Reply to post:

‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app

doublelayer Silver badge

That really depends on what the user or buyer is worried people might do. For example, if this is public facing, could a member of the public do something to interfere with it? Can a user connect a USB device or activate and thereby attack your management system? If they can, that's an attack surface you have to deal with.

Then we get this: "And the user/password is well known (say the default RPi user/password), because the screen logs in automatically on boot."

That's insecure. Here's why. First, don't have something log in automatically unless you need to. Have an account run the UI on boot, but don't give it a logged-in desktop session if the user can manage to close your UI. If this is an appliance, you likely don't even need to give them any way out of it, so don't let a desktop environment circumvent that. Also, change the passwords. Yes, SSH is off for now, but you still have other security to worry about. If they get a login window somehow, you don't want anyone who guesses pi/raspberry to have root access. Similarly, disable the pi user's no-password sudo rights. This is a potential issue, and you can fix it very quickly.
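The three fixes in the comment above (run the UI from a service account rather than an auto-logged-in desktop, change or lock the default account, and remove the pi user's passwordless sudo) written out as a script. This is an added example, not code from the post or from Raspberry Pi OS. It assumes a Raspberry Pi OS image with systemd and lightdm, GNU sed, a hypothetical UI binary at /opt/kiosk/ui, and a service account called "kiosk"; every function takes a root prefix so the changes can be dry-run against a staging directory before touching the live filesystem.

```shell
#!/bin/sh
# Added example (not from the original post): harden a Raspberry Pi kiosk
# that currently auto-logs the default "pi" user into a desktop session.
# Assumptions (hypothetical, adjust for your image): Raspberry Pi OS with
# systemd and lightdm, GNU sed, UI binary at /opt/kiosk/ui, service user
# "kiosk". Functions take a root prefix so they can be tested on a staging
# directory; the live system is only touched when APPLY=1 is set.
set -u

KIOSK_BIN="/opt/kiosk/ui"   # hypothetical path to the kiosk UI program

# 1. Start the UI from a systemd unit as an unprivileged, shell-less user.
#    There is no desktop session to fall back into if the UI is closed;
#    systemd simply restarts the program.
write_kiosk_unit() {
  root="$1"
  mkdir -p "$root/etc/systemd/system"
  cat > "$root/etc/systemd/system/kiosk.service" <<EOF
[Unit]
Description=Kiosk UI (no interactive login)
After=multi-user.target

[Service]
User=kiosk
Group=kiosk
ExecStart=$KIOSK_BIN
Restart=always
RestartSec=2
# Keep the UI process from gaining privileges or writing outside /tmp
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# 2. Comment out lightdm's autologin so nobody gets a logged-in desktop for
#    free. (A kiosk does not need a display manager session at all.)
disable_desktop_autologin() {
  conf="$1/etc/lightdm/lightdm.conf"
  [ -f "$conf" ] || return 0
  sed -i 's/^[[:space:]]*autologin-user=/#&/' "$conf"
}

# 3. Remove the NOPASSWD sudo rule Raspberry Pi OS ships for the pi user.
disable_nopasswd_sudo() {
  rm -f "$1/etc/sudoers.d/010_pi-nopasswd"
}

# Check: succeed only if the unit exists, no sudoers drop-in still grants
# NOPASSWD, and lightdm no longer auto-logs anyone in.
check_hardened() {
  root="$1"
  [ -f "$root/etc/systemd/system/kiosk.service" ] || return 1
  if grep -rqs '^[^#]*NOPASSWD' "$root/etc/sudoers.d"; then return 1; fi
  if grep -qs '^[[:space:]]*autologin-user=' "$root/etc/lightdm/lightdm.conf"; then return 1; fi
  return 0
}

# Apply to the running system only when asked explicitly (run as root).
if [ "${APPLY:-0}" = 1 ]; then
  id kiosk >/dev/null 2>&1 || \
    useradd --system --shell /usr/sbin/nologin --home-dir /nonexistent kiosk
  write_kiosk_unit /
  disable_desktop_autologin /
  disable_nopasswd_sudo /
  passwd -l pi          # lock the default account (or set a strong one: passwd pi)
  systemctl daemon-reload
  systemctl enable kiosk.service
  check_hardened / && echo "hardened"
fi
```

Run it once without APPLY against a copy of the image's /etc to see what changes, then with `APPLY=1` as root on the device. Locking pi rather than deleting it keeps existing ownership of files intact; if you do delete it, make sure nothing in the boot path still references it.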
