The Raspberry Pi, BeagleBone, and the countless other Single Board Computers (SBCs) out there are making their way into everyday life. When you see a digital menu board at a fast food restaurant, it’s likely an SBC behind it; when you see the flight information at an airport terminal (if it’s safe to fly ever again!), it too is likely an SBC. In fact, even on board planes themselves, many seat-back entertainment devices are based on small ARM computers. So how do you go about securing these devices in a commercial setting? Or, for that matter, how does a home hobbyist or semi-pro user do the same? Keep reading for some tips and tricks.
Physical (or asset) security
The physical security aspects really depend on your data. As these SBCs generally cost under US$50, the real cost of having one stolen probably isn’t the value of the hardware, but the value of any data on it or the loss of use (in our digital menu board example, your customers won’t know what they can order!). The data itself is usually stored on an SD card or on USB flash storage (or in some cases spinning disk storage). As the device itself offers no physical security, it’s up to you to put it in a lockable enclosure, or ensure that it’s physically located in a hard-to-get-to place. In many cases the whole unit may boot over the network (not really stand alone then, is it?), so there is no data to secure, and just being mounted to a monitor high on the wall may be sufficient security. Most single board computers don’t have such things as BIOS protection (like a TPM) or secure boot, so they probably aren’t the best choice in places where this is a problem. There are several small computers that do include these protections, although they tend to cost closer to US$250 or more, but if you need data integrity where an evildoer might have access to your machine, it might be worth the cost.
“Real” Stand Alone, Network connected, or occasionally network connected.
Speaking of stand alone, there are three sorts of definitions. Some folks call a fully network connected machine “stand alone” if it just sits at the end of a network and passively displays information, or has a simple touchscreen (like for selecting movies in a plane, or directions in a mall). Your security needs will be different in these scenarios. The network connected device needs the most attention. SBCs are still real, full computers, often running full versions of Linux, and therefore vulnerable to any bug that affects a desktop Linux computer (with the same packages installed). There are plenty of reasons to worry about security even if the computer is displaying low value items. You may not care if the flash storage gets locked with ransomware (just throw it out and start over!), but how would you feel if a script kiddie (hobby hacker) were to make your screens all display inappropriate material? Depending on the jurisdiction an angry parent could sue, or at the very least you’d be embarrassed by the situation. So on a network connected machine, ensure that you keep up with all the patches, updates, firewalling, etc. that you would on your main desktop machine.
If your machine is network detached, security is still critical. Famously the Iran centrifuges were allegedly hacked by a USB update or careless USB drive swapping (the truth is only known to the Iranians and the organization that hacked them). So if you are using SBCs to run a critical process, you still need to be very sure your updates are genuine by checking their hashes against the ones published by the developers/distributors. Again, if you are displaying a menu board, perhaps the risk is worth it. Keep managing risk in mind at all times to determine the amount of effort that is appropriate for you. If your machine runs a hospital appliance that will kill someone with a malfunction, then use all the security. If your machine is displaying boba tea prices, then somewhat less.
Insider Threats
In our case of using the SBC to control a process that someone may want to break, you still need to account for insider threats. Again, these boards have very little physical security, and an insider may have a copy of the key to get into the SBC lock box. In these cases you must worry about vetting your people, or instituting multi-person control (for example, a server/machine room that has two locks, where no one person has both keys), thus minimizing your chances of a single rogue actor having access and being able to disable your equipment. In many cases (like our fast food worker) your insiders might be bored and looking to play a prank (all drinks are 10 cents today only!), but those cases need far less security.
Conclusion
Cheap general purpose SBCs are probably not best for applications that require extreme security, as they don’t have many security features built in; however, Linux (and other common SBC OSes) does support things like full disk encryption and is updated regularly against threats (unlike some proprietary machine/real-time OSes). So for moderate and low security needs they are an ideal, and very cheap, solution.