Hacker News new | past | comments | ask | show | jobs | submit login
The curious case of the Raspberry Pi in the network closet (blog.haschek.at)
518 points by geek_at 3 months ago | hide | past | web | favorite | 155 comments



That's an amateur job. Resin explains it - you try to do some exfiltration via an external commercial service? Come on.

If the author had setup an encrypted partition where all the "real stuff" was found, and the key for such partition was in-memory only, possibly going alone one of the small rpi UPS/batteries to prevent minor electrical hiccups to make the whole operation fail.... it would have been almost impossible to get back at the author.

Also, using a nice "black box" that looked like a sort of electronic device, instead of some randomly put together rpi+pieces, would have made the device mostly invisible.

So: an amateurish hacking job.


> Also, using a nice "black box" that looked like a sort of electronic device

Disguised as one of those generic thermostat boxes on a wall it'd go unnoticed by 99.999% of people. Bonus points for a twiddly wheel.


Or even better: find an old ethernet switch, gut it (but keep the connectors) and put Raspberry PI inside. You will need to solder 6 wires for ethernet and power, but the pins are fairly large so this should be easy.

Even if discovered, most people would not bother taking it apart --- they'll just assume it is broken and throw it away.


This is exactly what I was thinking. Even the network admin would probably be like, "well, I don't think so but I'd better not mess with it, just in case it's how the CEO is getting internet". Unless of course they engineered the network originally.


Or as a PoE injector. Even better is to make it piggyback on an actual PoE injector plugged into legitimate hardware.


I have a 4 outlet "surge protection" power board with a Pi Zero W, and USB power supply, and 4 240V mains relays and drivers all neatly tucked/hidden inside... I use it as Wi-Fi controllable power points, not for pen testing, but at this stage that's just a software update...


Or a power plug...

Article: https://www.hln.be/regio/antwerpen/rechter-straft-it-special...

Check out the image in the article. They attached keyloggers and sent the strokes to the box. Saving them and once in a week dump them over to a car in the parking lot.

The original article is great, but the guy was really not putting any effort into it.


Or a box with a high voltage warning sticker. Unlikely anyone will want to toy with it.


A high voltage warning sticker is likely to gather a lot of attention, especially inside a network closet.

There are many rules related to where high voltage stuff should be, how it should be installed and who can access it. And unless you do it by the rules (unlikely), it will get caught up during a safety inspection.


Okay what about one of those biohazard stickers then?


The goal is to avoid being noticed or drawing attention. Do you really think a biohazard sticker in a server closet wouldn't draw attention?


Probably just the "meh, another wannabe logo" type - abuse of nuclear/biohazard warning signs is becoming an issue.

https://99percentinvisible.org/article/biohazard-symbol-desi...


Encryption was the first thing I expected when he showed the partition table; so much about the "gifted child" :-)

But even if you don't care, at least DON'T SIGN UP WITH YOUR REAL NAME to that service. What the freaking heck? I really hope they get what they deserve.


And to be honest a simple mail with a nice little attachment.exe and a little SE would have given the attacker the same result without the risk of physical penetration...


I hadn't realised that the wifi->address mapping was so publicly available. That means a list of wifi addresses that you've connected your phone to is also a location history. :(


Which is why Android restricts getting the current wifi SSID (WifiManager.getConnectionInfo()) or the nearby wifi SSIDs (WifiManager.getScanResults()) to apps with the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permissions. If an application doesn't have permission to know your location, it's also not allowed to know your wifi network's name.


.. from Android 8 (!) upwards.

(I'm still using a perfectly workable phone that is forever stuck on Android 5)


Does it mean you need to turn on location services as well, or just grant the permission? Noticed recently that WifiAnalyzer on fdroid needed location permissions (and explained why) but I never turn location on so just downgraded to 1.9.3.


Which phone? If you're willing to unlock the bootloader and flash a custom OS load, you could probably get 8 or at least 7.


Not OP, but my 2013 1st Gen Moto X (Verizon) is also stuck on 5(.1) and the bootloader is not unlockable.


I guess good time to point out XPrivacyLua[0], a privacy/permissions manager which should be default in Android imo (without having to root/install Xposed etc). But for the power users out there, worth it.

