Linux and Raspberry Pi devices are proving a major security weak link

Raspberry Pi Network Install
(Image credit: Raspberry Pi Foundation)

There are hundreds of thousands of Linux and Raspberry Pi devices connected to the internet right now, protected by nothing more than the default password

In possession of these default passwords, cybercriminals are using numerous automated bots to scan for vulnerable devices. Once they find them, planting malware becomes relatively easy.

These are the findings of a new threat report from Bulletproof, which claims “knockknockwhosthere”, “nproc”, “1”, “x”, “1234”, “123456”, “root”, and “raspberry” are among the most common default passwords out there.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> <a href="" data-link-merchant=""" target="_blank">Click here to start the survey in a new window <<

Easy attack point 

“On the list are the default Raspberry Pi credentials (un:pi/pwd:raspberry). There are more than 200,000 machines on the internet running the standard Raspberry Pi OS, making it a reasonable target for bad actors. We also can see what looks like credentials used on Linux machines (un:nproc/pwd:nproc). This highlights a key issue - default credentials are still not being changed,” said Brian Wagner, Chief Technology Officer at Bulletproof. 

“Using default credentials provides one of the easiest entry points for attackers, acting as a ‘skeleton key’ for multiple hacks. Using legitimate credentials can allow hackers to avoid detection and makes investigating and monitoring attacks much harder.”

To make the situation even worse, the report claims a quarter of the passwords attackers use today originate from the RockYou database leak that happened more than a decade ago. 

For the purpose of the report, Bulletproof’s cybersecurity researchers created a honeypot, in the form of servers in public cloud environments with deliberate security vulnerabilities, in order to attract bad actors. 

Over the course of the research, bad actors initiated more than 240,000 sessions, while in total, more than half (54%) of over 5,000 unique IP addresses had intelligence that suggested they were bad actor IP addresses.

“Within milliseconds of a server being put on the internet, it is already being scanned by all manner of entities. Botnets will be targeting it and a host of malicious traffic is then being driven to the server,” continued Wagner. “Although some of our data shows legitimate research companies scanning the internet, the greatest proportion of traffic we encountered to our honeypot came from threat actors and compromised hosts."

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.