Update Policy Security Issue

Hello,

I just wanted to look at the Heli plots on my rs because of the Peru event. I realized that my RS is obviously not working properly, because I first got a blank site at the heli page and a short time later my rs rebooted. Currently I cannot reach my rs at all.

I checked for updates and saw that the last update was in March 2019. I then realized that since update .v12 the updates are forced to all RS without any further user action. At first sight it seems to be a great feature because it ‘just works’ and nothing has to be done.

However, as I just realized, this is also dangerous. Not only do I get used to not checking my shake as regularly as I should. The second, much more problematic point is that as soon as the ‘update server’ is hijacked, all rs in the world are hijacked as well. As most people won’t have the option to separate their rs into another network/vnet or so, this threat actually puts an ‘attacker’s’ computer right into your network.

I would suggest implementing a default setting where people can initiate the update process from the web-frontend on their RS. This adds more safety and control for the owner of the RS. Additionally, an ‘automatic update’ option could be given so people can use this if they want/need to.

I will now reboot my shake and get everything up and running again.

Cheers

hello,

thanks for the inquiry. from what i am able to deduce, your unit has entered some sort of non-functional state (which “feels” like a possible SD card corruption), where you suspect that this has something to do with the update procedure. while this is possible, it is not likely.

in any case, let me take this opportunity to address your other concerns:

  1. you mention a change to the update procedure (since v0.12), but i can assure you that quite to the contrary no part of the overall procedure has been modified since v0.1. rather than being “forced”, each individual unit calls home once per week to check if an update is available. when the answer is “YES”, the update is downloaded and applied.
     • so intentionally designed, no Shake server, or other computer for that matter, is able to initiate and make contact with any Shake unit. all Shakes communicate in a one-way direction, out to the WAN (e.g., to send its data to the data server when so configured). any communications going the other direction must be arranged by the owner of the Shake themselves, where only she has this access information.
  2. since our recommendation is to change the password immediately upon installation, easy to do from the front-end configuration interface, and since the ‘root’ user itself is disabled, break-in attempts will fail.
  3. and while it is impossible to make claims that no computer is able to be broken into forever into the future, the idea that the Shake update server could be compromised without our knowing about it, while the bad actor then commandeers all Shake units all over the world, over the course of a week (remember, there is no ‘pushing’ of updates), to further compromise other machines on your LAN (which, i would presume, are also properly password-protected) is not only highly unlikely, but really quite impossible, for many reasons. one primary reason being that there is simply not enough of a reward to be bothered to take the time to figure it all out, to then end up with nothing for all the effort. hackers are overrated.

our original intent when designing the Raspberry Shake was to create an IoT unit that, at once:

  • does something interesting (and so is necessarily a bit complex)
  • requires as little effort as possible on the part of the end-user to get it up and running
  • requires no effort at all to receive any and all future updates, so that through the miracle of programming and the internet, your original investment actually gets better over time

as of this writing, in the 2.5 years since the system has been released into the wild, i can report not a single Shake unit has been compromised, no Shake server has been hacked, and no end-user’s LAN has been infiltrated.

after you rebooted your machine, did it successfully upgrade to v0.15, and everything is again running okay?

i hope i have addressed your concerns, in that i am quite confident our system is overall secure and free from any potential external harm.

warm regards,

richard