I've started this post a number of times and it never is what I want it to be. A recent discussion in the HA chat cited that the Raspberry Pi is now being exploited. Hassbian uses the default Raspberry Pi password that most distributions use, and a lot of HA users are at risk. So here it is; it's not perfect, but it will hopefully get the message out.
TL;DR
Change the password on your internet-connected devices. Hackers are exploiting the millions of devices where the default username and password have never been changed. These devices can then be used to shut down the internet or mine cryptocurrency.
So, change the password on your devices and where a connection outside your local network isn’t needed, block those devices from even reaching the internet using your firewall (located in your ‘router’ for most).
What’s the Problem?
Recently hackers have been exploiting the rapidly expanding number of ‘smart’ devices connected to the internet, and if you are reading this post, you likely have several of them in your home. The Raspberry Pi running Hassbian that you use to run Home Assistant, for example, ships with a default username (pi) and password (raspberry) that everyone knows, including the hacker who is using that knowledge to gain access to your device. There are over 12.5 million Raspberry Pis out on the internet. Nest was selling around 100,000 thermostats a month at one point. Imagine all those devices connected to the internet and under the control of an ill-intentioned hacker.
One of the easiest ways hackers can take control of your devices is that a lot of people never change the password of their device from the default, or use a really easy-to-guess password (password123!). Using this easy point of entry, hackers inject code that will eventually let your internet-connected toaster help take down the entire internet in Liberia. Now, your toaster doesn’t have the computing horsepower to do this on its own; however, when combined with even a fraction of the 12.5 million Raspberry Pis out there, or even 1% of the 100,000 Nests added to the internet each month, it can become a very powerful tool. Some botnets only reach a few hundred thousand devices; others can reach into the millions.
An older release from the Federal Bureau of Investigation stated, “The impact of this global cyber threat has been significant. According to industry estimates, botnets have caused over $9 billion in losses to U.S. victims and over $110 billion in losses globally. Approximately 500 million computers are infected globally each year, translating into 18 victims per second.”
What Should I do?
CHANGE YOUR PASSWORDS from the defaults! If the password for your Raspberry Pi is still “raspberry”, you are part of the problem.
Use a strong password. Password123 is not a good password. Use words that are not found in a dictionary, use a phrase instead of a single word, and add numbers (not just at the end) and symbols. The ! is the most commonly used symbol in passwords, so try something else.
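As an added illustration of the password rules above (example code, not part of the original post), here is a small Python checker that applies them to a candidate password. The default-credential and dictionary-word lists are constructed samples; a real check would load a full wordlist.

```python
"""Check a candidate password against the rules given in this post."""
import re
from typing import List

# Constructed sample lists (assumption: a real deployment would load a
# complete wordlist such as /usr/share/dict/words and a default-credential DB).
DEFAULT_PASSWORDS = {"raspberry", "password", "admin", "1234"}
COMMON_WORDS = {"password", "raspberry", "welcome", "home", "assistant", "pi"}
MIN_LENGTH = 12  # long enough that a phrase is required, not a single word


def check_password(pw: str) -> List[str]:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = pw.lower()

    # Rule 0: never keep a vendor default such as pi/raspberry.
    if lowered in DEFAULT_PASSWORDS:
        problems.append("matches a well-known default password")

    # Rule 1: prefer a phrase over a single word.
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters; use a phrase" % MIN_LENGTH)

    # Rule 2: don't build the password only from dictionary words.
    words = re.findall(r"[a-z]+", lowered)
    if words and all(w in COMMON_WORDS for w in words):
        problems.append("built only from common dictionary words")

    # Rule 3: digits must appear somewhere other than a trailing cluster.
    digit_idx = [i for i, ch in enumerate(pw) if ch.isdigit()]
    last_letter = max((i for i, ch in enumerate(pw) if ch.isalpha()), default=-1)
    if not digit_idx:
        problems.append("contains no digits")
    elif all(i > last_letter for i in digit_idx):
        problems.append("digits appear only at the end")

    # Rule 4: use a symbol, and not just '!' (the most common choice).
    symbols = {ch for ch in pw if not ch.isalnum() and not ch.isspace()}
    if not symbols:
        problems.append("contains no symbols")
    elif symbols == {"!"}:
        problems.append("'!' is the only symbol; pick something less common")

    return problems


def is_acceptable(pw: str) -> bool:
    """True when no rule is violated."""
    return not check_password(pw)
```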
Block devices that don’t need the connection to function from accessing the internet. One of the easier ways to do this is to treat your internet-connected toaster like a child who hasn’t finished its chores and doesn’t get internet access. Use the parental controls on your router to block access for specific devices. You can also look under firewall settings. I have a lot of devices that, after initial setup, were blocked from outside internet traffic and still work wonderfully; this is one of the great things about Home Assistant: instead of each device needing an outside connection, they can all connect to, and be controlled from, a single access point (which I’m sure you have secured nicely).