3

I would like to use Raspberry Pi 3 as a dedicated machine for online banking, but I am not sure if it can be made secure enough.

I am thinking about using a Raspberry Pi with Raspbian. It would be connected to the internet. I will type all passwords by hand (no password manager or remembering passwords in the browser). It also seems that it is quite easy to reinstall the system from scratch, which IMHO is good for security.

Now there are two main security threats that come to my mind:

1. Somebody steals my machine. In my opinion it is not a big threat because I am not going to have my passwords saved anywhere on this machine.
2. Somebody hacks my Raspberry from the internet. This is what I am afraid of most. I know that I should change the default user and user password and set up a firewall. I am also not going to use this machine for anything other than banking. I am also not going to use this machine remotely.

Right now I am using the same Windows PC for banking and everyday activity, so I would like to compare using a Raspberry as a dedicated machine with my current setup.

So I would like to know:

* Can a Raspberry Pi be reasonably secure to use as a dedicated machine for online banking?
* What changes in configuration should one make to secure it?

Edit: I read about security in the topics linked below, which gives me a sense that Raspbian can be made fairly secure. But still, maybe online banking is too serious for that and there are reasons why, for example, I should rather buy a second laptop.

What should be done to secure Raspberry Pi?

How can I protect against intrusion and malware before connecting it to the internet (especially on a public IP address)?

r_fan1
  • 1
    "I am not sure if it can be made secure enough." -> Hardware wise, there's nothing that makes it any more or less suitable than the average laptop. Software wise it is essentially identical to the average laptop, although you cannot run the same range of operating systems on it. – goldilocks Jun 10 '18 at 11:59
  • @goldilocks That's a bit of a simplistic generalisation. There can be security bugs in either the firmware or in the physical hardware itself. See this for an e.g. that makes the RPI hardware more secure than the average laptop. In software there are differences too. The average laptop is x86 based while the RPI is ARM based. Can you be sure there are no architecture-dependent bugs? Finally, you're relying on a different set of people to maintain security updates for your OS. – JBentley Jun 10 '18 at 18:21
  • I explicitly wrote that in response to the O.P.'s concern about being "not sure if it can be made secure enough", the point being that if you would consider "the average laptop" something that probably could meet your needs, then there was no particular reason to see a Pi in a different light. If you want to pursue an infinite regress of qualifiers, then of course "the average laptop" is wishy-washy, as is "x86" -- different processors implementing x86-64 from Intel have different vulnerabilities. – goldilocks Jun 10 '18 at 19:52
  • ...Most smartphones are ARM based, but they do not all have the same vulnerabilities either and most people are, I would guess, comfortable doing online banking with their phone. I made an assumption what "fairly secure" means based on that, namely that the Pi is not "unusually insecure" or anything. If the OP had something more specific in mind, I do not see it in the question. You could start by checking CVEs for a particular hardware/software combination etc. – goldilocks Jun 10 '18 at 19:52

1 Answer

5

I don't see any reason why a properly secured Pi should be any less safe than a Windows machine; probably the Pi would be marginally safer.

Recent versions of Raspbian (e.g. Stretch) come with SSH disabled by default, which reduces the chance of remote intrusion significantly. Since you don't need remote access, that simplifies that problem massively—just leave SSH off.

Changing the password is obviously vital, though if you don't actually have any remote access enabled, even that might not make much difference in the end.

You can install ufw, the Uncomplicated Firewall, with sudo apt install ufw. By default this will block all incoming connections and allow any outgoing connections (i.e. your web browser connecting to a remote server). You can make sure it's enabled after installing with sudo ufw enable.

Other than this, your system shouldn't have too many feasible attack vectors other than operating system/browser bugs or any malicious software you download yourself. If you are only downloading packages from apt, you can be fairly certain that malware isn't a problem. By only navigating to your bank's website you also rule out most malicious sites.

You could consider antivirus as linked to in the questions you found, but plenty of people get by without antivirus on Linux—as you're getting all executables from a trusted source, the potential for attack is far lower.

The Pi isn't any less secure than a normal computer could be, and the defaults are generally reasonable. Buying a new laptop would seem like a waste of money to me as it's no more or less secure (I suppose Windows has more viruses and malware targeted to it, but the only real way it can get in is through bugs, you downloading it or someone accessing remotely).

Aurora0001
  • I agree with Aurora, but have some additional suggestions:
    No remote access, use USB/HDMI to login and work.<br>Use wired keyboard/mouse, not wireless.
    Use netstat to check for software listening for connections. Disable them.
    – Chad Farmer Jun 15 '18 at 16:30
  • @Chad You should post that below in your own answer; they're good suggestions. As you can see the comment formatting isn't too flexible (it hasn't handled your line breaks), and comments are really meant for clarifying rather than adding additional information to answer the question. – Aurora0001 Jun 15 '18 at 17:07
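
The checks suggested in the answer and comments above (ufw defaults, SSH left off, nothing listening beyond loopback) can be verified with a small script. This is an added example, not part of the original posts; the function names and sample outputs are constructed, and the `live` mode assumes the SSH unit is named `ssh` as on Raspbian.

```shell
#!/bin/sh
# Added example: verify the hardening points from the answer and comments.
# Function names are hypothetical; sample inputs are constructed, not captured.

# Succeeds only if ufw is active with deny-incoming / allow-outgoing defaults.
# Reads `sudo ufw status verbose` output on stdin.
ufw_defaults_ok() {
    awk '
        /^Status: active/                                   { active = 1 }
        /^Default:.*deny \(incoming\).*allow \(outgoing\)/ { policy = 1 }
        END { exit !(active && policy) }
    '
}

# Prints "proto local-address" for each socket bound to a non-loopback address.
# Reads `netstat -tuln` output on stdin.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 !~ /^(127\.|::1:)/ { print $1, $4 }'
}

# Runs the checks against the real system (needs sudo for ufw).
audit_live() {
    if sudo ufw status verbose | ufw_defaults_ok; then
        echo "ufw: active, deny incoming / allow outgoing"
    else
        echo "ufw: inactive or defaults changed"
    fi
    echo "ssh service: $(systemctl is-enabled ssh 2>/dev/null || true)"
    echo "non-loopback listeners (disable anything not needed):"
    netstat -tuln | exposed_listeners
}

# Constructed sample outputs so the parsers can be exercised offline.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

if [ "${1:-}" = "live" ]; then
    audit_live
else
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
fi
```

Run it with the argument `live` on the Pi itself; without arguments it only parses the constructed samples.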