The Raspberry Pi Foundation has recently announced the launch of a new product: the Raspberry Pi 400. This is a well-integrated device in which the computer is embedded in a compact keyboard, with a 1.8GHz ARM CPU – slightly faster than the previous Raspberry Pi model. Additionally, the device comes with 4GB of RAM, Wi-Fi, Bluetooth 5.1, Bluetooth Low Energy and Gigabit Ethernet. A microSD card is used for the operating system and to store data. This new design takes most of the work out of setting up a Raspberry Pi 4 as a computer, with the user only needing a few cables, a monitor and a mouse to use the Pi 400. Plugging the keyboard into a monitor using one of its two micro HDMI ports, inserting a microSD card, and attaching a power cord and a mouse is all that needs to be done to set up the device.
The design and price (only $70) of this device are intended to make it more attainable and user-friendly – great for those wanting to learn how to code or continue a hobby. But what about when it is used by malicious actors? The device is not only relatively inexpensive but also looks entirely unsuspicious, making it an appealing tool for bad actors seeking to cause damage. Increasing its appeal is the fact that, when plugged in, it is recognized as a genuine HID by the computer, thereby not raising any alarms. Moreover, many hacking and pen testing tools are optimized for Raspberry Pi devices, meaning that an attack using such a device is easy to carry out – and the Pi 400 is able to carry out a variety of dangerous attacks that can have major consequences for the victim. Hence, the Raspberry Pi 400 presents a major cyber security risk to enterprises, and awareness of the tool is imperative, especially because of its deceptive characteristics. Without visibility into hardware assets, an attack can last months, if not years; and no organization is immune – just ask NASA.
History has shown that attackers are fully aware of the specific “blind spots” that enterprises have when it comes to platforms like Raspberry Pi. One such incident happened when the US federal agency was hacked in 2019 using a Raspberry Pi, and 500 megabytes of data from 23 different files were stolen. The attack went unnoticed for almost a year, causing a significant data breach and resulting in two linked organizations choosing to disconnect from the agency’s – not to mention the reputational damage that was done. By accessing NASA’s network with the Raspberry Pi, the attackers were able to move freely between the various systems within the network, intensifying the damage caused by the attack. The considerable depth to which the attackers went gave them access to several sensitive operations, which could have caused a major national security risk. Because of NASA’s reduced visibility into devices connected to its network, the attackers were able to remain inside the agency’s network for a long period of time. Evidently, device visibility is essential for all organizations to ensure that they know what they have and can protect what they own. Hence, Hardware Access Control should be a vital part of any enterprise’s cyber security scheme to enhance protection and avoid attacks conducted by malicious hardware devices. So, to answer the question in the title of this blog – no, the Raspberry Pi 400 is not 100x safer than Pi 4. In fact, when in the wrong hands, it might just be 100x more dangerous.