    Note for Raspbian Bullseye users

    Worth a watch if you are a Raspbian Bullseye user

    https://m.youtube.com/watch?v=2DVDKU0I9fs

    #2
    Thanks for posting this. I'm really surprised that HST's devices are shipped with a common user password as well as a common root password. On top of that, root SSH is allowed with a password.

    We dealt with California SB-327 requirements over 2 years ago when they went into effect in January 2020. This came from the Asus router hacking and the Ring door camera fiasco. (b)(1) and (b)(2) both apply. Technically, HST is breaking CA law if they sell a hub product to anyone in CA.


    THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

    SECTION 1. Title 1.81.26 (commencing with Section 1798.91.04) is added to Part 4 of Division 3 of the Civil Code, to read:

    TITLE 1.81.26. Security of Connected Devices

    1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
    (1) Appropriate to the nature and function of the device.
    (2) Appropriate to the information it may collect, contain, or transmit.
    (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
    (b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
    (1) The preprogrammed password is unique to each device manufactured.
    (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

    Here's the link to the entire text if anyone is interested: https://leginfo.legislature.ca.gov/f...201720180SB327


    "if I have seen further [than others], it is by standing on the shoulders of giants." --Sir Isaac Newton (1675)



      #3
      The UK has new laws coming in on stopping manufacturers using default user/passwords on IOT and other connected devices:

      A consumer connectable product is an internet-connectable or network-connectable product. The government has stated that the security requirements will apply in relation to products including:
      • smartphones
      • connected cameras, TVs and speakers
      • connected children’s toys and baby monitors
      • connected safety-relevant products such as smoke detectors and door locks
      • Internet of Things base stations and hubs to which multiple devices connect
      • wearable connected fitness trackers
      • outdoor leisure products, such as handheld connected GPS devices that are not wearables
      • connected home automation and alarm systems
      • connected appliances, such as washing machines and fridges
      • smart home assistants
      Our regulator will have the power to fine companies up to £10m ($13m) or 4% of their global turnover, as well as up to £20,000 ($26,000) a day for ongoing contraventions.

      I expect the RPi foundation is covering themselves for this and other laws around the world.

      For example, Homeseer would not be permitted to sell their hubs here with default user/passwords when this becomes law.

      More info: https://www.bbc.co.uk/news/technology-59400762

      Jon



        #4
        This will be a worldwide directive. The EU have also implemented this directive. To be honest it's long overdue. Too many bad habits have crept into the Linux world via the Raspbian OS.



          #5
          For those who prefer a 10 minute read on the subject https://www.raspberrypi.com/news/ras...te-april-2022/



            #6
            Unfortunately the solutions they are implementing don't help the systems integrator, like HST, very much. HST will have to take the base OS, create an account, load HS4, mono, etc and make any other mods, wipe the account they created, and then provide a mechanism for the end user to create a new account after purchase.

            For HST, the other option would be to leave the homeseer user but force the password to be changed at first login, before the hub can be used. Also, IMHO, homeseer should own /usr/local/HomeSeer, not root. Forcing a user to be root to run/modify an application is a bad thing. Again, IMHO.

            EDIT: This could also be built-in to the HS4 setup and be browser based.
            "if I have seen further [than others], it is by standing on the shoulders of giants." --Sir Isaac Newton (1675)



              #7
              I’ve no comment to make at this time other than to say the devs are now aware of the situation if they weren’t already aware by now so if any changes need to be made they are proactive rather than reactive. While I do run my HS system on an SBC it’s not on the RPI platform.



                #8
                To all those it may concern, that is, those with older versions of Raspbian: run the commands below.

                sudo su
                • Copy and paste the following commands:
                  # patterns are anchored to the account field so that only the "pi" account is
                  # renamed, not other entries that merely contain "pi" (e.g. the spi and gpio groups)
                  sed -i 's/^pi:/<new_user>:/; s#:/home/pi:#:/home/<new_user>:#' /etc/passwd
                  sed -i 's/^pi:/<new_user>:/' /etc/shadow
                  sed -i 's/^pi:/<new_user>:/; s/\([:,]\)pi\([:,]\|$\)/\1<new_user>\2/g' /etc/group
                  sed -i 's/^pi:/<new_user>:/; s/\([:,]\)pi\([:,]\|$\)/\1<new_user>\2/g' /etc/gshadow
                  sed -i 's/^pi\([[:space:]]\)/<new_user>\1/' /etc/sudoers
                  # on Raspberry Pi OS the pi NOPASSWD rule lives in /etc/sudoers.d/010_pi-nopasswd; apply the same edit there
                  mv /home/pi /home/<new_user>
                  reboot

                <new_user> = your preferred (chosen) user name

                Source: https://raspberrytips.com/change-raspberry-pi-username/

                Note : If your raspberry pi runs Node-RED, read this : https://nodered.org/docs/faq/customising-systemd-on-pi

                This too may apply to any other application you may have which use the user pi so change accordingly based on their instructions...



                Eman.

                TinkerLand : Life's Choices,"No One Size Fits All"
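The rename procedure in #8 has a pitfall that is easy to miss: an unanchored `s/pi/<new_user>/g` rewrites every string containing "pi", and on a Raspberry Pi that includes the spi and gpio groups. The script below is an added example, not code from the forum post or from raspberrytips.com. It runs both the unanchored substitution and an anchored one against constructed copies of /etc/group and /etc/passwd so the difference is visible without touching the real files. The target name "hsadmin" and the sample file contents are assumptions made for the demo; GNU sed (as shipped on Raspberry Pi OS) is assumed.

```shell
#!/bin/sh
# Added example, not code from the forum post or from raspberrytips.com.
# Shows, on constructed copies of /etc/group and /etc/passwd, why the
# rename must be anchored to the account field: a bare "s/pi/NEW/g" also
# rewrites the unrelated spi and gpio groups.  The target name "hsadmin"
# and the sample file contents are assumptions for this demo.  Requires
# GNU sed (as on Raspberry Pi OS).

# naive_rename FILE OLD NEW: the unanchored substitution from the post.
naive_rename() {
    sed -i "s/$2/$3/g" "$1"
}

# rename_account_entries FILE OLD NEW: rewrite OLD only where it is a whole
# account token: the name field at the start of a line, a member in a
# comma-separated list, the last element of the home directory, or the user
# at the start of a sudoers rule.  Works on passwd, shadow, group, gshadow
# and sudoers(.d) files alike.
rename_account_entries() {
    sed -E -i \
        -e "s/^$2:/$3:/" \
        -e "s/([:,])$2([:,]|$)/\1$3\2/g" \
        -e "s#:/home/$2:#:/home/$3:#" \
        -e "s/^$2([[:space:]])/$3\1/" \
        "$1"
}

# build_sample_group FILE: constructed /etc/group lines (not a real file).
build_sample_group() {
    printf '%s\n' \
        'sudo:x:27:pi' \
        'spi:x:999:pi' \
        'pi:x:1000:' \
        'gpio:x:997:pi,ops' \
        > "$1"
}

# build_sample_passwd FILE: constructed /etc/passwd lines (not a real file).
build_sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'pi:x:1000:1000:,,,:/home/pi:/bin/bash' \
        > "$1"
}

# demo_rename: print the constructed files after each kind of rename.
demo_rename() {
    g=$(mktemp); p=$(mktemp)
    build_sample_group "$g"; naive_rename "$g" pi hsadmin
    echo '--- group after naive s/pi/hsadmin/g (spi and gpio mangled):'; cat "$g"
    build_sample_group "$g"; rename_account_entries "$g" pi hsadmin
    echo '--- group after anchored rename:'; cat "$g"
    build_sample_passwd "$p"; rename_account_entries "$p" pi hsadmin
    echo '--- passwd after anchored rename:'; cat "$p"
    rm -f "$g" "$p"
}

# "sh rename-demo.sh demo" prints the before/after comparison.
if [ "${1:-}" = "demo" ]; then demo_rename; fi
```

To apply `rename_account_entries` to the live system you still need to do it from a root shell while no process of the old user is running, exactly as the post's `sudo su` ... `reboot` sequence does; the function only changes which lines get touched, not when it is safe to run.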



                  #9
                  In the newer HS4-Pi images, user "pi" is disabled. It's either "homeseer", which is a sudoer, or "root". Both are accessible via ssh and both have published default passwords. The default passwords should be changed with the 'passwd' command at first login. Also, IMHO, 'PermitRootLogin yes' should be changed to no in /etc/ssh/sshd_config.
                  "if I have seen further [than others], it is by standing on the shoulders of giants." --Sir Isaac Newton (1675)
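The two concrete fixes proposed in this thread, forcing a password change at first login and taking /usr/local/HomeSeer away from root (#6), and turning off PermitRootLogin in sshd_config (#9), as a script. This is an added example, not code from HomeSeer or from either poster. The sshd_config editing is exercised on a constructed sample file; the root-only steps (passwd, chage, chown, service restart) are grouped in one function that only runs when the script is invoked with "apply". It assumes GNU sed/awk and Debian's "ssh" service name, as on Raspberry Pi OS; the user "homeseer" and the path /usr/local/HomeSeer are as named in the posts.

```shell
#!/bin/sh
# Added example (not HomeSeer's or the forum's code): the fixes from posts
# #6 and #9 as idempotent shell functions.  Assumes GNU sed/awk and the
# Debian "ssh" service name, as on Raspberry Pi OS.  The sample sshd_config
# below is constructed for the demo and is not the real file.

# get_sshd_option FILE KEY: print the value sshd would use, i.e. the first
# active (uncommented) occurrence, matched case-insensitively like sshd does;
# "(default)" if the keyword is absent and the compiled-in default applies.
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }' "$1"
}

# set_sshd_option FILE KEY VALUE: remove every active occurrence of KEY
# (including any inside a Match block, which would otherwise override the
# global setting) and put "KEY VALUE" on the first line, ahead of any Match
# block, because sshd honours the first occurrence of a keyword.  Commented
# lines are left alone as documentation.  The file's inode and mode are kept.
set_sshd_option() {
    sed -E -i "/^[[:space:]]*$2([[:space:]]|$)/Id" "$1"
    { printf '%s %s\n' "$2" "$3"; cat "$1"; } > "$1.tmp"
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# harden_sshd_config FILE: post #9's recommendation.  Root maintenance still
# works through the sudoer account.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
}

# build_sample_sshd_config FILE: constructed stand-in for /etc/ssh/sshd_config.
build_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sshd_config
#Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
Match User homeseer
    X11Forwarding no
EOF
}

# apply_hub_hardening: the steps a hub image would run once, as root.
apply_hub_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t && systemctl restart ssh             # validate the config before restarting
    passwd -l root                               # retire the published root password
    chage -d 0 homeseer                          # force a new password at homeseer's next login (post #6)
    chown -R homeseer:homeseer /usr/local/HomeSeer   # app tree owned by the service user, not root (post #6)
}

# "sh hub-harden.sh apply" runs the root-only steps on the hub itself.
if [ "${1:-}" = "apply" ]; then apply_hub_hardening; fi
```

`set_sshd_option` deliberately deletes the keyword from Match blocks too: a per-user `PermitRootLogin yes` further down the file would win over a commented-out global default, which is exactly the kind of surprise an audit of a shipped image should remove rather than preserve.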



                    #10
                    Originally posted by kenm View Post
                    In the newer HS4-Pi images, user "pi" is disabled. It's either "homeseer", which is a sudoer, or "root". Both are accessible via ssh and both have published default passwords. The default passwords should be changed with the 'passwd' command at first login. Also, IMHO, 'PermitRootLogin yes' should be changed to no in /etc/ssh/sshd_config.
                    Yes true in that regard... else the OP's comments were for the "device's" general protection at OS initial installation...


                    Eman.
                    TinkerLand : Life's Choices,"No One Size Fits All"