[0]: https://github.com/M66B/XPrivacyLua


Don't get your hope up like I did. From the readme:

     Installation
     Download, install and activate the Xposed framework
     Download, install and activate the XPrivacyLua module


IP addresses tend to have a relatively long lived association with a subscriber, often weeks. So an app which communicates out the wifi names naturally reveals the IP address (unless there is carrier NAT, i.e. on mobile, in Russia). So with a database of such information, the IP also reveals probable wifi names and hence location.


Upvoted big, because I was planning to get my SSID name for some sort of Chromecast wifi synchronisation for the devices.


What's even more fun is that your phone is also broadcasting those SSIDs to the world as you walk down the street, if you have wifi enabled, and likely also your unique MAC address.

So anyone in wireless range of you can 1) track you and recognize you again, and 2) possibly figure out where you work and live (although of course they may see your friends' wifi networks too and not be able to tell which is your network.)


Only if those SSIDs were configured as a "hidden SSID" (WifiConfiguration.hiddenSSID). AFAIK, that will only happen when you type the SSID manually, instead of selecting it from the list of scan results. And using a "hidden SSID" is a bad idea in the first place (https://superuser.com/questions/43836/automatically-connecti...).


That is entirely not true, both iOS and Android send out requests for known APs when not connected to Wi-Fi. iOS does it VERY often in fact (depending on your list of known APs, could be upwards of 50x/min while device is in use). If you have a wifi chipset you can put in monitor mode, it’s easy to see how noisy mobile devices are.


I looked at it back in 2015 (https://news.ycombinator.com/item?id=9217589), it seems there was a bug (https://www.eff.org/deeplinks/2014/07/your-android-device-te...) which sent these probe requests when the screen was off. I don't know if it has been fixed yet.


Don’t know about the bug you linked (will read up on it later), but I can easily provide radio captures to prove that most Android devices do what I described, with no “hidden” networks ever in use.

There are retail analytics startups who literally use this exact type of data to allow brick and mortar stores to gain insights into their passive customer behavior. Source: I used to work for one of them and designed and built a bunch of the hardware / software stack.


Phones don't broadcast previously-seen SSIDs. Where did you get that idea?


You are so wrong. Your phone is constantly broadcasting ALL the SSIDs it was ever connected to (and you did not remove).

I show this live when I do general security presentations. Live on stage with nothing more then a Raspi and a Wifi USB dongle.

It freaks people out to see there home, holiday, local bar, family in law and other historic SSIDs scroll by.


I suggest you Google "phones broadcast ssids". And then go get a stiff drink.


Set a wifi chip in monitor mode, fire up wireshark, then see for yourself. Rather easy to do and once you do, you’ll learn to keep wifi off when you aren’t intentionally wanting it.


On Android there are apps to manage this automatically. I'm using Smarter WiFi Manager myself, and it does work pretty well.


On iOS they have Shortcuts that can do something like that too.

It's real limited in what it does, but it can turn wifi / bluetooth / other stuff on depending on time, location, the usual stuff.

I would love to have a real "Tasker" type app for iOS, but I doubt that will happen anytime soon.


You can read up on it here:

https://robertheaton.com/2019/01/15/a-brief-history-of-wi-fi...

Looks like more recent phones are better about this, but there are still a lot of older phones out there! And there are still leakages that allow tracking.

Note that with "real computers", just keeping the software up to date is enough to get you the latest in MAC randomization and whatnot; with phones, you may or may not be able to upgrade your software. -.-


The now kind of forgotten Google row where it was discovered they were scanning all wifi networks while mapping speaks volumes to this. If you have a map that details signal strengths you can infer someones location pretty accurately (not gps accurate, but within the ballpark) even if they have location services off just by logging and plotting them against your wifi coverage map.


The thing that people were upset about was that Google Street View cars didn't only scan the public SSIDs, but also recorded all (open) network traffic.

https://www.theguardian.com/technology/2010/may/15/google-ad...


oh yes I remember and they still use the data they collected. I lived in Vienna for 30 years and just recently moved to the country side.

There are no wifi hotspots around me so when I set up my old wifi (same ssid as before and same hardware (bssid)) and checked my phone on google maps it was saying that I still am at the old place because it had not GPS at the moment and then google maps checked the SSIDs around me and looked up where those are located

Was a very weird thing


Both, actually.


