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” said Simon Long, senior principal engineer at Raspberry Pi.

“But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”

The UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced in 2021 but drew criticism from experts who argued the Bill did not go far enough to ensure adequate protection for internet-connected devices.

Martin Tyley, head of cyber security at KPMG UK, told IT Pro earlier this year that the PSTI’s scope does not cover desktop and laptop computers, among an array of other devices, a category under which Raspberry Pis would fall.

Long said the change to Raspberry Pi OS may introduce “a few issues” where software and its accompanying documentation assumes a default “pi” user is present, though “it feels like a sensible change to make at this point”.

After flashing a new OS image, users will be presented with a new, but familiar, Raspberry Pi OS setup wizard, which will no longer be optional. Previously, users could press ‘cancel’ to skip it.

If users choose to manually set their user name and password to ‘pi’ and ‘raspberry’ respectively, the previous default credentials, they will be met with a warning prompt but such a configuration won’t be prohibited.

There are also alternative options for users who cannot work through the first-time setup wizard, should they wish to bolster the security of their devices.

For users running a headless Raspberry Pi, there exists an option to preconfigure the OS image with a user account. Raspberry Pi has instructions on how to do this.

Existing Raspberry Pi installations can also configure their default user name by first updating their OS and then running the ‘sudo rename-user’ command. Users will be prompted to reboot and then a more basic version of the first-time setup wizard will appear, allowing users to set default credentials at this stage.
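
Before renaming the account on an existing installation, it helps to know whether the old default login is still usable. The following is an added example, not code from Raspberry Pi or from this article: it reports the state of the “pi” account from passwd- and shadow-format files and, where the hash scheme allows, tests it against the old default password ‘raspberry’. The function name and the sample entries are hypothetical, and the password comparison assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example (not Raspberry Pi's tooling): report the state of the legacy
# default login "pi" / "raspberry" in passwd- and shadow-format files.
# File paths are arguments, so a mounted SD-card image can be checked too.

# pi_account_state PASSWD_FILE SHADOW_FILE
# Prints: absent | locked | default-password | custom-password | unverified
pi_account_state() {
    passwd_file=$1
    shadow_file=$2
    # No "pi" entry: the account was renamed or never created.
    grep -q '^pi:' "$passwd_file" || { echo absent; return 0; }
    stored=$(awk -F: '$1 == "pi" { print $2 }' "$shadow_file" 2>/dev/null)
    case $stored in
        '!'*|'*'*) echo locked; return 0 ;;      # password login disabled
        '')        echo unverified; return 0 ;;  # no entry or empty field: inspect by hand
    esac
    # crypt(3) strings look like $id$salt$digest; split on "$".
    id=$(printf '%s' "$stored" | cut -d'$' -f2)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    case $id in
        1|5|6) ;;                                # schemes "openssl passwd" can compute
        *) echo unverified; return 0 ;;          # e.g. yescrypt ($y$)
    esac
    case $salt in
        rounds=*) echo unverified; return 0 ;;   # custom round counts are not handled here
    esac
    command -v openssl >/dev/null 2>&1 || { echo unverified; return 0; }
    # Hash the old default password with the stored salt and compare.
    candidate=$(openssl passwd "-$id" -salt "$salt" raspberry 2>/dev/null) \
        || { echo unverified; return 0; }
    if [ "$candidate" = "$stored" ]; then
        echo default-password
    else
        echo custom-password
    fi
}

# Constructed sample: a locked "pi" entry, written to a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'pi:x:1000:1000::/home/pi:/bin/bash\n' > "$d/passwd"
    printf '%s\n' 'pi:!:19000:0:99999:7:::' > "$d/shadow"
    pi_account_state "$d/passwd" "$d/shadow"
    rm -rf "$d"
}
demo
```

On a live system, run it as root as `pi_account_state /etc/passwd /etc/shadow`; a result of `default-password` or `unverified` means the account should be renamed or its password changed.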

As part of the new setup wizard, users will also be able to pair Bluetooth peripherals without requiring an initial USB connection. The update removes the need for USB cables at any stage of connection, a requirement Long said was "a bit irritating".
