Spectre and Meltdown Attacks Against OpenSSL

The OpenSSL Technical Committee (OTC) was recently made aware of several potential attacks against the OpenSSL libraries which might permit information leakage via the Spectre attack [1]. Although there are currently no known exploits for the Spectre attacks identified, it is plausible that some of them might be exploitable.

Local side channel attacks, such as these, are outside the scope of our security policy; however, the project generally does introduce mitigations when they are discovered. In this case, the OTC has decided that these attacks will not be mitigated by changes to the OpenSSL code base. The full reasoning behind this is given below.

The Spectre attack vector, while applicable everywhere, is most important for code running in enclaves because it bypasses the protections offered. Example enclaves include, but are not limited to:

The reasoning behind the OTC’s decision to not introduce mitigations for these attacks is multifold:

  • Such issues do not fall under the scope of our defined security policy. Even though we often apply mitigations for such issues we do not mandate that they are addressed.
  • Maintaining code with mitigations in place would be significantly more difficult. Most potentially vulnerable code is extremely non-obvious, even to experienced security programmers. It would thus be quite easy to introduce new attack vectors or fix existing ones unknowingly. The mitigations themselves obscure the code which increases the maintenance burden.
  • Automated verification and testing of the attacks is necessary but not sufficient. We do not have automated detection for this family of vulnerabilities and if we did, it is likely that variations would escape detection. This does not mean we won’t add automated checking for issues like this at some stage.
  • These problems are fundamentally a bug in the hardware. The software running on the hardware cannot be expected to mitigate all such attacks. Some of the in-CPU caches are completely opaque to software and cannot be easily flushed, making software mitigation quixotic. However, the OTC recognises that fixing hardware is difficult and in some cases impossible.
  • Some kernels and compilers can provide partial mitigation. Specifically, several common compilers have introduced code generation options addressing some of these classes of vulnerability:
    • GCC has the -mindirect-branch, -mfunction-return and -mindirect-branch-register options
    • LLVM has the -mretpoline option
    • MSVC has the /Qspectre option

  1. Nicholas Mosier, Hanna Lachnitt, Hamed Nemati, and Caroline Trippel, “Axiomatic Hardware-Software Contracts for Security,” in Proceedings of the 49th ACM/IEEE International Symposium on Computer Architecture (ISCA), 2022.

Posted by OpenSSL Technical Committee May 13th, 2022 12:00 am

Source :
https://www.openssl.org/blog/blog/2022/05/13/spectre-meltdown/

Raspberry Pi removes default user to hinder brute-force attacks

An update to Raspberry Pi OS Bullseye has removed the default ‘pi’ user to make it harder for attackers to find and compromise Internet-exposed Raspberry Pi devices using default credentials.

Starting with this latest release, when installing the OS, you will first be prompted to create an account by choosing a username and password (before this change, the OS installer would only ask for a custom password).

You can no longer skip this step since the setup wizard will be launched when first booting the device (previously, you could hit Cancel to use the default pi/raspberry credentials).

While you can still choose to use a ‘pi’ username and ‘raspberry’ as your password, you will be warned that it’s not a wise choice.

“We are not getting rid of the ‘pi’ user on existing installs. We are not stopping anyone from entering ‘pi’ and ‘raspberry’ as the username and password on a new install,” said Simon Long, Senior Principal Engineer at Raspberry Pi.

“All we are doing is making it easy for people who care about security to not have a default ‘pi’ user – which is something people have been requesting for some time now.”

Raspberry Pi OS account creation wizard (Raspberry Pi)

When booting the image for the first time, Raspberry Pi OS Lite image users will also be asked to create a new account via command line text prompts.

If you want to run Raspberry Pi headless, you can create the user before booting into the OS by setting a username and a password via the Settings dialog before writing the image or adding a userconf file to the boot partition containing a username:encrypted-password pair.
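As an added example (my own script, not part of the article or of Raspberry Pi's own tooling), here is one way to produce that username:encrypted-password line for a headless setup. It assumes OpenSSL 1.1.1 or newer for "openssl passwd -6" (SHA-512 crypt, the hash format used in /etc/shadow), and it refuses the default pi/raspberry pair, in the spirit of the change described above:

```shell
#!/bin/sh
# Added example, not from the article: build the "username:encrypted-password" line that
# Raspberry Pi OS reads from a userconf file on the boot partition when booting headless.
# Assumptions: "openssl passwd -6" (SHA-512 crypt) is available (OpenSSL >= 1.1.1), and the
# default pi/raspberry pair is refused so this script cannot recreate the credentials the
# change described above was meant to retire.

make_userconf_line() {
  user="$1"
  pass="$2"
  # Usernames: lowercase letters, digits, '-' and '_' only (a conservative subset of what useradd accepts).
  case "$user" in
    ''|*[!a-z0-9_-]*) echo "rejected: invalid username '$user'" >&2; return 1 ;;
  esac
  if [ "$user" = "pi" ] && [ "$pass" = "raspberry" ]; then
    echo "rejected: default pi/raspberry credentials" >&2; return 1
  fi
  # SHA-512 crypt hash; -stdin keeps the password out of the process list.
  crypt_hash=$(printf '%s\n' "$pass" | openssl passwd -6 -stdin) || return 1
  printf '%s:%s\n' "$user" "$crypt_hash"
}

write_userconf() {
  # $1 = mount point of the boot partition, $2 = username, $3 = password
  line=$(make_userconf_line "$2" "$3") || return 1
  printf '%s\n' "$line" > "$1/userconf"
}
```

Usage is write_userconf /media/boot myuser 'a long passphrase' before writing the card back; the OS consumes the file on first boot and creates the account from it.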

Existing installations are not affected by this change. However, users can still switch to non-default credentials by updating their existing image and running the sudo rename-user command.

“This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” Long explained.

“But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”

For instance, the UK wants to enforce new regulations asking that IoT devices no longer come with default usernames and passwords but, instead ask customers to choose custom credentials, “not resettable to any universal factory default value.”

Source :
https://www.bleepingcomputer.com/news/security/raspberry-pi-removes-default-user-to-hinder-brute-force-attacks/

Raspberry Pi OS (64-bit)

Over the past year, we’ve been trialling a beta of Raspberry Pi OS in glorious 64-bit. Now it’s time to open it up to a wider audience.

The ARMv8-A architecture, which encompasses the 64-bit AArch64 architecture and associated A64 instruction set, was first introduced into the Raspberry Pi line with Raspberry Pi 3 in 2016. From that point on, it has been possible to run a full 64-bit operating system on our flagship products, and many third-party operating systems are available. However, we have continued to build our Raspberry Pi OS releases on the 32-bit Raspbian platform, aiming to maximise compatibility between devices and to avoid customer confusion.

Product             | Processor | ARM core   | Debian/Raspbian ARM port (maximum) | Architecture width
Raspberry Pi 1      | BCM2835   | ARM1176    | arm6hf                             | 32 bit
Raspberry Pi 2      | BCM2836   | Cortex-A7  | armhf                              | 32 bit
Raspberry Pi Zero   | BCM2835   | ARM1176    | arm6hf                             | 32 bit
Raspberry Pi Zero 2 | BCM2710   | Cortex-A53 | arm64                              | 64 bit
Raspberry Pi 3      | BCM2710   | Cortex-A53 | arm64                              | 64 bit
Raspberry Pi 4      | BCM2711   | Cortex-A72 | arm64                              | 64 bit

As you can see from the table above, it is easy to be confused about which products will support which Debian/Raspbian ports. Using arm6hf (Raspbian’s derivative of armhf with ARMv7-only instructions removed but floating-point instructions retained) provides us with an operating system which will run on every device we have ever manufactured, all the way back to 2011.

But we’ve come to realise that there are reasons to choose a 64-bit operating system over a 32-bit one. Compatibility is a key concern: many closed-source applications are only available for arm64, and open-source ones aren’t fully optimised for the armhf port. Beyond that there are some performance benefits intrinsic to the A64 instruction set: today, these are most visible in benchmarks, but the assumption is that these will feed through into real-world application performance in the future.

A more theoretical concern is that 32-bit pointers only allow you to address 4GB of memory. On Raspberry Pi 4, we use the ARM Large Physical Address Extension (LPAE) to access up to 8GB of memory, subject to the constraint that any process is limited to accessing 3GB (we reserve the top 1GB of the virtual address space for the kernel). Very few processes require more memory than this: happily Chromium, which is probably the most memory-intensive application in Raspberry Pi OS, spawns a process per tab. But some use cases will benefit from being able to allocate the entire memory of an 8GB Raspberry Pi 4 from a single process.

The 64-bit version of Chromium, installed by default, has no version of the WidevineCDM library, so it cannot play streaming media such as Netflix or Disney+. To switch to the 32-bit version instead, run the following in a terminal window:

sudo apt install chromium-browser:armhf libwidevinecdm0

To return to the 64-bit version:

sudo apt install chromium-browser:arm64 libwidevinecdm0-

So, head to the downloads page and grab your copy of 64-bit Raspberry Pi OS today. Let us know in the comments if your use case benefits (or suffers!) from the move to 64-bit.

Source :
https://www.raspberrypi.com/news/raspberry-pi-os-64-bit/

How to install and configure Ubiquiti Unifi controller on Raspberry Pi?

Written by Patrick Fromaget in How-To Tutorials

If you have already managed multiple Wi-Fi access points, you should know that this can be a nightmare …
But with good choices for hardware and a controller, this becomes easier.
That’s the main goal of the Unifi controller: handling most of the tasks on a wireless network so you avoid these issues.
It’s available on Raspberry Pi and I will show you how to install it.

How to install and configure Unifi controller on Raspberry Pi?
Start by adding the Ubiquiti server to the list of repositories for Raspberry Pi OS.
Then, the Unifi controller can be installed with apt and managed as a system service.

The installation is straightforward, you can install it like any Debian package.
But the access point configuration is not so easy, and I found no article explaining it.
As I’m using it at work, I can show you all the configuration steps with real access points and clients.

Before switching to Ubiquiti products, I remember having tested many brands to solve my issues, but none of them could support more than 10-20 users simultaneously (I even tested a fireproof model from D-Link, something like this one on Amazon ^^). So I definitely recommend trying Ubiquiti; it is cheap compared to other famous brands but works very well.
Let’s see how to do this!

Ubiquiti Networks products

Ubiquiti Networks introduction

Ubiquiti Networks is an American company, selling hardware for wireless technologies like access points, routers and cameras.
They started with wireless devices, and they are now diversifying into a broader range of products.
Their latest innovation concerns solar technology: they help you manage solar farms.

Anyway, the product that interests us today is a software: Unifi controller.
The goal of this product is to manage access points and wireless devices from a unique web interface.
From the interface, you can see all the access points and broadcast a unique SSID.
The controller will handle the roaming between access points and load distribution.

Why do I need these products?

These products target mainly companies and large areas but you can have the same needs at home if you get some issues with your Wi-Fi connection (rooms with no network, roaming, stability, etc.).
If you need more than one access point to cover the whole house, it could be interesting to install these products at home.

For example, let’s say you install three access points and the controller somewhere.
You’ll have only one Wi-Fi SSID in all the area (outdoor included).
And you can move from one side to another without disconnection.

Ubiquiti products

Ubiquiti products are distributed by resellers, but are also available on several e-commerce websites:

To test these products, you don’t need many things.
Just buy one or more access points and build your professional wireless network.
Here is the link: Ubiquiti Unifi AP on Amazon.

Several packages are available: a single AP (access point), 2 APs, 4 APs, etc.
Choose the one you prefer, but the bigger packs don’t save you much, so you can start with one or two and order the others later.

If you have a PoE switch (this one for example on Amazon), you can plug them in with just the network cable. A Ubiquiti switch is not mandatory; this one from Cisco is cheaper, for example. It depends on what you want to do with it and how many APs you have.

Whatever your choice, a PoE switch will make the installation easier.
If you want to start without one, there is a last option.
Ubiquiti provides an adapter with the AP (power cord + network = PoE network), but you need a power outlet and two RJ45 cables instead of a single cable for everything.
Here is the link to the PoE injector on Amazon; make sure to check the AP power requirements, as they are not all the same (a Pro AP needs PoE-48, for example).

Unifi controller installation

Now that you understand what are the Unifi products, we can move to the controller installation.

Installation on Raspberry Pi OS

As for any tutorial on this site, you first need to install Raspberry Pi OS on your Raspberry Pi.
Any version will do the job (I’m doing it with Raspberry Pi OS Lite).
If you don’t know how to do this, read my article on How to install Raspberry Pi OS on your Raspberry Pi.

Once installed, update it and reboot:
sudo apt update
sudo apt upgrade
sudo reboot

And enable SSH access with:
sudo service ssh start
This way you can follow this tutorial from your computer (if needed, check this post to learn more about this).

Set a static IP address

As our Raspberry Pi will be like a server on our network, we need to use:

  • A wired connection
    If you want a fast Wi-Fi network, you need to have your controller and your access point on a good connection.
    So, I don’t recommend setting up the controller with a Wi-Fi connection (at home it’s probably ok).
  • A static IP address
    The Raspberry Pi will become an important node on your network, so we need to fix its IP.
    By default, the Raspberry Pi uses DHCP to get whichever IP address is available.

For the static IP, you can either fix the IP in the DHCP server (your Internet router probably), or set a static IP in the Raspberry Pi configuration.

If you don’t know how to do this, I already explained it at the end of this article: Set a static IP address on your Raspberry Pi.

Unifi controller installation

Now we are ready to start the installation.
For these steps you have two choices:

  • Download and install the official Debian package directly from the website.
  • Add a new repository to manage the Unifi package with apt.

On the Ubiquiti downloads page you can find the Debian package to install the controller.
You can download it and install it on your Raspberry Pi.
But I don’t recommend it.

The controller is updated often, so you would have to download and install a new version manually about every month.
There is a repository available, and it’s easier to manage all updates with apt rather than doing everything by hand.

  • Connect with SSH to your Raspberry Pi.
  • Add the repository in the apt configuration file:
    echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
  • Add the key to the trusted keys:
    sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
    This lets apt verify the packages from that repository.
  • Run apt update to update the available packages list :
    sudo apt update
  • And finally, install the Unifi package:
    sudo apt install unifi
    Answer yes and wait a few seconds for the installation process to finish.
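The same four steps as a script, added here as an example (not the article’s own commands, and not Ubiquiti’s). It makes one change a defender would want: a key dropped into /etc/apt/trusted.gpg.d is trusted for every repository on the system, whereas a [signed-by=...] keyring scopes it to the Ubiquiti repository alone. It also checks the downloaded key against a SHA-256 digest you record beforehand from a machine you trust (the digest is a placeholder argument here). The URLs are the ones given above; the keyring path and the -y flag are my choices, and the key file is assumed to be in a format this apt version accepts in a keyring, as the trusted.gpg.d step above already assumes.

```shell
#!/bin/sh
# Added example, not the article's commands: install the Unifi controller from the Ubiquiti
# repository with the signing key scoped to that repository via [signed-by=...].
# Assumptions: URLs as given in the article; KEYRING and SOURCES_FILE paths are my choices;
# the expected SHA-256 digest of the key is a placeholder you record on a trusted machine first.

UNIFI_KEY_URL="https://dl.ui.com/unifi/unifi-repo.gpg"
UNIFI_REPO_URL="https://www.ui.com/downloads/unifi/debian"
KEYRING="/usr/share/keyrings/unifi-repo.gpg"
SOURCES_FILE="/etc/apt/sources.list.d/100-ubnt-unifi.list"

# The sources.list entry, scoped to the keyring. $1 = keyring path, $2 = repository URL.
unifi_sources_entry() {
  printf 'deb [signed-by=%s] %s stable ubiquiti\n' "$1" "$2"
}

# Compare a file's SHA-256 with an expected hex digest. $1 = file, $2 = expected digest.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# $1 = expected SHA-256 of the key (PLACEHOLDER: record it yourself from a machine you trust).
install_unifi() {
  sudo wget -q -O "$KEYRING" "$UNIFI_KEY_URL"
  if ! verify_sha256 "$KEYRING" "$1"; then
    echo "key digest mismatch, removing keyring and aborting" >&2
    sudo rm -f "$KEYRING"
    return 1
  fi
  unifi_sources_entry "$KEYRING" "$UNIFI_REPO_URL" | sudo tee "$SOURCES_FILE" >/dev/null
  sudo apt update
  sudo apt install -y unifi
}

# Only perform the installation when explicitly asked: sh install-unifi.sh install <sha256>
if [ "${1:-}" = "install" ]; then
  install_unifi "${2:?expected SHA-256 digest of the key}"
fi
```

Without arguments the script only defines the functions; with "install" and the recorded digest it performs the four steps and stops before touching apt if the key does not match.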

This is the end of the installation procedure, but your controller may not work yet.
You can check the service status with:
sudo service unifi status
If you get an error like this one on a fresh Raspberry Pi OS installation:

Starting Ubiquiti UniFi Controller: unifi
Cannot locate Java Home

Then you need to install Java to start the Unifi service.
Currently, the Unifi controller requires Java 8.
You may already have it from another application, but if you have this error, here is how to fix it:
sudo apt install openjdk-8-jre
And finally start the Unifi service:
sudo service unifi start
You can find more details about Java in this tutorial.

Check the status again if you want:
sudo service unifi status

If everything is ok, you can move on to the next part to learn how to use the software.

Unifi controller configuration

First access

To access the web interface, go to https://<IP>:8443
For example, in my case it’s https://192.168.1.25:8443/
You’ll get a browser warning because the controller doesn’t have a certificate your browser trusts yet.
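Before accepting that exception, a quick way to make sure the browser is talking to your controller and not to something else answering on port 8443 is to compare certificate fingerprints. The functions below are an added example (mine, not the article’s or Ubiquiti’s): they take a PEM copy of the controller’s certificate, which you export from the controller’s keystore yourself (not covered here), plus the host and port, and compare the SHA-256 fingerprint of what is served with that file. They rely on openssl s_client and openssl x509.

```shell
#!/bin/sh
# Added example, not from the article: compare the certificate served on https://IP:8443 with a
# PEM copy of the controller's own certificate before granting the browser exception.
# Assumptions: openssl is installed; $1/$2 are host and port; $3 is a PEM certificate file you
# exported from the controller (the export step is Unifi-specific and not shown here).

# SHA-256 fingerprint of a PEM certificate file, lowercase hex without colons (what browsers show).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate served on host:port. No chain validation is attempted here;
# the certificate is self-issued by the controller, so the comparison below is the check.
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Returns 0 when the served certificate is byte-for-byte the expected one.
fingerprint_matches() {
  [ "$(served_fingerprint "$1" "$2")" = "$(cert_fingerprint "$3")" ]
}

# Usage: fingerprint_matches 192.168.1.25 8443 controller.pem && echo "same certificate"
```

The SHA-256 fingerprint is simply the SHA-256 of the DER-encoded certificate, so the value printed by cert_fingerprint is the one the browser shows in its certificate viewer, and you can compare the two by eye before clicking through the warning.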

Accept the exception and move to the next page to configure everything you need to get started:

  • Step 1: Start by giving a name to the controller and click on “Next”.
  • Step 2: Choose if you want to enable the cloud interface (default) or not (advanced).
    It depends on what you are trying to do.
    If you are always on the same network (home or in a company), you don’t really need the cloud panel. But it can be useful for remote sites.
    • If you keep the default option, fill in the form to create a Unifi account.
    • On the advanced option, you have a form like this:

      If you enable one option, you need to create a cloud account AND a local account.
      I don’t need it for my test, so I disable everything.
  • Step 3: Sign in or configure options.
    This step is also different depending on your choice in the previous step
    You may need to sign in your account, or just to configure two additional options (auto backup and auto-optimize).
    Keep them enabled if asked.
  • Step 4: Configure your devices.

    You can just skip this, it’s not required for now. You can add devices at any time in the interface.
  • Step 5: You can finally configure your Wi-Fi settings now.

    You can also change this in the interface, so just pick something to get started.
  • Step 6: Finally, review your settings and you are ready to go.

Good job! You will now be redirected to the web panel.
We can finally see it and configure more things if needed.

Web interface overview

Once logged in the web interface, you’ll get many submenus to manage everything.
For the moment, it should be pretty empty, but in the left bar you can see:

  • Dashboard: Here you can have a preview of your network performance (number of APs and clients).
    Most of this dashboard needs the Unifi Security Gateway, so it’s not an important page.
  • Statistics: In this page you can monitor clients and traffic in the whole network.
    For the moment, nothing here 🙂
  • Map: In this one you can upload a map of your building, and place all APs on it.
    This way you can know where they are and see the global Wi-Fi coverage (approximately).
  • Devices: This page shows you all the Unifi devices you have on your network.
    It’s the most important page, you will manage APs from here.
  • Clients: Same thing for the clients. You’ll see here all the connected clients with information about them (IP, AP, network usage, …).
  • Insights: Here you can see miscellaneous information.
    I’m using this mainly to see known clients (not connected now, but you can check the history, block or unblock them).
  • Events: This window shows you all the recent logs on your network.
    This can be clients connections, AP upgrades, roaming, …
  • Alerts: Same thing with errors and warnings.
  • Settings: And this is the page where you’ll configure everything.
    We’ll use it to create the wireless network.
  • Chat support: If you need help from Unifi, you can ask for help here.

Now that you have visited the whole interface, we can move forward to configure the access point.

Add the first access point

Physical preparation

There are two possibilities for the access point cabling.

With a PoE switch:

  • Plug the access point into the PoE switch with an RJ45 cable.
  • Basically, that’s it.
    The status light should turn on and you can move to the next step.

Without PoE switch:

  • You must have a PoE adapter like this one.
    (It’s available on Amazon if you don’t have one with your access point: check it here.)
  • Connect the LAN port to your switch or wall network socket.
  • Connect the POE port to the access point.
  • If the access point LED starts to blink, it’s ok.

Software configuration

Now that we powered on the access point, we can go back to the Unifi web interface for the next steps:

  • Access the web interface: https://IP:8443.
  • Click on “Devices” in the left menu.
  • You should now see your access point in the list:
    The controller sees it, but we need to tell it that this access point belongs to this controller.
  • Click on “Adopt” at the end of the line.
    The adoption process starts, after a few seconds, you should get the “Connected” status.
  • If needed (probably), you can upgrade the AP firmware to the latest version by clicking “Upgrade”.
    Your access point will take a few minutes to download and update the firmware.

Anyway, the first access point is ready, and we can now create the wireless network (SSID).

You can click on the line to see and change other settings for the access point (on the right).

For example, you can set an alias for each access point to know which one is which.
In the properties window, click on the config tab and set an alias.

Change everything you want on the access point and move to the SSID creation.

Create your wireless network

Creating a wireless network is basically setting an SSID, a password and a security type.
You can do this in the “Settings” menu from the left bar:

  • In settings, click on “Wireless Networks”.
  • Then click on the “Create a new wireless network” button:
    create new network
  • In the new window, choose an SSID, a security type and a password:
    Choose WPA-Personal for security; WEP is not secure.
    And prefer a long password (ideally a phrase from 15 to 30 characters).
  • Click “Save”.

The access points will restart with the new settings.
After a few seconds, the new wireless network is available for all your devices.

Connect to it and check that everything works fine.
By default, the Unifi controller will give you an IP address within your main network.
You have nothing else to do, but you can change it in Settings > LAN.

Then go back to the different menus to see information and statistics about your device.
Enjoy 🙂

Related questions

Do I need to keep the Raspberry Pi on? Not really. As soon as the Raspberry Pi stops, the controller is no longer available, but the access points continue to work. You can still access the Wi-Fi network, but you lose the controller’s features, like roaming between APs.

Does the Unifi controller have advanced features you didn’t talk about? Yes, a lot. I made a quick tutorial, but you can do much more: schedule downtimes, create guest access (with or without a VLAN), RADIUS with Active Directory, MAC address filtering, blocking and unblocking clients, etc.

How do you reset a Unifi access point? If you lose access to an access point or see strange behaviour during the adoption process, you can reset it to factory defaults. To do this, use the reset button near the RJ45 socket: while the access point is on, keep the button pressed for 10 seconds, then wait for the reset.

Conclusion

That’s it, you know how to install and configure a Unifi controller on your Raspberry Pi.
This controller is running perfectly on my Raspberry Pi (3B+ and 4).
I don’t know how many clients it would handle, but at home it’s more than enough.

If you have questions on this topic, leave a comment below and I’ll help you.
I’ve been using this software at work for five years now, so I may have the answer 😉

Source :
https://raspberrytips.com/unifi-controller-raspberry-pi/