
The curious case of the Raspberry Pi in the network closet - geek_at
https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html
======
alanfranz
That's an amateur job. Resin explains it - you try to do some exfiltration via
an external commercial service? Come on.

If the author had set up an encrypted partition where all the "real stuff" was
found, and the key for such partition was in-memory only, possibly along with
one of the small rpi UPS/batteries to prevent minor electrical hiccups from
making the whole operation fail.... it would have been almost impossible to get
back at the author.

Also, using a nice "black box" that looked like a sort of electronic device,
instead of some randomly put together rpi+pieces, would have made the device
mostly invisible.

So: an amateurish hacking job.

~~~
dingaling
> Also, using a nice "black box" that looked like a sort of electronic device

Disguised as one of those generic thermostat boxes on a wall it'd go unnoticed
by 99.999% of people. Bonus points for a twiddly wheel.

~~~
theamk
Or even better: find an old ethernet switch, gut it (but keep the connectors)
and put a Raspberry Pi inside. You will need to solder 6 wires for ethernet and
power, but the pins are fairly large so this should be easy.

Even if discovered, most people would not bother taking it apart --- they'll
just assume it is broken and throw it away.

~~~
jordan801
This is exactly what I was thinking. Even the network admin would probably be
like, "well, I don't think so but I'd better not mess with it, just in case
it's how the CEO is getting internet". Unless of course they engineered the
network originally.

------
pjc50
I hadn't realised that the wifi->address mapping was so publicly available.
That means a list of wifi addresses that you've connected your phone to is
also a location history. :(

~~~
mosselman
I hadn't either. Also what is the deal with random people contributing to the
database at [https://wigle.net/](https://wigle.net/), why don't you mind your
own business? There is a big difference between broadcasting the SSID in a
20-50m radius and effectively broadcasting it world-wide.

~~~
ForHackernews
Google and other entities already have that data. Building open databases like
wigle.net or
[https://location.services.mozilla.com/](https://location.services.mozilla.com/)
seems good to me because:

1) It allows building alternative location providers that make it possible to
have an Android device that doesn't rely on Google maps.

2) Publicizing the existence of these databases might make the general public
more conscious of privacy and data protection issues involved.

~~~
mosselman
1) I don't find such location-providers a good addition to society.

2) That is like saying you go around kicking people in the crotch to make them
more conscious about the benefits of learning self-defence.

Update:

> Google and other entities already have that data.

How is this an argument FOR gathering sensitive information about the people
around you? Should you also look to their trash and digitise any documents
they throw away and make a website that allows you to search through these
documents? You could argue that Google or some other entity already has that
information anyway.

You could also argue that this would increase consciousness with regards to
the privacy concerns of your trash.

~~~
ForHackernews
Re: #1 I think they are a good addition to society because otherwise every
device has to rely on satellite positioning, which is slower, generally less
accurate, and prone to failure indoors or around tall buildings.

~~~
mosselman
I prefer privacy over location data to be honest.

------
godelmachine
Have two questions after reading the article

1) What are DNS logs?

2) What are RADIUS logs?

Would someone be so good as to answer?

Thanks in advance for help you could provide.

Edit :- This got downvoted. Don’t know why anyone asking an honest
question should be marked down. Am I not allowed to ask technical questions in
the comments section?

~~~
taco_emoji
You probably got downvoted because you can just use Google to answer those
questions.

~~~
neetodavid
I appreciate having the question asked and answered right here in the
comments.

won't someone please think of the lurkers

------
aboutruby
Reminds me of the people getting paid to install rogue devices like this, e.g.
[https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/fou...](https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6nh61r/)

------
SCHiM
The attacker's setup is really, really bad. But it's very interesting to see a
drop device being used in the wild. I assume that if amateur solo actors are
doing this, then organized crime rings are for sure.

~~~
inetknght
Yes, very much. Not only are they doing it but they're peddling it to the
unwary.
[https://news.ycombinator.com/item?id=18919906](https://news.ycombinator.com/item?id=18919906)

------
hawski
It is possible that there is a second device that does a sniffing part. This
device may be a relay for the second device. They could be connected via
Bluetooth, hence the Bluetooth dongle.

~~~
chinathrow
I agree. Like a keylogger on a wired keyboard which exfiltrates via the
bluetooth dongle. That dongle was there for a reason.

------
walrus01
This person's wiring closet needs to have all Ethernet switch ports in a
default 'shut' state and assigned to a quarantine vlan.

It's amateur hour if you can just plug in any random rpi, it gets a DHCP
lease, access to the company lan, and a route to the outside internet.
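The comment above describes the missing preventive control (ports shut by default, quarantine VLAN). A cheap detective control for the same gap is to audit DHCP server logs for leases handed to devices that are not in inventory, or that carry a Raspberry Pi OUI or the default "raspberrypi" hostname. The following is an added example and not code from the article or from any commenter; the log lines are constructed in dnsmasq's DHCPACK format, the inventory allowlist is invented, and the OUI set is limited to the three Raspberry Pi prefixes the author of this example is sure of (b8:27:eb, dc:a6:32, e4:5f:01).

```python
import re
from dataclasses import dataclass

# Raspberry Pi OUIs (first three octets of the MAC). b8:27:eb belongs to the
# Raspberry Pi Foundation; dc:a6:32 and e4:5f:01 to Raspberry Pi Trading.
# Extend this set from the IEEE OUI registry for your own environment.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# dnsmasq-style DHCPACK line, e.g.
#   "Nov 19 08:12:03 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.57 b8:27:eb:12:34:56 raspberrypi"
# The hostname field is optional: a client need not send one.
DHCPACK_RE = re.compile(
    r"DHCPACK\((?P<iface>[^)]+)\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    iface: str
    ip: str
    mac: str
    hostname: str


@dataclass(frozen=True)
class Finding:
    lease: Lease
    reasons: tuple


def parse_dhcpack(line):
    """Return a Lease for a DHCPACK log line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return Lease(m["iface"], m["ip"], m["mac"].lower(), m["host"] or "")


def oui(mac):
    """First three octets of a colon-separated MAC, lower-cased."""
    return mac.lower()[:8]


def audit_leases(lines, known_macs):
    """Flag the first lease of every MAC that is unknown or looks like a Pi."""
    known = {m.lower() for m in known_macs}
    findings = []
    seen = set()
    for line in lines:
        lease = parse_dhcpack(line)
        if lease is None or lease.mac in seen:
            continue  # not an ACK, or a renewal we already reported
        seen.add(lease.mac)
        reasons = []
        if lease.mac not in known:
            reasons.append("mac not in inventory")
        if oui(lease.mac) in RASPBERRY_PI_OUIS:
            reasons.append("raspberry pi oui")
        if lease.hostname.lower().startswith("raspberrypi"):
            reasons.append("default raspberry pi hostname")
        if reasons:
            findings.append(Finding(lease, tuple(reasons)))
    return findings


# Constructed sample log: a known printer, an unknown Pi with the stock
# hostname (plus its renewal), a DISCOVER line that must be ignored, and a
# known device that sent no hostname at all.
SAMPLE_LOG = [
    "Nov 19 08:11:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.12 00:11:22:33:44:55 printer-2f",
    "Nov 19 08:12:03 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.57 b8:27:eb:12:34:56 raspberrypi",
    "Nov 19 08:12:03 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) b8:27:eb:12:34:56",
    "Nov 19 08:15:20 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.31 aa:bb:cc:dd:ee:ff",
    "Nov 19 08:40:03 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.57 b8:27:eb:12:34:56 raspberrypi",
]

# Invented inventory allowlist (case-insensitive, as MAC notation varies).
KNOWN_MACS = {"00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"}

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LOG, KNOWN_MACS):
        lease = finding.lease
        print(f"{lease.iface} {lease.ip} {lease.mac} '{lease.hostname}': "
              + ", ".join(finding.reasons))
```

Run it against a real dnsmasq syslog and a MAC inventory export; the three checks are independent, so a Pi that was given a custom hostname and a known MAC still surfaces on its OUI, while a known device with no hostname produces no noise. Pairing this with a switch-side inventory of which physical port handed out the lease is what would have pointed straight at the closet.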

~~~
sschueller
That would be best practice.

However I don't mind being able to get LAN internet at a hotel that wants me
to pay $24 per day for wifi when they have VoIP phones that have internet
access...

~~~
walrus01
I often find that tethering to T-Mobile LTE is better than whatever
misconfigured, screwed up NAT/gateway a hotel has.

~~~
joezydeco
Agreed.

Every single hotel I’ve been to in the last year or so has pitiful bandwidth,
which is completely saturated after dark once everyone fires up Netflix and
lets it run all night long.

------
gppk
It didn't really talk about what it "logged", that would have been interesting
to know what data was being stolen.

Great article though, very interesting read.

~~~
Darkstryder
As the article concludes with "Legal has taken over, I did my part and the
rest is over my pay grade.", I think the author is not allowed to disclose
this publicly.

~~~
throwawaylolx
I think the author just doesn't know what it does. From his Reddit post [1]:

>Still no idea what it actually does except for the program being called
"logger", the bluetooth dongle and it being only feet away from secretary /
ceo office

[1]
[https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_rasp...](https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_raspberrypi_found_in_network_closet_need/)

------
willvarfar
The article makes the massive assumption that the 'gifted person' whose name
and home address were exposed is also the person who wanted it in the closet.

Either that person has phenomenally bad tradecraft, or they are actually
innocent.

There are so many plausible ways in which the 'gifted person' is not in on the
plot; for example, they may have sold the pi to the disgruntled employee
before the employee was disgruntled or with no idea of the use that the
disgruntled employee would put it to.

Have to kind of hope that's how it all ends up.

When I was young I often set up computers and stuff for others. These days I
try and get sloppy shoulders when people ask me for tech support, and if there
were a young gifted whiz kid nearby I'd be sending a lot of innocent business
their way....

~~~
mcv
I didn't see that assumption anywhere in the article. He just followed the
leads, collected the evidence and connected the dots. The device was set up in
the gifted kid's home, and used a webservice paid for by the gifted kid's
company. The device clearly comes from the gifted kid. Was he also the one who
wanted the device in the closet? That's the one thing we don't know. That, and
the relationship between the gifted kid and the ex-employee.

Further legal investigation will no doubt follow. Maybe gifted kid is involved
in something illegal, maybe not. Hopefully we'll hear more about this in the
future.

~~~
willvarfar
Yeah the link title here on HN is "How I got the home address of the person
that put a RasPi in our network closet"

Which is interesting, because I double-checked and the article is actually
more circumspect: "The curious case of the Raspberry Pi in the network closet
how we found, analyzed (with the help of Reddit) and in the end caught the
culprit of a malicious device in our network"

They find the home address and name of the person who prepared the pi
(although we don't know it was the person who installed the 'logger', whatever
that is etc). And they have identified the disgruntled employee who seems to
have installed it. Two separate things.

~~~
mcv
Good point. The original HN title did indeed imply the "gifted person" was the
one who put it there. I notice the title has now been changed to the
article title.

------
usgroup
Bit of an Agatha Christie style whodunit.

Fixed number of people it could be ... and it turns out to be the ex employee
... who would have thought.

~~~
JustSomeNobody
The butler ... ahem ... ex-employee always does it.

I'm pretty shocked at how obvious they left this. Surely they knew it would be
found one day?

~~~
usgroup
Perhaps it’s more like "Who Framed Roger Rabbit"?

Always suspected that Agatha was a bit simplistic. Maybe the real bad guy
always gets away!

------
leowoo91
Plugging out is kind of a bad idea, I would start with a cold boot attack just
in case the SD card is encrypted.

~~~
mehrdadn
What would that involve? I'm guessing making a bootable SD card that dumps
memory, unplugging and quickly replugging the power cable, and then booting
that card? Or do you need something more specialized?

~~~
Piskvorrr
I don't think that you can, manually, swap SD cards (on a running system! That
alone would trigger all sorts of quirks, unless you're running off initramfs,
tmpfs or an external storage device.) and toggle power so quickly that the RPi
reboots but doesn't erase RAM. I mean, you might get very lucky, but the boot
process is heavily stacked against you - the bootloader on your SD card gets
executed fairly late in the boot sequence:
[https://raspberrypi.stackexchange.com/questions/10442/what-i...](https://raspberrypi.stackexchange.com/questions/10442/what-is-the-boot-sequence)

~~~
mehrdadn
I meant you'd swap the card when the system was off, not when it was on.

~~~
Piskvorrr
Power off, swap cards, power on? That's a multi-second task, even if SDRAM
didn't reset during boot stages.

~~~
Piskvorrr
I mean, you _could_ swap the cards live, but I'd be worried about the
electrical end, not the debounced and processed signals coming from the OS -
although if I were writing a malicious package, device tree changes would also
trigger all sorts of alarms. (Had a bad contact on an SD card once - the
effect of disconnect-reconnect on the running OS was...spectacular, but in a
bad way. In the better case, it fluctuated the board voltage enough to
reboot.)

------
gfisher
On the Reddit post this originated from [0], it says that the motivation from
the ex-employee was "help us identifying wifi problems and tracking users in
the area around the Managers office". Makes me wonder if it was malicious or
just stupidity.

[0]
[https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_rasp...](https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_raspberrypi_found_in_network_closet_need/)

------
morpheuskafka
I'm shocked they used a commercial service to store their entire codebase.
That could be easily subpoenaed and if it's a paid plan they will be dead in
the water.

------
kfihihc
Well, the Co-founder of Makerdiary is here :)

I love this article, and I wanna promote our work in this thread :)

We are building some little Nordic nRF52-based widgets for makers with a lot of
documentation; you can find more on our wiki here[1][2]. And we are trying to
use MESH network technology to protect our IoT data; here are some tutorials
for BLE MESH[3] and OpenThread MESH[4].

BTW, if you are interested in FIDO U2F security keys, please check here[5], an
open source FIDO U2F implementation on the nRF52 SoC.

[1]: [https://wiki.makerdiary.com](https://wiki.makerdiary.com)

[2]: [https://blog.makerdiary.com](https://blog.makerdiary.com)

[3]: [https://blog.makerdiary.com/getting-started-with-bluetooth-m...](https://blog.makerdiary.com/getting-started-with-bluetooth-mesh-development/)

[4]: [https://blog.makerdiary.com/build-a-thread-network-with-nrf5...](https://blog.makerdiary.com/build-a-thread-network-with-nrf52840-mdk/)

[5]: [https://github.com/makerdiary/nrf52-u2f](https://github.com/makerdiary/nrf52-u2f)

------
deepsy
You guys just killed wigle.net :(

------
cm-t
Interesting, at every hint found in the blogpost, I was trying to guess the
next steps, fun!

------
bdamm
It might have been better to call the FBI as soon as nobody could identify the
device. However, the conclusion was quite satisfying.

------
angry_octet
This is a textbook case of where amateur sleuthing is a bad idea. We're not
all Tsutomu Shimomura.

If there is a criminal (or civil) case, there has been no chain of custody. If
you find something like this, don't even touch it, get someone qualified.

Secondly, it seems highly likely the person who created the image is not the
person who emplaced it. The use of a VPN is hardly an indicator of evil
intent. At least the author did not put any names in their publication.

~~~
angry_octet
[https://www.sans.org/course/advanced-incident-response-threa...](https://www.sans.org/course/advanced-incident-response-threat-hunting-training)

[https://brettshavers.com/brett-s-blog/entry/digital-forensic...](https://brettshavers.com/brett-s-blog/entry/digital-forensics-is-really-easy)

------
taneq
Mr Robot, this 'gifted' kid is not.

------
dmitripopov
CSI: Cyber :)

------
vectorEQ
nice detective work :D cool

~~~
mirimir
Yeah, and a big F for that "gifted person".

~~~
tapland
To the ex-employee.

There was no conclusion drawn as to the involvement of the gifted kid other
than the pi initially being set up by them.

~~~
mirimir
Yeah, but it was the setup that included all that information about him.
That's why I said "F". An OPSEC fail. For the ex-employee, it was failure in
judgment. And also OPSEC failure, for not checking the device for compromising
information.

------
ktpsns
> Legal has taken over, I did my part and the rest is over my pay grade.

Wow, I never wanted to work in a company where I had to say this. Really, if
the pay grade decides which human you are, I'd better get no money but be able
to do whatever I want, like go to that person, ring at their door and ask them
about their plans.

~~~
shawabawa3
"beyond my pay grade" is just an expression, it doesn't really refer to pay
exactly, it just means it's someone else's responsibility.

~~~
beaconstudios
Though if I remember correctly, it comes from the military, where seniority
(and thus decision-making capability) and pay grade are explicitly linked.

