Don’t be stained by Raspberry PI’s

by Brett Henebery05 Sep 2017
While Raspberry Pi’s are a great tool to teach students programming and code, they can also be a serious security concern if the right precautions are not in place.

The Raspberry Pi is a series of small single-board computers designed to promote the teaching of basic computer science in schools.

However, while these devices might be a great tool to teach students programming and code, they can also be a serious security concern if the right precautions are not in place.

This is the view of Mark Verbloot, director of systems engineering, South Pacific at Aruba – a Hewlett Packard Enterprise company.

With over 30 years’ experience, Verbloot regularly contributes commentary on new trends, technical updates and adoption of technology across various industries – from education to retail and public facing enterprise.

Below, The Educator asks Verbloot about the factors schools should be aware of when implementing devices like Raspberry Pi’s, and the key technology trends taking shape across the K-12 education industry.

TE: The issue of schools opening themselves up to malicious conduct is obviously a serious one. Are there any examples you’re aware of where a school has fallen victim to this as a result of using Raspberry Pi’s without a Secure Network?
While Raspberry Pi’s are small and affordable computers that are a perfect tool to teach students programming and code, these devices could potentially cause havoc for education facilities and are a serious security concern if the right precautions are not in place.

Although Raspberry Pi’s are great education tools, they can also lend themselves as low cost hacking tools. For example, Raspberry Pi’s Zeros can be loaded with PoisonTap software.

PoisonTap is designed make the USB port on the Raspberry Pi Zero emulate a network device and allows network hijacking, cookie siphoning, remote access into web-based backdoors as well as internal router backdoor and remote access.

Whilst this is a physical attack (The Raspberry Pi needs to be plugged into the USB port of another computer) many other hacking tools can easily be found online that will allow the Raspberry Pi to connect over Wi-Fi to the network and be accessed remotely.

To reduce the likelihood that Raspberry Pi’s can be used maliciously, Verbloot pointed out some precautions to consider:
  • Set up a tightly controlled network just for “Things” - Not allowing Raspberry Pi’s to connect to the same networks used by students and staff.
  • Secure your network– With Aruba ClearPass Profiler, IT teams can identify all of the devices connected to the wired and wireless network. It gives you visibility of all device types and allows you to build much more stringent access control policies for the headless IoT devices, such as Raspberry Pi’s.
  • Consider using UEBA (User and Entity Behavior Analysis). UEBA is the new frontier in detecting anomalous behavior from users or Things by using machine learning. UEBA will baseline normal user and device behavior and report on anything outside of the baseline.
TE: What are some of the key technology trends you see developing across the K-12 education industry, and which ones do you feel are the most important to school leaders?
A major trend we’re starting to see that will have application in schools is machine learning technologies applied to the network and security.

The power of machine learning can improve the user experience by continually optimising network performance and prevent inside cyberattacks by understanding the user and entity behavior over time.

With the introduction of machine learning-based solutions, we are entering a new age of possibilities for smarter, automated networks in schools. 

With schools continually introducing new devices onto the network to support learning and teaching initiatives, machine learning will become more and more embedded in the network and security layers, easing the burden for IT teams, and further improving network security.

Related stories:
Is your school protected against cyberthreats?
Why the responsibility of schools’ cybersecurity rests with principals