Raspberry Pi OS update beefs up security
Default user gone, Bluetooth pairing during setup, and latest LTS Linux kernel
An update to the Debian Bullseye-based Raspberry Pi OS is being rolled out with both quality-of-life improvements and one very important tweak: an overdue departure of the default user.
Previously, all installs of the Raspberry Pi OS (formerly known as Raspbian) had a default user called "pi".
This was handy for quick setups and convenience but a bit of an open goal on the security front. "This isn't that much of a weakness," insisted the Pi team, pointing out that you'd need to know the password as well to get access (and you'd need to have enabled remote access for miscreants to do their dirty work anywhere but locally) but still.
There is no getting away from the fact that its presence could expose credentials and "potentially make a brute-force attack slightly easier."
"Some countries," the team added, "are now introducing legislation to forbid any internet-connected device from having default login credentials."
With the latest update (which also adds the 5.15 Linux kernel), the default "pi" user has been removed in favor of a step in the now-compulsory setup wizard to create a user.
If a user really wants to (no doubt there are some apps for the diminutive computer that will take exception to a lack of "pi"), the old account can still be created, although there will be the odd notification suggesting that this really isn't a good idea.
A mechanism has also been provided for renaming the account on existing images.
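For existing installs, one way to check whether a "pi" account is still present and able to log in with a password. This is an added example, not code from the article or the Raspberry Pi team, and it only audits; it does not perform the rename. The function name, verdict strings and the sample files it builds are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): report whether a default-named account
# can still log in with a password. File paths and the name "pi" are parameters.
# Prints one verdict; returns 1 only for "password-login-possible".
audit_default_user() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    user=${3:-pi}

    # passwd(5) fields: name:x:UID:GID:GECOS:home:shell
    shell=$(awk -F: -v u="$user" '$1 == u { print "found:" $7; exit }' "$passwd_file")
    [ -n "$shell" ] || { echo "absent"; return 0; }
    shell=${shell#found:}

    case $shell in
        */nologin|*/false) echo "no-login-shell"; return 0 ;;
    esac

    # shadow(5) is normally readable by root only.
    [ -r "$shadow_file" ] || { echo "present-unverified"; return 0; }
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")

    # A hash field starting with "!" or "*" cannot match any password
    # (key-based SSH logins are not covered by this check).
    case $hash in
        '!'*|'*'*) echo "password-locked"; return 0 ;;
    esac
    echo "password-login-possible"
    return 1
}

# Demo on constructed sample files (the hash below is a made-up placeholder).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'pi:x:1000:1000:,,,:/home/pi:/bin/bash' > "$demo_dir/passwd"
printf '%s\n' 'root:*:19000:0:99999:7:::' \
    'pi:$6$CONSTRUCTED$placeholderhash:19000:0:99999:7:::' > "$demo_dir/shadow"
audit_default_user "$demo_dir/passwd" "$demo_dir/shadow" pi || true
rm -rf "$demo_dir"
```

Run as root with no arguments, it reads the live /etc/passwd and /etc/shadow; without root it reports "present-unverified" when the shadow file cannot be read.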
We took the new installer for a spin on both a Pi 400 and a Pi 4. The overscan settings for a second monitor are particularly useful. Even more so is the ability of the wizard to pair with Bluetooth mice and keyboards.
Whoever put that code in there deserves all the beers since it means one can set up a Pi 4 without reaching for a wired keyboard or mouse. It also works with the Pi 3 and earlier with USB Bluetooth adapters, but we were unable to test this to confirm.
Other changes in this version include a peek at Wayland support, although the team cautioned that it was experimental, and listed a number of things not working at the moment, including screenshots.
Overall, this is a worthy release and the security improvements are useful (even if they might prove inconvenient for some). The move to the latest LTS Linux kernel is a welcome change, although support ending in 2023 compared to 2026 for 5.10 might give some users pause for thought. ®