Mozilla also has an opt in service where you can upload WiFi details you pass. Its useful for locating your device faster than gps


Knowing this from an Opsec perspective, it would also be better to use generic SSIDs for any wifi networks you're setting up. Something with a name like 'internet' or 'wifi' would be so generic that it would be impossible to pin down.

I tried to check numbers on WiGLE but it's being painfully slow for me.


Yeah it's returning 502 Bad Gateway errors (AFAIK that's what a CDN would return if it can't reach the actual host), probably a HN/reddit hug of death?

I just realized people can track my relocation across cities and countries if they can see "Ah this SSID was there last month, and here this month!".


My parents moved countries, bringing their WiFi router, and for months afterwards their iPhones would locate them back in the old country... Apple's database was quite slow to pick up the new location.


That's a bit of a simplistic programming, the phones should've seen other SSIDs around it and figured out they're not in Kansas any more. Except if your parent's WiFi network is the only one around the area.


They should be aware that some wifi channels are not legal in all countries.


True but there's also the MAC address...


You are right, you should definitely not feel safe when using a generic network name. In the file that OP posted, the MAC address was missing though. Doesn't mean that it wasn't present on the device. Android used to write the MAC address to logcat, nowadays it's off by default. Sometimes the MAC address of a network gets stored to wpa_supplicant.conf. I'm sure that NetworkManager reports the mac address in journald as well.


This can be spoofed I guess?


Yes

macchanger (I use a custom script that works better for me. Also does magic in places with limited interned, e.g. free 100MB limit)


You would want to look at a database of the most common MAC addresses and SSIDs (maybe even pairs of them) and spoof your MAC address and SSID to match one of the most common pairs.

But it won't help much if there are any other wifi networks or devices around.


"McDonalds Free Wifi" and a MAC address swiped from a nearby (but not so close your Wi0Fi signals will intersect) Mc Donalds...

For enhanced sneakiness, deploy three or more Wi-Fi base stations at the same location with the radios tx power turned right down and directional antennas - and try to make the geometry lookalike it's just a lucky long range shot to a real public/free wifi behind the antennas...


SSID is not significant. You can use a Google service to get a location, and what you need to supply is 3 or 4 mac addresses, not SSID.


This would by why my more security-conscious friend names his home network "NETGEAR".


Your friend should read more on WPA2: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking...

SSID unique data is hashed into the password. If you use a very common name there will be a precomputed rainbow table that will make cracking much faster.

https://www.renderlab.net/projects/WPA-tables/

Ideally you would rotate your SSID regularly, but of couse that is a massive pain.


The concern of having your wifi password hacked vs being tracked may be of different concerns for different people.

(Besides, it can be useful to treat your LAN as hostile, anyway, with rampant IOT and friends etc.)


Also I should have pointed out that GPUs crunch WPA2 pretty quick these days too, it is best to use a really long passphrase. There are too many ISP supplied systems with a default password like "9K141U".

It definitely seems like a good idea to put IOT things on a different subnet. I've not met a home router yet that allows me to put proper filters on devices. DD-WRT I guess. But there are so many patches which should be applied, I'm sceptical of old firmware for routers.

At the moment I have an embedded linux device with a wifi dongle and giant antennas. The modem box can probably still be hacked remotely (from the ISP), but at least I'm able to prevent any device on the network from talking to it and using some simple rebinding or XSS attack. (E.g.: https://www.gironsec.com/blog/2015/01/owning_modems_and_rout... http://www.routerpwn.com/ )


> Also I should have pointed out that GPUs crunch WPA2 pretty quick these days too

How quickly, really? I remember a while ago I had a discussion on here where someone told me a hash method was insecure, as you could crack it with a GPU. I downloaded hashcat, put in the hash of a 6 character string, and left it running overnight on a GTX1070 and it was still going.


The hash method (SHA1 iterated 4096 times) is quite secure for this purpose. Even md4 would be fine. Of course, lots of Bitcoin ASICs are designed to compute SHA256 fast, but they are very fixed function and lacking the bandwidth to a CPU to stream in passwords. Also, they are just a constant factor better than what a GPU can do. I'm sure the NSA and other peers have rooms full of ASICs devoted to WPA2 though.

