
Found hooked up to my router - empath75
https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6nh61r/
======
browsercoin
> I have a Raspberry Pi right now in my hands from rentyouraccont.com, I have
> it running diagnostics on an air-gapped PC. This thing is wild. Every second
> it tries to connect to bot-net programs. It not only buys ads on Facebook
> (which, btw, I cannot find code that it actually does this) but it is creating
> links to malware-ridden embeds. It is part of a botnet, I can say for sure.
> Every second it tries to establish a connection to the botnet; it's like a
> bee that's lost its colony. Register for one and put it on an air-gap, you
> will see exactly what I'm talking about. It records EVERY KEYSTROKE sent over
> the network, even SSL connections.

so this was a linked comment from a thread 3 years ago....

~~~
Pxtl
How is that even possible? How does it capture keystrokes (unless you mean
Google searches where each key is sent for autocomplete). How does it break
SSL?

~~~
ownagefool
It's probably not this attack but any WiFi device can probably be used to key
log you.

[https://threatpost.com/keystroke-recognition-uses-wi-fi-sign...](https://threatpost.com/keystroke-recognition-uses-wi-fi-signals-to-snoop/120135/)

~~~
austinjp
This is legitimately astonishing.

~~~
ownagefool
It's not great.

Some areas of IT are in guarded rooms, with walls of a certain thickness,
filtered power, external RF signals killed, and airgapped except for specific
patterns for transferring between external systems.

You probably just want to buy a yubikey and accept a lot of computing is built
on a house of cards with respect to trust.

[https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...](https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

------
krn
One comment in that thread[1] gives a full explanation of what such a
Raspberry Pi device hooked up to the router can do: forward all the network
traffic, replace the router's stock firmware with its own, install software on
the network-connected devices via known vulnerabilities, spoof websites by
acting as a custom DNS server. In my opinion, it looks like "a Pi-hole[2], but
for phishing".

[1]
[https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/fou...](https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6o4tun/)

[2] [https://pi-hole.net/](https://pi-hole.net/)

~~~
amckinlay
I still don't understand how this device could steal login details. Everything
should be encrypted and authenticated through PKI when using any website that
accepts login details. Whenever I visit a website with an expired certificate,
for example, Chrome gives me a big red warning banner before allowing me to
continue to the site.

~~~
hguant
> Everything should be encrypted and authenticated through PKI when using any
> website that accepts login details.

Yes, everything SHOULD be like this. I should be able to trust my neighbors
and leave my doors unlocked as well, and I should be able to have faith in my
elected officials. And yet...

The other issue is that you can connect to a website that implements HTTPS
correctly, and still be borked if that site doesn't implement HSTS properly -
there are tools that implement HTTPS downgrading on Kali.

> I still don't understand how this device could steal login details...Whenever
> I visit a website with an expired certificate, for example, Chrome gives me a
> big red warning banner before allowing me to continue to the site.

The problem comes when your corrupted router messes with DNS and sends you to
[https://evil.chase.com](https://evil.chase.com), which has a pixel perfect
mock up of a chase bank login screen, and a perfectly valid cert.
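The downgrade point in the comment above (a correctly served HTTPS site is still exposed on a hostile network if its HSTS policy is missing or weak) is easy to check mechanically. The following is an added example, not code from the thread or from any project named in it: it parses a `Strict-Transport-Security` header value the way RFC 6797 describes and reports the weaknesses a hostile LAN device could exploit. The sample header values are constructed; `ONE_YEAR` as the threshold follows the usual preload-list requirement and is an assumption of this example.

```python
"""Assess whether a Strict-Transport-Security header protects against downgrade.

Added illustration for the thread; the header values in SAMPLES are constructed,
not responses captured from any real site.
"""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 365 * 24 * 3600  # assumed threshold: preload lists expect >= 1 year


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse an HSTS header value (RFC 6797): ';'-separated directives,
    case-insensitive names, max-age mandatory. Returns None when the header is
    absent or malformed, which is exactly when a browser ignores it."""
    if header is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                return None  # malformed max-age: the whole header is invalid
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is required; without it there is no policy
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(header: Optional[str]) -> List[str]:
    """Return findings about the policy; an empty list means it is strong."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid HSTS policy: a plain-HTTP first visit can be intercepted"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy: no protection after this response")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age}s is short; policy lapses between visits")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: a plain-HTTP subdomain can still be hijacked")
    if not policy.preload:
        findings.append("preload missing: the first-ever connection is unprotected")
    return findings


# Constructed sample header values for the three interesting cases.
SAMPLES = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "weak": "max-age=300",
    "absent": None,
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, assess_hsts(header) or ["ok"])
```

Run against a site's real response header (for example the value shown by `curl -sI https://example.test | grep -i strict`), the findings list is what a defender would want to fix before trusting that the lock icon alone protects users on untrusted networks.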

~~~
jugg1es
I'm disappointed that's not a real website

~~~
westpfelia
It is a real website, he just got the URL wrong. It's supposed to be
[https://www.chase.com/](https://www.chase.com/)

~~~
EADGBE
I live for these kinds of zingers!

------
tonyb
Is a disk image of one of these available anywhere?

I find it much more likely that these are being used for what they say they
are (basically a proxy so they can buy ads from a residential IP) than some
crazy MITM device. The "Attacker" is basically renting an IP connection or
paying a co-location fee for their little server.

Plugging a device into your network doesn't make it magically see all the
traffic. It would have to be doing ARP spoofing, DHCP hijacking, or hacking
the router config/firmware. Is it possible that it is doing some or all of
those things -- sure. But why? That could all be done via a malicious client
executable that would give you access to the network and much more and is much
more discreet than a physical box, so why would someone go through the trouble
of shipping out a box + paying the recipient? The simpler explanation is
the sender of the device is doing nefarious actions on the internet and needs
a bunch of IPs for cheap so when they get blocked they can just move on to the
next IP.

Would I put one of these on my home network - hell no. But if one of my
friends tells me they had one plugged into their network I wouldn't
immediately assume that their entire digital life was compromised. I would
tell them to unplug it though.

~~~
wstuartcl
Well if they are willing to break TOS to sell ads on facebook how much further
do you need to go to rationalize auth capture, rootkit injection or any other
malicious activity?

"Plugging in the device on your network doesn't make it magically see all of
the traffic" ... Assuming it has not been constructed to do all of the things
you list (or more) does not magically make it not see all of your traffic
either. There is no magic involved, it is either constructed to capture/inject
or not -- the only way to know is to review the actual bits and firmware.

~~~
gpm
> Well if they are willing to break TOS to sell ads on facebook

What TOS? Facebook's? Why would they be bound by it?

------
qualsiasi
If someone shipped this to our office with a note like "attach this to a
LAN port", chances are it would get attached. And we're a software house. People
tend to pay attention to viruses, etc., but not physical security.

~~~
Merad
At a previous employer (Fortune 500, not a software co.) the IT security team
would sometimes seed the parking lots with thumb drives that were "infected"
with a program that would phone home to them if plugged into a PC on the
corporate network. IIRC there was a depressingly high (> 50%) rate of them
being plugged in.

~~~
sjwright
So these IT geniuses at a Fortune 500 company were clever enough to test their
employees' computer security acumen (and get the predicted result) but they
weren't clever enough to simply block all use of USB mass storage devices on
their corporate operating system distribution?

Surely by now all corporate desktops should be configured to not respond to
any USB devices other than the generic HID for mouse and keyboard, plus a
whitelist of approved devices (e.g. fingerprint readers, Yubikeys). Inserting
a USB mass storage device into a corporate workstation should result in
nothing. Plug-and-play shouldn't be triggered. The mass storage driver should
not load.

~~~
Merad
I don't think I've ever heard of a company that actually does this in
practice. I suspect it ends up simply being more trouble than it's actually
worth. I know at that company the list of approved devices would probably end
up being dozens of pages long... and yeah, thumb drives and USB hard drives
were used a decent amount, especially outside of IT.

~~~
sjwright
Maybe someone needs to invent a USB-based thumb drive reader that only allows
generic mass storage devices to be attached but does not work as a hub, rather
as a proxy device.

Bonus points: don't mount the drive directly, instead connect it to a
centralised server on the corporate network that scans for threats and mounts
a sanitised version of the drive's contents as a network share.

Triple word score: audit everything contained on every drive and everything
that is copied on and off.

Sell that for $200 per unit to Fortune 500 companies and paranoid government
agencies worldwide... and you'll retire early.

~~~
thecatspaw
Isn't that a NAS, basically?

~~~
TheOtherHobbes
A consumer (i.e. workplace for people who don't know better) NAS is usually
Linux with a few hard drives attached via a cheerful and brightly coloured web
UI - occasionally useful, some way short of secure.

I expect someone sells hardened ultra-secure corporate NAS boxes, but I've
never seen any in the wild.

~~~
gargravarr
The trouble is, the sort of people who would buy a pre-hardened NAS are also
the sort of people who would be suspicious of a pre-built unit. I know for
sure I wouldn't trust anything off the shelf, I'd take the base OS and build
something around it.

Whoops, my tin-foil hat appears to have slipped.

------
code4tee
In the days when USB sticks were more common it was an easy tactic for someone
to drop one in a company parking lot labeled “salary data” and with almost
certainty that thing would get plugged into a device on the corporate network.
The biggest security vulnerability in most cases is still users doing dumb
things.

~~~
dabockster
USB sticks are still pretty common.

~~~
ObsoleteNerd
As are USB stick attacks.

------
adamconroy
I don't see how this 'man' in the middle could actually intercept passwords,
except for http, but who runs auth over http anyway. For https, the 'man'
would have to substitute its own certificate and then the browser / client
software wouldn't trust the cert/domain combination without the end user being
extremely stupid (and knowledgeable enough to achieve the stupidity).

~~~
krn
What about DNS spoofing[1] at the local network level?

[1]
[https://en.wikipedia.org/wiki/DNS_spoofing](https://en.wikipedia.org/wiki/DNS_spoofing)

~~~
adamconroy
It might redirect to a malicious web page, but https would still prevent a
problem. Perhaps read the article you posted.

~~~
krn
The user can just be redirected to another similar looking site with a valid
TLS certificate.

~~~
tedunangst
How?

~~~
ktta
[https://gmail.com.inbox-redirect.pro](https://gmail.com.inbox-redirect.pro)

This will seem like a valid website, especially if the phishing site is done
well. Not just non-technical users, I'd wager some tech familiar users would
be fooled too.

The focus always being on the lock icon might not always cover it.

Safari will prevent this though.

~~~
aaron_m04
Isn't that why browsers visually distinguish the TLD and the part before it
from the rest of the URL?
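The two hostnames discussed in this subthread make the point concrete: `evil.chase.com` sits under the registrable domain `chase.com` (so only the real domain owner could obtain a certificate for it), while `gmail.com.inbox-redirect.pro` is registrable as `inbox-redirect.pro`, and its owner can get a perfectly valid certificate. What the browser highlights in the address bar is that registrable domain (the eTLD+1). The code below is an added example, not from the thread or from any browser's code: it computes the registrable domain using a tiny constructed subset of the Public Suffix List (`PUBLIC_SUFFIXES`, an assumption of the example; a real tool loads the full list) and flags hostnames where a watched brand (`WATCHED_BRANDS`, also constructed) appears anywhere other than as the registrable domain. It generalises a little beyond the thread by also catching the brand as a hyphenated token such as `secure-chase.pro`.

```python
"""Registrable-domain extraction and brand-lookalike flagging.

Added illustration for the thread. PUBLIC_SUFFIXES is a constructed subset of the
Public Suffix List and WATCHED_BRANDS a constructed watch list; neither comes
from the discussion or from any real product.
"""
from typing import Optional, Set

# Constructed subset of public suffixes; the real list has thousands of entries,
# including multi-label ones such as "co.uk" and "github.io".
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "pro", "app", "co.uk", "github.io"}

# Constructed watch list of brands whose login pages are worth protecting.
WATCHED_BRANDS: Set[str] = {"gmail.com", "chase.com", "facebook.com"}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return the eTLD+1 of hostname, or None if the hostname is itself a public
    suffix or uses a suffix we do not know (never guess in that case)."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walking i upward shrinks the candidate suffix, so the first hit is the
    # longest matching suffix ("github.io" wins over "io").
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None
            return ".".join(labels[i - 1:])
    return None


def lookalike_of(hostname: str) -> Optional[str]:
    """If a watched brand appears in hostname but is not its registrable domain,
    return the brand being imitated; otherwise None."""
    host = hostname.lower().rstrip(".")
    if registrable_domain(host) in WATCHED_BRANDS:
        return None  # genuinely under the brand's own domain
    host_labels = host.split(".")
    # Tokens also split on '-' so "secure-chase.pro" exposes "chase".
    tokens = set(host.replace("-", ".").split("."))
    for brand in sorted(WATCHED_BRANDS):
        brand_labels = brand.split(".")
        n = len(brand_labels)
        # The whole brand domain appears as a run of labels ("gmail.com.<...>").
        if any(host_labels[i:i + n] == brand_labels
               for i in range(len(host_labels) - n + 1)):
            return brand
        # Or just the brand name appears as a label/token.
        if brand_labels[0] in tokens:
            return brand
    return None


if __name__ == "__main__":
    for h in ("gmail.com.inbox-redirect.pro", "evil.chase.com",
              "www.chase.com", "secure-chase.pro", "purchase.com"):
        print(f"{h:32} eTLD+1={registrable_domain(h)!s:22} lookalike_of={lookalike_of(h)}")
```

The second heuristic deliberately compares whole labels rather than substrings, so `purchase.com` is not reported as a `chase.com` lookalike; a production tool would add confusable-character (homoglyph) handling on top.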

------
petemill
Whilst it's certainly a scam to do with advertising [0], it doesn't look like
there's any evidence that the scam has anything to do with 'stealing' anything
from network / network traffic:

> Facebook has several mechanisms in place to protect your account. We make
> every attempt to work within these constraints. In order to keep your
> account from being locked we use a small device called a Raspberry Pi. This
> device allows us to connect to Facebook advertising APIs from your home
> network and avoids the hassle of your account being locked due to unfamiliar
> activity. Learn more about the Raspberry Pi below.

[0]
[https://www.reddit.com/r/Scams/comments/2vd1g8/scam_rentyour...](https://www.reddit.com/r/Scams/comments/2vd1g8/scam_rentyouraccountdotcom/?st=jmilt3ow&sh=592d9a78)

~~~
konschubert
> Why do you need my account? Why not use your own? We have plenty of our own
> accounts. We need you because no matter how many accounts we have internally,
> Facebook limits the amount we can spend per account. By working with people
> like you, we are able to scale our business.

Can somebody explain if this makes sense? Why are there limits on account
spending?

~~~
NickBusey
Because the ad spends are fraudulent in nature? Just a guess.

------
erredois
I wish he would not destroy it and send to a security researcher to identify
what it really does and what information is collected.

------
walrus01
If I had to guess, it's providing VPN endpoint/relay services to scammers (CC
fraud, etc) who need actual residential IPs to buy things from. Or to use to
set up accounts/sockpuppet accounts for things like automated reddit vote
manipulation.

It's obviously located "inside" the residential end user's router/NAT, on
their wifi, so it'll have something like an openvpn or ipsec daemon on it that
initiates a connection to an endpoint elsewhere on the internet, building a
tunnel for the botnet operators to control it remotely. Or via tor to a tor
hidden service somewhere, like many purely software trojan botnets for
win32/win64, but in this case it will have the vpn or tor binaries running on
its own dedicated raspberry-pi class device.

If you have a botnet of several thousand devices which can be made to look
indistinguishable from legitimate "ordinary non technical user sitting at home
on their comcast connection with their laptop or tablet", you can do all sorts
of things. Relay http/https traffic for a click farm in Bangladesh where
people are upvoting reddit comments en masse to promote a product, sockpuppet
facebook account comments for political campaigns and pushing political
agendas (russian internet research agency, anyone?), etc. The goal here is to
make the traffic look like legit single end user residential internet traffic
and _not_ traffic that's coming from netblocks of major colocation/dedicated
server/VPS/VM hosting companies, whose ARIN/RIPE/APNIC space is all documented
as such.

There's fraud detection systems which will trigger if you're trying to buy
something like amazon gift cards from a /20 netblock of an ISP in Bulgaria,
but are less "suspicious" if your traffic and useragent, etc, are all coming
from a Frontier, Centurylink, Comcast etc netblock in a major American city.
Stuff like the maxmind geolocation data correlating closely with the billing
zipcode/shipping zip code of what you're trying to buy with a stolen credit
card, or other identify theft type scams.

If you're doing some variation on a massive vote manipulation service, there's
also fraud/botnet detection systems which will trigger on large volumes of
upvotes (or similar manipulation) all coming from the same geographical
location and netblocks. Your traffic look more like legitimate end users if it
is geographically distributed across many states and provinces, many english-
speaking countries (AU, NZ, CA, UK, etc), and across many ISPs and several
different common end user browser useragents (edge, chrome, firefox, etc).
Imagine if you threw 500 darts at a map of the USA on a wall and distributed
all your botnet devices randomly around the map, vs having 300 devices all on
the same network in the Chicago metro area, for instance.

~~~
webdevetc
There are companies out there that offer proxies from 'real' US resident IP
addresses. I think these companies use tactics like this to be able to offer
real residential IPs (and not IP ranges belonging to hosting companies)

This is the first one that came up on google -
[https://stormproxies.com/](https://stormproxies.com/) - I'm not saying that
specific company is in any way related to this device or tactic (it is just
the first on google for 'residential address ip proxy'), but I think it is
companies similar to this that will pay people for access to their routers and
sell that access.

~~~
joshmn
Luminati.io merely uses the Hola extension to power a massive residential IP
network. Hardware is so 2000.

~~~
r1ch
They've gone well beyond the extension now. These days you have no idea if
that "free" app you've installed has made a deal with Luminati to sell your
bandwidth to the highest bidder. They also have an Android SDK too. I've
received several emails like the following:

> My name is Lior and I lead the SDK partnerships at Luminati. I assume your
> software earns money by charging users for a premium subscription or by
> showing ads - both models do not pay out much and harm the user experience.
>
> We now offer you a third option.
>
> Luminati’s monetization SDK for Windows desktop provides your users the
> option to use the software for free, and in exchange we pay you $30,000 USD
> per month, for every 1M daily active users.
>
> More information is available on
> [http://luminati.io/sdk_win](http://luminati.io/sdk_win).

~~~
walrus01
That is sketchy and unethical as fuck.

I would like to give them an A+ rating for whatever graphic artist drew their
artwork and did the CSS/webpage layout, however.

~~~
abraae
I dunno, to me the icon is reminiscent of the Hades character from the Disney
movie:
[https://vignette.wikia.nocookie.net/disney/images/c/cf/Hercu...](https://vignette.wikia.nocookie.net/disney/images/c/cf/Hercules-disneyscreencaps.com-6022.jpg)

------
ChuckMcM
A somewhat dated reminder that "Social engineering is the best engineering."
when it comes to getting around security blocks. As Natasha said to Boris, "I
said system is 'Idiot proof' not 'Moose proof'!"

------
Jeremy1026
Time for a new roommate.

~~~
paultopia
For serious. The kind of idiot who would hand over facebook credentials, bank
account info, and physical network access for fifteen bucks a month to a total
rando is also the kind of idiot who will dig up their roommate's social
security card to help them out when the nice person from the IRS calls about
back taxes.

~~~
dingaling
I'd quite happily pimp out my unused fake Facebook profile for $15.

Lock the 'device' into its own subnetted VLAN so it can't see any local
traffic and it's easy money paid into a deposit-only savings account...

~~~
SmellyGeekBoy
How do you know that your router doesn't have a 0day that allows them to
escape the VLAN?

------
samstave
This just made me think of an interesting idea:

Imagine a small loop-back-like device which is plugged into all open network
ports - if any of them are removed from a network port, an alert is generated
stating "device from port 48 on switch 1 in closet 0 was removed"

~~~
walrus01
In general it's best practice to leave unused ports on managed switches in an
admin down/shut state until something you know is connected. Or live, but in a
quarantine VLAN.

Your idea, however, is not totally uncommon: having a raspberry pi sized device
at an offsite location, specifically _not_ plugged into any sort of UPS, which
is monitored by various alerting systems. In addition to the alerts that one
should get during a grid power failure event from managed UPS and automated
generator transfer switch systems, the disappearance of your "UPS canary" can
indicate that something is going on at an unattended site.

~~~
abraham_lincoln
My college used to do similar. If you did not register your MAC address, you
would be DHCP assigned into a walled-garden IP block.

We found we could run an IP scanner on the authorized subnet (from a computer
with a whitelisted MAC), and find the unused IPs, and just set those
statically for 'visitors'.

No need to register any more MAC addresses.

~~~
dev_dull
I doubt they were very concerned with you or your friends. 80/20 solutions.

~~~
abraham_lincoln
Only had problems when a classmate was running routed.

Oh, and all authorized IPs were in a public address space.

------
novaRom
The board is Nano Pi NEO. It costs $15 and contains a quad-core Cortex A7
along with two USB (2.0) ports and 100 Mbit Ethernet. It is about 25% of the
size of a RaspberryPi.

By the way, the same Chinese company now offers a much more powerful board
called Nano Pi M4 which is just a bomb with respect to RaspberryPi B+ if you
look at its specifications.

------
planb
This is overblown, isn't it? That thing can't do anything that a public wifi
couldn't, and yet everyone connects their laptops to those without hassle. SSL
is nearly everywhere now...

~~~
dirkt
Test how many SSL connections go the extra mile and secure themselves against
Man in the Middle attacks. You'll be surprised.

~~~
thegeomaster
All of them, since that's an explicit design goal of SSL/TLS?

~~~
cube00
If a user wants their free wifi enough they'll be happy to click through those
pesky warnings that the root cert is not trusted. They'll probably not think
anything of it if it loads as normal, even with a big angry red cross. The
speed at which users rip through Windows UAC warnings is astonishing.

------
tedunangst
How is this thing intercepting all his Facebook and bank traffic?

~~~
ghaff
I don't think it is.

Here's another thread which may be for the same thing or something similar.
[https://www.reddit.com/r/Scams/comments/2vd1g8/scam_rentyour...](https://www.reddit.com/r/Scams/comments/2vd1g8/scam_rentyouraccountdotcom/?st=jmilt3ow&sh=592d9a78)

It's apparently a "rent a Facebook account" scam. (The roommate apparently
also provided his Facebook credentials.)

~~~
tedunangst
That is 10x more informative.

~~~
astronautjones
It's also three (!) years old, which is crazy to think someone has been
mailing these out and running the same scam on FB without getting caught,
particularly from 2016 on, with the scrutiny placed on FB's illegitimate
political ads

~~~
SmellyGeekBoy
Surely it would be fairly easy for FB to fingerprint the "browser" running on
these devices and see that it isn't a regular user? At the very least get them
to jump through some hoops or enter a CAPTCHA or something?

------
Animats
Strangely, Reddit cut off comment on the topic, before the device was clearly
identified.

~~~
tedunangst
Yeah, I have no idea how it could accomplish what is alleged. Just lots of
very bad no good end of world comments. Have none of these people ever used
public wifi?

~~~
PhantomGremlin
_Have none of these people ever used public wifi?_

This situation is totally totally unlike public wifi!

When I connect to public wifi, the attack surface into my laptop is the
external interface of the latest MacOS, with firewall on. Perhaps there are
exploits against that, but they're not common. The Mac does have pf, but I'm
sure it's a way out of date version! :)

OTOH, "this thing" on the inside of a router/firewall has complete
unrestricted access to the LAN. At my house I have (and I just checked) 35
active IPs behind my firewall. It's not hard to get to that number for 4
people: iPhones, TiVos, laptops, desktops, access points, printers, gaming
consoles.

I confess I don't secure my LAN computers very well. I have, e.g. 3 letter
passwords. That's simply to keep my kids from accidentally going where they
shouldn't be.

I'm not alone in my lax security. I do occasionally peruse exit traffic and
check firewall logs, which probably puts me somewhere in the most secure 1% of
"typical" households.

And even if I were totally paranoid, what can I do about the Internet of shit?
Am I supposed to strictly segment everything? At what point does prudence and
caution drift into paranoia?

~~~
ryandrake
My rule of thumb is: if i have root on the device, it can go behind my private
LAN firewall. If I don’t have root, but the device requires Internet, it goes
in the guest network which gets throttled and has no access to my LAN. I also
scrutinize outbound more on this network. If I don’t have root and it doesn’t
need Internet? It stays airgapped.

~~~
xoa
Decent rules of thumb, though even with root I'd base it more on whether the
device really _needs_ general access or not. Speaking of which, a corollary I
use is: if an IOT device _requires_ internet access it's automatically bad and
I won't even consider it. If they want to offer some built-in but fully
optional "access away from home" that wants to use their cloud that's fine, I
can just block that anyway and use VPN. If it wants to access one specific
address for updates (though you don't have to) or as an optional passive
information feed I can see that. But anything IOT that depends on remote
resources for its core functionality is right out.

That eliminates a surprising number of IOT devices, but given the flood of
crap I think that's no bad thing. These days being able to have something be
LAN only with zero service tie-ins seems a decent low pass filter to narrow
down choices before diving any deeper.

------
KiDD
You will pay me to give you fake information and a free Raspberry Pi Nano?

~~~
King-Aaron
Where do I sign up?!

------
quickthrower2
Interesting that it is "worth" $15/month. Maybe they were never going to pay
up. But if they were, that seems expensive when they could just use
compromised PCs and devices for ... whatever they are going to do? Plus they
had to buy and supply the dongle.

~~~
abraham_lincoln
I wonder what the average time the user will disconnect it after they don't
get paid?

It may be worth it to just sacrifice it after a month. I am sure it is
profitable, but as people become more aware, it will be harder for them to do
this.

------
arayh
It seems like they're fishing for gullible Facebook users on Craigslist. I
found an example of a Craigslist posting that tries to "rent" your Facebook
profile:

[https://image.ibb.co/dzT9j9/rent_facebook.png](https://image.ibb.co/dzT9j9/rent_facebook.png)

~~~
wstuartcl
My guess would be either a MITM auth capture, rootkit inject or someone (even
a nation state) trying to attribute sources of illicit facebook ads/posts to
unsuspecting citizens.

I would not touch that with a 10 foot pole.

------
SmellyGeekBoy
I'd understand why someone would be tempted to install something like this for
$1500... Maybe even $150. But $15!? If you're that desperate why not get 3
friends to donate $5 each or something? I'm sure they'd understand if it was
truly life-or-death.

------
espeed
Here is the list of pinned domains [1] in Chrome:

Chrome Pinsets
[https://cs.chromium.org/chromium/src/net/http/transport_secu...](https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json)

[1] [https://www.chromium.org/sts](https://www.chromium.org/sts)

[https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning)

~~~
rocky1138
Makes me happy seeing my domains in there.

------
curiousgal
Free pi!

~~~
Topgamer7
Appears to be a nano pi neo
[https://www.friendlyarm.com/index.php?route=product/product&...](https://www.friendlyarm.com/index.php?route=product/product&product_id=132)

------
z3t4
Besides malicious intents and security disasters, these mini-servers could be
used for all kinds of cool _decentralized_ "self-hosted" services.

~~~
walrus01
A completely legitimate and valuable network engineering resource is run by
RIPE using small devices running openwrt:

[https://atlas.ripe.net/landing/probes-and-anchors/](https://atlas.ripe.net/landing/probes-and-anchors/)

A RIPE atlas probe is a small tp-link device that needs a LAN port on your
network and USB power. It forms a vpn back to RIPE, and uses traffic outbound
via the default gateway it gets via DHCP to report metrics like uptime,
latency to various destinations on the internet, what its external IP is
outside your NAT, what ASN it's on, whether your ASN is having reachability
issues to the "whole" internet, etc.

Many medium and large sized ISPs host RIPE probes at different geographic
locations in their networks.

~~~
swiley
I've had one of these running forever... I should go check and see what sorts
of queries I'm allowed to run on the collected data at this point.

------
King-Aaron
I guess this touches on rules 1 & 3 of the Ten immutable laws of security.
Maybe rule 4 to an extent as well.

[https://blogs.technet.microsoft.com/rhalbheer/2011/06/16/ten...](https://blogs.technet.microsoft.com/rhalbheer/2011/06/16/ten-immutable-laws-of-security-version-2-0/)

------
stcredzero
They Might Be Giants: "What's that blue thing doing here?"

[https://www.youtube.com/watch?v=HXmBs1OppXw&t=91](https://www.youtube.com/watch?v=HXmBs1OppXw&t=91)

------
swiley
Want to see what's in the initramfs. It almost certainly doesn't have his data
on it (it looks to me like it never writes anything to the sdcard, at least
not that partition)

------
amelius
Most of whatever their router sees, their ISP sees as well.

So I understand they are upset, but the panic is not warranted.

------
homero
It could be doing viruses and all that but they'd be better off using it for
proxying, scraping and ddos

------
dev_dull
Being a privacy nightmare, I can see how this data can be quite useful for
advertisers simply by sniffing DNS traffic:

* What sites do they visit?

* How long do they spend on each site?

* What apps do they use? (apps make http requests, after all)

* How long do they spend on these apps (providing it's making consistent http requests)

* What devices are they using to access these sites/apps?

Kind of like Nielsen ratings but for the web.
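The profile described in the list above falls straight out of a resolver's query log, which is why a device that can see plain DNS on the LAN sees it too. As an added example (not code from the thread or from dnsmasq), the script below parses constructed log lines written in dnsmasq's `log-queries` style and builds the per-device, per-site summary: how many lookups, when first and last seen, and the span between them as a rough dwell-time estimate. The log lines, addresses and the `site_key` heuristic (last two labels) are all assumptions of this example; running the same logic over your own resolver's log shows what a rogue box would have learned, which is the usual argument for encrypted DNS (DoT/DoH) and for keeping untrusted devices off the main LAN.

```python
"""Summarise the browsing profile visible in a plain-DNS query log.

Added illustration for the thread. SAMPLE_LOG is constructed in the dnsmasq
'log-queries' format and does not come from any real network.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log; the year is not present in syslog timestamps, so
# parse_queries takes it as a parameter (2018 assumed for the example).
SAMPLE_LOG = """\
Sep 27 08:00:01 dnsmasq[412]: query[A] www.chase.com from 192.168.1.20
Sep 27 08:00:02 dnsmasq[412]: query[A] static.chase.com from 192.168.1.20
Sep 27 08:14:30 dnsmasq[412]: query[A] www.chase.com from 192.168.1.20
Sep 27 08:20:00 dnsmasq[412]: query[A] graph.facebook.com from 192.168.1.31
Sep 27 08:20:05 dnsmasq[412]: query[AAAA] graph.facebook.com from 192.168.1.31
Sep 27 09:05:00 dnsmasq[412]: query[A] api.example-fitness.app from 192.168.1.31
Sep 27 09:35:00 dnsmasq[412]: query[A] api.example-fitness.app from 192.168.1.31
"""

QUERY_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(log: str, year: int = 2018) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, client address, queried name) per query line."""
    out = []
    for line in log.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # replies, cache hits and other lines are not queries
        stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        out.append((ts, m["client"], m["name"].lower()))
    return out


def site_key(name: str) -> str:
    """Crude site grouping: last two labels (an assumption; a real tool would
    use the Public Suffix List so 'example.co.uk' groups correctly)."""
    return ".".join(name.split(".")[-2:])


def profile(queries: List[Tuple[datetime, str, str]]) -> Dict[str, Dict[str, dict]]:
    """Per client, per site: lookup count, first/last seen and dwell_s, the span
    between first and last lookup (a rough proxy for time spent on the site)."""
    prof: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for ts, client, name in queries:
        entry = prof[client].setdefault(site_key(name),
                                        {"queries": 0, "first": ts, "last": ts})
        entry["queries"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    for sites in prof.values():
        for entry in sites.values():
            entry["dwell_s"] = int((entry["last"] - entry["first"]).total_seconds())
    return prof


if __name__ == "__main__":
    for client, sites in profile(parse_queries(SAMPLE_LOG)).items():
        for site, e in sites.items():
            print(f"{client} {site:22} lookups={e['queries']} dwell={e['dwell_s']}s")
```

The apps point from the list comes out the same way: `api.example-fitness.app` being re-resolved every half hour identifies the app and how long it ran, without any of its encrypted traffic being read.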

------
the_clarence
Can someone post the image here? I have blocked reddit on my phone.

~~~
cupar
[https://i.imgur.com/W30vAXk.jpg](https://i.imgur.com/W30vAXk.jpg)

------
negamax
The other roommate deliberately installed this for snooping!

------
myth_buster
Two extremes as displayed on same day:

a. Gizmodo says Facebook Is Giving Advertisers Access to Your Shadow Contact
Information and HNers are concerned

b. IRL, Roommate also gave them their Facebook email and password (for
$15/mth)

~~~
hiccuphippo
So Facebook doesn't care about people's privacy and people themselves don't
care about their own privacy. This is pretty demoralizing.

------
abraham_lincoln
I am just curious of the age group here.

------
bhaavan
TL;DR Roommate is dumb.

------
mrhackerpoland
My roommate received this device too.

Having observed its activity, it doesn't steal any data.

It simply sets up an SSH dynamic tunnel and uses your network IP for accessing
your Facebook account which you sold.

Why? Because Fb locks the account the moment it's accessed from a different
network from a different device.

Can it steal your data? Absolutely yes! Does it steal? Probably no.

Afaik, all they want is your fb account for which they pay you.
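Whatever the box is used for, the behaviour described in this comment (one LAN host holding an SSH tunnel out to its operator for days) is visible from the router without inspecting any payload. The following is an added example, not code from the thread or from any router firmware: it runs a simple triage rule over connection records of the kind a home router's conntrack table or a NetFlow export provides, and reports untrusted LAN hosts with long-lived outbound TCP flows to the internet. The `Flow` records are constructed (the remote addresses are documentation-range addresses), the six-hour threshold and the trusted-host list are assumptions, and a real check would read the records from the router rather than a literal.

```python
"""Flag LAN hosts that keep a long-lived outbound tunnel open.

Added illustration for the thread. SAMPLE_FLOWS is constructed, with remote
addresses from the TEST-NET documentation ranges, and does not represent
captured traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# RFC 1918 ranges used to decide which side of a flow is "inside".
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_LIVED_S = 6 * 3600  # assumed threshold; tune for your own network


@dataclass
class Flow:
    src: str        # LAN address that opened the connection
    dst: str        # remote address
    dport: int      # remote port
    proto: str      # "tcp" or "udp"
    age_s: int      # seconds the flow has existed
    bytes_out: int  # bytes sent by src


def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def suspicious_tunnels(flows: List[Flow], trusted_hosts: Set[str],
                       min_age_s: int = LONG_LIVED_S) -> List[Flow]:
    """Outbound TCP flows from untrusted LAN hosts to non-LAN addresses that have
    stayed open at least min_age_s. Trusted hosts (workstations whose VPN
    clients legitimately hold such flows) are skipped; everything else is a
    triage candidate, since many cloud-tethered gadgets behave the same way."""
    hits = []
    for f in flows:
        if f.proto != "tcp" or f.src in trusted_hosts:
            continue
        if not is_lan(f.src) or is_lan(f.dst):
            continue  # inbound or purely internal traffic
        if f.age_s >= min_age_s:
            hits.append(f)
    return hits


def describe(flow: Flow) -> str:
    return (f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
            f"open {flow.age_s // 3600}h, {flow.bytes_out} bytes out")


# Constructed records: a rented box, a laptop, an internal DNS lookup and a
# cloud-tethered gadget.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "203.0.113.10", 22, "tcp", 5 * 86400, 120_000_000),
    Flow("192.168.1.20", "198.51.100.7", 443, "tcp", 45, 20_000),
    Flow("192.168.1.20", "198.51.100.9", 443, "tcp", 9 * 3600, 5_000_000),
    Flow("192.168.1.40", "192.168.1.1", 53, "udp", 1, 100),
    Flow("192.168.1.60", "203.0.113.44", 443, "tcp", 8 * 3600, 2_000_000),
]
TRUSTED_HOSTS = {"192.168.1.20"}  # assumed: the owner's laptop with a VPN client

if __name__ == "__main__":
    for flow in suspicious_tunnels(SAMPLE_FLOWS, TRUSTED_HOSTS):
        print("review:", describe(flow))
```

The rule is intentionally port-agnostic: the tunnel in the comment uses SSH, but the same persistence would show on 443 or any other port, so the durable signal is age and direction, not the port number. The gadget on `.60` is reported too, which is the point of the trusted-host list and of ryandrake's practice of keeping such devices on a separate network where the candidates are few.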

