Secure Your Digital Assets
Encrypt your filesystem, data and credentials. Protect from cyberphysical attacks.
Your digital assets are worth much more than a $35 Pi!
Raspberry Pi is no longer just the purview of educational establishments and hobbyists; Pis of all flavors, and in particular Raspberry, have graduated to commercial applications with millions deployed in the field and many more in the pipeline. This growth should be no surprise given the generation of coders who are growing up on Pi and the accessibility enabled by a low price, expansive ecosystem and robust supply chain. Expect more Pis to show up in thin clients, digital signage, kiosks and more!
A higher standard of security is expected
Pi developers is that they are increasingly being held to a high standard of security by customer CISOs who care about penetration of their networks and by their company CEOs who care about securing the intellectual property that sits on the removeable SD card. At a recent meeting with an executive of a public company who uses Raspberry Pi (yes they do) we were asked the question “So what specifically is worth securing on our Pi?”.
This was a serious question on her part, motivated by a proactive strategy of securing her company’s digital assets and her customers' infrastructure. The answers we discussed are the motivation for this post.
Secure your intellectual property - secure you SD card.
Most people would agree that a $1M SD card is worth securing.
Typical commercial applications contain man-years and more likely man decades worth of software development. In business terms this represents a dollar asset on the balance sheet with the promise of generating recurring revenue for years to come. If you lose exclusivity of that asset – by someone copying it – then your business will lose valuable revenues and worse still your entire business can be put at risk. It happens often and particularly when your products are placed in distant countries, are unattended and serviced by unknown contractors. By the time you find out it’s often extremely hard, if not impossible, and expensive to remedy. This is particularly true of Pi's because it’s very easy to remove the SD card and copy the contents, but it's also true of other unattended IoT devices in general.
Secure your infrastructure - secure your credentials
If your application connects to external cloud services, then you will be using credentials for access and probably for encryption too.
On the Raspberry Pi, these credentials have to be stored on the SD card, usually in the same file location (/etc) making them easy to find and usually ”in the clear” (not encrypted) making them easy to read. It’s a simple task to remove the SD card, copy the credentials and then gain access to a host network and upstream services. Any CISO is going to demand that these credentials are locked down, obscured and not directly accessible.
Secure your revenue streams - secure your data
Often the data generated by applications is a valuable source of revenue (either directly or in a derivative form) and storing it “in the clear” on an SD card is the equivalent of leaving cash on the front door step. The value is particularly high if data is unique and irreplaceable as in medical records, proprietary as in industrial process control, or a direct proxy for cash as in the count of products dispensed from a vending machine. Unlike data in flight which benefits from TLS and other encryption protocols, data at rest is often not encrypted. Not encrypting data at rest is a bad strategy especially when devices are unattended, in some distant location beyond the control of a CISO’s security firewall.
Solar data logger by Brian Dorey
Secure your digital assets - secure your Pi
Convinced that her business had digital assets worth securing, our customer asked the question, "How can I secure my Raspberry Pi?"
The following are generic recommendations we would give for any Pi that is destined to live in the real world, especially ones that are unattended and only periodically connected to cloud services.
- Encrypt everything you can – data, files, credentials
- Store keys and credentials in a secure place – preferably an independent hardware root-of-trust device
- Use strong device-identity based authentication to access keys – measured hardware & software fingerprint
- Add physical security - tamper detection, power quality monitor, shock & orientation
Zymkey security module for Raspberry Pi
Zymkey is the only security module designed specifically to secure digital assets on Raspberry Pi. It can also be used on other flavors of Pi, depending upon the OS distribution being used.