A good GPU cracker rig will get 500k hashes/second per GPU. That is still very slow compared to the search space of a 12 character [a-z][A-Z][0-9][@#$_&-+*"':;!?~|{}%] password.

For a 6 character string, it still depends on what mask you are providing, or what the search space is, i.e are there requirements like one or more upper, 1 or more digits, or is it purely random from a RNG?

Still, if it isn't breaking it within a day I'd say you are in CPU mode, where a multicore box is still only 5k hashes/second.


I know a few people who think they're being clever by doing things like this (playing with their (E)SSID). I'm still patiently waiting for one of them to learn what a BSSID is.


Too bad wifi location services use Mac addresses (BSSID) instead of ESSID. If anything, it’s probably worse because you’re revealing your real MAC address every time it tries to connect to those APs. Normally most phones scan with randomized Mac addresses but the randomization turns off when it tries to connect.


This is exactly what android does when it uses WiFi for location tracking


By appending ‘_nomap’ to the end of your Wi-Fi hotspots you could opt out of all Wi-Fi network tracking and means your hotspot will not be used for improving location fixes on mobile devices.

(only honored by google, other OSs need different approaches)


This is a terrible standard, unfortunately. This makes branded or "clever" SSID's difficult and awkward. (And Microsoft has a different standard too ...)

https://krebsonsecurity.com/2015/07/windows-10-shares-your-w...


interesting doesn't have mine in the UK maybe its just USA


no, I'm from Austria and it works here too. But it doesn't magically get all SSIDs from the planet, someone in your are must have the wigle app that records those info. It's crowd sourced


Mine too - from an address I moved out of ~6 months ago though...


It's wherever a contributor has been.

Our home SSID isn't there, but a neighbour's network is visible on the street outside and is listed.


I thought the same when I went to my country, but after a longer while a heatmap pops up. My wifi isn't in it though.


It does now ;)


I hadn't either. Also what is the deal of random people contributing to the database at https://wigle.net/, why don't you mind your own business? There is a big difference between broadcasting the SSID in a 20-50m radius and effectively broadcasting it world-wide.


Google and other entities already have that data. Building open databases like wigle.net or https://location.services.mozilla.com/ seems good to me because:

1) It allows building alternative location providers that make it possible to have an Android device that doesn't rely on Google maps.

2) Publicizing the existences of these databases might make the general public more conscious of privacy and data protection issues involved.


1) I don't find such location-providers a good addition to society.

2) That is like saying you go around kicking people in the crotch to make them more conscious about the benefits of learning self-defence.

Update:

> Google and other entities already have that data.

How is this an argument FOR gathering sensitive information about the people around you? Should you also look to their trash and digitise any documents they throw away and make a website that allows you to search through these documents? You could argue that Google or some other entity already has that information anyway.

You could also argue that this would increase consciousness with regards to the privacy concerns of your trash.


Re #2 maybe if a few people got kicked in the crotch, there would be a groundswell of support to pass laws restricting who can kick you in the crotch and under what circumstances.

Of course, the likely outcome is that only big multinational corporations with a legal team are allowed to kick you in the crotch.


Re: #1 I think they are a good addition to society because otherwise every device has to rely on satellite positioning, which is slower, generally less accurate, and prone to failure indoors or around tall buildings.


I prefer privacy over location data to be honest.


The practice is questionable at best, but it's a good reminder about that everying sent with radio waves can be picked up by others even if they were not the intended recipients and no matter if you want them to or not.

It's pretty much like leaving the front door unlocked -- it would be unethical to use it to go inside and steal your stuff but we still need to lock the door if we want to reduce the chance of someone stealing your stuff.

Tips for avoiding this:

- Change SSID at least once per year.

- If your router support multiple SSID's, turn the current one off and use the next one in the settings instead -- it will usually result in the MAC address being changed as well.

- Do the above whenever you move the router from one location to another.


For fun I guess, been around since the beginning of Wi-Fi access points. I guess a similar kind of fun to geocaching, etc.

https://en.wikipedia.org/wiki/Wardriving


I am aware that they must find it fun, but I am challenging the ethics of this 'fun'. I think this information should not exist anywhere and even if it did, it shouldn't be made public.

