There are some serious security issues with the WiPy. In summary, they are:

  1. No support for encrypted communications like SCP, SSH, SFTP, and HTTPS. As a result, you should not expose this device to the Internet and log into it remotely. The telnet and ftp protocols are unencrypted, so your login and password are sent in clear text. Anyone sniffing the network between you and the WiPy will be able to log in on your WiPy and take complete control of it.
  2. If the attacker has physical access to the board, they can do either of two things. First, they can reset the board to factory settings and log in with the default credentials. Second, they can just steal the SD card to get access to programs and data stored there.

These two problems are serious enough that you can use the WiPy as a development environment on a trusted network, but you should not use the board as an IoT platform where it is in an untrusted/uncontrolled environment where you might need to access the device remotely. This might be fixed in a future release of the firmware, but I haven't found a way around them yet. Use care and carefully consider risk when you use these devices.

This guide was first published on Aug 31, 2016. It was last updated on Aug 31, 2016.

This page (Security) was last updated on Jan 12, 2021.

Text editor powered by tinymce.