Raspberry Pi Malware Infects Using Default Username and Password


When it comes to Raspberry Pi, it’s easy to think this simple single-board PC is rather insignificant in the grand scheme of the internet. But don’t let its small size fool you: these little devices can be a gateway for hackers to make their way into your network. Today we’re taking a closer look at a vicious piece of malware that infects Raspberry Pis. YouTuber John Hammond released a video this week, looking at the malicious code line by line and dissecting exactly how it works, as well as how it spreads to vulnerable Raspberry Pis.

Hammond said that he first began investigating this malware when a user submitted an email to him. The user explained that the Pi was using the default username and password combination that comes with Raspberry Pi OS. The user had been logged into an SSH session for only about 30 minutes when the session dropped. Every time the user reset the password, it would change again after the Pi was restarted.

The user submitted the strange file to Hammond for investigation, leading to the video he shared with us this week. Hammond took the time to look through this mysterious file line by line. The file is a type of trojan, more specifically a remote access trojan that uses IRC. It’s self-propagating, so once released it can continue to spread itself across the internet to other vulnerable Raspberry Pis.

Although this video was just shared and the user was recently infected, it’s worth noting that this particular piece of malware has floated around for some time. While researching different aspects of the code, Hammond found references to the file going all the way back to 2017. While this trojan may not be something new, it’s still an active threat that users should be taking seriously.

The best way to avoid this type of hack is to get into the habit of regularly changing your password. Even if your project is an offline project, this habit is a good one to get into. Never use the default login credentials that come with Raspberry Pi OS when opening your Pi to the internet. You expose not only your Pi, but your personal network to the world with this vulnerability.
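
One way to check a Pi for the exposure described above, as an added example that is not from the article or from Hammond's video: the script reports whether an account has a usable password and whether sshd's global configuration accepts password logins. The username `pi`, the file paths and the sample files are assumptions, and the shadow hash is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the article). Flags a default account that is
# reachable over SSH with a password. File paths are arguments so the
# checks can run against copies; "pi" as the default username is assumed.

# "yes" if the user has a set, non-locked password hash in a shadow file.
has_usable_password() {   # $1 = user, $2 = shadow file
    awk -F: -v u="$1" '$1 == u { h = $2; seen = 1 }
        END { if (seen && h != "" && h !~ /^[!*]/) print "yes"; else print "no" }' "$2"
}

# Global PasswordAuthentication value in an sshd_config file. sshd uses the
# first occurrence and defaults to "yes"; Match blocks and Include files
# are not evaluated here.
password_auth_enabled() {   # $1 = sshd_config file
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); seen = 1; exit }
         END { if (!seen) print "yes" }' "$1"
}

# EXPOSED: password set and SSH accepts passwords.
# PASSWORD-SET: password set, SSH password logins disabled.
# OK: account absent or locked.
audit_default_account() {   # $1 = user, $2 = shadow, $3 = sshd_config
    if [ "$(has_usable_password "$1" "$2")" != yes ]; then
        echo OK
    elif [ "$(password_auth_enabled "$3")" = yes ]; then
        echo EXPOSED
    else
        echo PASSWORD-SET
    fi
}

# Constructed sample files (the hash is a placeholder, not a real one).
demo=$(mktemp -d)
cat > "$demo/shadow" <<'EOF'
root:*:19000:0:99999:7:::
pi:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$demo/sshd_default"
printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' > "$demo/sshd_keys_only"

audit_default_account pi "$demo/shadow" "$demo/sshd_default"     # EXPOSED
audit_default_account pi "$demo/shadow" "$demo/sshd_keys_only"   # PASSWORD-SET
audit_default_account root "$demo/shadow" "$demo/sshd_default"   # OK
```

On a live system, run the functions as root against `/etc/shadow` and `/etc/ssh/sshd_config`. `sshd -T` prints the effective configuration, which also accounts for Include files.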

Check out the original video shared by Hammond to see exactly what the trojan does and how it propagates. If you’re looking for something a little more light-hearted, visit our list of Raspberry Pi projects to see what you can do with your Pi once you’ve secured it.

Ash Hill
Contributing Writer


  • bit_user
    This piece is an important reminder! No device is too insignificant to be used as an attack vector or in a botnet. If it has a network stack, it should be considered a target.

    The practice of having default user accounts and passwords is way beyond obsolete. Upon installation, I change not only the password of my pi user account, but also the username.

    More importantly, if you have a wifi router, definitely change any default password on it.