I’m a software engineer but don’t really know much about the hardware side. Did a math degree in college so I’m lacking in comp sci knowledge, to get my software job I jumped into fintech and learned the important software bits, design patterns, etc.
Anyways I want to make some gadgets using RPi or similar chips. For example I want to make a gadget with an e-ink screen that hits a public weather API endpoint once every 15 minutes and updates the screen with some weather info. Then I can put it in an encasement and just have it sitting on my desk and always have the weather info at a glance.
But when I started looking into this I saw all sorts of articles about securing you RPi and it seems like if you do it wrong you can introduce a security risk on your network. Is there a simple, even if heavy handed, solution to this? Such as, configuring my router to only allow that RPi device to make requests access certain endpoints, and not allow incoming requests at all?
You must log in or register to comment.
Nothing inherently insecure about RPi in specific. Same rules apply to any device in your network: if you expose services to the internet, you are introducing potential security risks. Does it have to be open to everyone? Should you limit access to specific known trusted clients? Can you use VPN rather than exposing it to internet? Is your authentication scheme robust? What data does the device have access to and does it NEED to have access to all of it?
If your device only makes outgoing requests then your main concern is whether you trust the service its polling.
A raspberry pi is extremely overkill for such a task. You could easily do this with an E-Ink display connected to an ESP32 or maybe an ESP8266. These have about 4mb of memory (depending on what board you buy) and onboard wifi/bluetooth. They cost about $5.
It kinda depends on how “professional” you want to implement that. There are ways to quickly hack together a proof of concept and there are ways to build a super secure and safe solution.
Some questions you should ask yourself
- how is it supplied via network / does it have interenet access?
- How is it initially configured?
- How many devices and locations are we talking? How do you want to manage those?
- Can you access it if you need to re-configure it? (e.g. when it is supplied via Wifi and the password changes) Or is it placed in a remote location?
- Is it a problem when someone opens it and thinkers with it? (do you have some keys stored on the device, for example to update the weather info, could those be abused?)
Can your API be abused to a degree where it is a problem for you or someone else?
Do you maybe have som sentivie or paid data there? - How do you want to do firmware/software updates?
- Is it a problem when one device gets compromized?
- How long should it survive? Temperature range/environmental conditions? Time? (think of limited lifetime of flash storage)
- How much power do you have available or shall it be battery powered?
An esp32 could be an adequate solution. An RPI should also be useable.
With the esp32 you can encrypt the flash and sign the images. It also offers a/b paritioning which is good when one image fails to boot or the update process gets interrupted.
I’d personally go with the esp32 as it seems to be better fitting the situation. Just keep in mind that the effort on your side is probably higher.
Implement some configuration interface, get used to the environment.
But if you write your app in C I guess it should be possible to run on both.
It might even make sense to slap together a proof of concept with an rpi because this will take less time and then switch to an esp32.