Raspberry Pi just made a big change to improve security

Raspberry Pi has made a change to the Raspberry Pi OS operating system that removes the default username and password.

Until now, the default username and password for the small computers were “pi” and “raspberry”, respectively. That made setting up a new Pi device easy, but possibly also made the popular internet-connected devices easier for remote attackers to hack using techniques such as password spraying.

“Until now, all Raspberry Pi OS installations had a default user called ‘pi’. This isn’t such a weakness – knowing a valid username doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you would need to have some form of remote access enabled in the first place,” explains Simon Long, a senior engineer for Raspberry Pi Trading.

“However, it could potentially make a brute-force attack a little easier, and in response, some countries are now introducing legislation to ban any internet-connected device from having login credentials by default.”
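The difference between the two attack styles mentioned above shows up in SSH login logs. The following is an added illustration, not part of the original article or any Raspberry Pi code: it assumes OpenSSH-style auth log lines, and the sample lines, the `classify` function name and the threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Apr  8 10:00:01 raspberrypi sshd[801]: Failed password for pi from 203.0.113.7 port 40100 ssh2
Apr  8 10:00:03 raspberrypi sshd[801]: Failed password for pi from 203.0.113.7 port 40100 ssh2
Apr  8 10:00:05 raspberrypi sshd[801]: Failed password for pi from 203.0.113.7 port 40100 ssh2
Apr  8 10:00:09 raspberrypi sshd[805]: Accepted password for pi from 203.0.113.7 port 40102 ssh2
Apr  8 10:05:00 raspberrypi sshd[811]: Failed password for pi from 198.51.100.9 port 51000 ssh2
Apr  8 10:05:02 raspberrypi sshd[812]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2
Apr  8 10:05:04 raspberrypi sshd[813]: Failed password for invalid user ubuntu from 198.51.100.9 port 51004 ssh2
Apr  8 10:07:00 raspberrypi sshd[820]: Failed password for alice from 192.0.2.5 port 52000 ssh2
Apr  8 10:07:05 raspberrypi sshd[820]: Accepted password for alice from 192.0.2.5 port 52000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")

def classify(log_text, threshold=3):
    """Return sorted (kind, source_ip, usernames) findings."""
    fails = defaultdict(int)         # (ip, user) -> failed attempts
    users_by_ip = defaultdict(set)   # ip -> distinct usernames tried
    findings = set()
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            user, ip = m.groups()
            fails[(ip, user)] += 1
            users_by_ip[ip].add(user)
        elif m := ACCEPTED.search(line):
            user, ip = m.groups()
            # A success right after repeated failures suggests a guessed password.
            if fails.get((ip, user), 0) >= threshold:
                findings.add(("login-after-failures", ip, user))
    for (ip, user), count in fails.items():
        if count >= threshold:       # many guesses against one account
            findings.add(("brute-force", ip, user))
    for ip, users in users_by_ip.items():
        if len(users) >= threshold:  # few guesses spread over many accounts
            findings.add(("spraying", ip, ",".join(sorted(users))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(*finding)
```

A single failed login followed by a success, as with the constructed `alice` lines, stays below the threshold and is not reported.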

For example, the UK plans to introduce new regulations that will stop makers of Internet of Things (IoT) devices from shipping them to consumers with default usernames and passwords. Britain’s National Cyber Security Centre (NCSC) approved the Product Security and Telecommunications Infrastructure (PSTI) Bill as the pandemic has increased people’s reliance on internet-connected devices.

Long says the latest release of Raspberry Pi OS removes the default “pi” username and a new wizard forces the user to create a username on the first boot of a newly flashed Raspberry Pi OS image. But he also notes that not all existing documentation will match the new process.

“This is consistent with the way most operating systems work today, and while it can cause a few issues where software (and documentation) assumes the existence of the ‘pi’ user, it feels like a sensible change to make at this point,” he notes.

It may nevertheless mean a few changes for users when setting up a new Raspberry Pi device, as the wizard process is mandatory for a desktop setup.

“Going through the wizard is no longer optional as a user account is created this way; until you create a user account you will not be able to log in to the desktop. So instead of running as an application on the desktop itself, as before, the wizard now runs on first boot in a special environment.”

The main difference is that previously users were prompted only for a new password. Now users will be prompted for a username and password.

Raspberry Pi still allows users to set the username to “pi” and the password to “raspberry”, but it will warn you that choosing the default settings is unwise.

“Some software may require the ‘pi’ user, so we’re not completely authoritative on this. But we’d really recommend choosing something else,” Long says.

Raspberry Pi sales spiked at the start of the pandemic as consumers sought low-cost home computing equipment. But Raspberry Pi is now facing supply constraints due to the global chip shortage. This week, Raspberry Pi chief Eben Upton admitted that resellers were out of stock.

“Demand for Raspberry Pi products increased sharply from early 2021, and supply constraints have prevented us from meeting this demand, with the result that we now have significant backlogs for almost all products. In turn, our many resellers have their own backlogs, which they fill when they receive stock from us,” said Upton.
