Thursday, 1 November 2018

Cybersecurity class challenged to hack a Raspberry-Pi-enabled "smart pumpkin"

Frequent Boing Boing contributor Sean O'Brien and his colleague Scott J Shapiro built a Raspberry Pi-enabled smart pumpkin and then challenged their Yale cybersecurity students to hack it.

The exercise looks like lots of fun, and the instructors have documented their process on Github, along with sourcecode for your own "Pumpkin Pi."

The Pumpkin sat on a table in class, with the red and yellow LEDs simulating a candle. The objective I gave to students was to trigger the green lights, rather than just shutting the LEDs / the Pumpkin down (someone did anyway, which was interesting and followed by an explanation about objectives in hacking and security research...) Physical access was not allowed.

The first step was to figure out what we were trying to hack. Using "nmap", we tried to detect the operating system and other useful details. The students were then tasked to evaluate their target.

They quickly realised that this was a Raspberry Pi (MAC matching) running an up-to-date Linux. Therefore, it would be difficult to exploit.

As we all know, many administrators do use weak credentials, and luckily, the PumpkinPi administrator set a very weak and seasonal password. Using "hydra" and a wordlist, the students were able to brute force the password and gain access to the device.

However, this was not enough! As mentioned before, I set a specific objective while not denying the root user any rights. Indeed, one student just used the "shutdown" command and turned off the Pi. I then explained that in hacking and security research, it is important to know one's objectives and not simply "break things", while restarting the PumpkinPi.

The Pumpkin Pi Project [Sean O'Brien/Github]