Geocaching and trying to gather as much privacy sensitive information about the people around you are two different things. With geocaching there aren't any parties involved that are unaware of the activity who are still negatively impacted by it.


Me neither, but I think the whole point of this article was to promote wigle.net.


Have two questions after reading the article

1) What are DNS logs?

2) What are RADIUS logs?

Would someone be so good as to answer?

Thanks in advance for help you could provide.

Edit :- This got downvoted. Don’t know why should anyone asking an honest question be marked down. Am I not allowed to ask technical questions in comments section?


Every time a device joins the corp. network, it gets an IP Address (DHCP) and a network name (DNS) from our servers.

RADIUS is the authentication method for wifi. In larger offices you don't just share the same password for all users, but rather set up a RADIUS server that manages individual accounts. So every employee has their own username and password for wifi. Also called WPA2 Enterprise


RADIUS predates wifi by a few years. :-) It was originally centralized authentication for dial-in systems: https://en.wikipedia.org/wiki/RADIUS


DNS logs -- logs of name lookups to the internal DNS server, which will include source IP of the DNS lookup (note: UDP, can be spoofed). Look up source IP in DHCP lease table to find hostname and mac address of device on wifi that is assigned that source IP.

RADIUS logs -- RADIUS = AAA server (authorization, authentication, accounting). Basically, a server that answers the question "given these credentials, what resources can this user access?" All new connections to the network will show up in RADIUS logs. As a user, when you have your "own" wifi username and password (e.g. on an access point configured to use WPA Enterprise), usually what happens is the access point asks an external RADIUS server to authenticate the credentials, and then the DHCP server asks the RADIUS server to authorize the user for an IP address assignment.


You probably got downvoted because you can just use Google to answer those questions.


I appreciate having the question asked and answered right here in the comments.

won't someone please think of the lurkers


I don’t think I broke any HN rules. Did I?


I didn't downvote you. Perhaps the downvoters did that because they felt your post not interesting enough. Read the guidelines (link at the bottom of the start page), especially:

> On-Topic: Anything that good hackers would find interesting.

Something which is common hacker's knowledge and easily googleable is probably boring.


that's for posts, not comments.


Did a quick Google search. Found this. Is it relevant to RADIUS logs I asked above?

https://en.m.wikipedia.org/wiki/RADIUS


yes, it's that RADIUS. Their WLAN access points use that protocol to check if a username/password they're given is acceptable.


Reminds me of the people getting paid to install rogue devices like this, e.g. https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/fou...


The attacker's setup is really, really bad. But it's very interesting to see a drop device being used in the wild. I assume that if amateur solo actors are doing this, then organized crime rings are for sure.


Yes, very much. Not only are they doing it but they're peddling it to the unwary. https://news.ycombinator.com/item?id=18919906


It is possible that there is a second device that does a sniffing part. This device may be a relay for the second device. They could be connected via Bluetooth, hence the Bluetooth dongle.


I agree. Like a keylogger on a wired keyboard which exfiltrates via the bluetooth dongle. That dongle was there for a reason.


It didn't really talk about what it "logged", that would have been interesting to know what data was being stolen.

Great article though, very interesting read.


As the article concludes with "Legal has taken over, I did my part and the rest is over my pay grade.", I think the author is not allowed to disclose this publicly.


I think the author just doesn't know what it does. From his Reddit post [1]:

>Still no idea what it actually does except for the program being called "logger", the bluetooth dongle and it being only feet away from secretary / ceo office

[1] https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_rasp...


One can speculate something along, "the neighbor kid, ABC, is pretty smart, perhaps he can help me set up some way to know if someone is around at work?".


Or, management asking the ex. employee to drop a logger on the network to snoop because "we really don't want our IT guys to know".


If OP shared the nodejs app I think somebody would be able to figure out what it does. I'd certainly have a go.


the article makes the massive assumption that the 'gifted person' whose name and home address were exposed is also the person who wanted it in the closet.

Either that person has phenomenally bad tradecraft, or they are actually innocent.

There are so many plausible ways in which the 'gifted person' is not in on the plot; for example, they may have sold the pi to the disgruntled employee before the employee was disgruntled or with no idea of the use that the disgruntled employee would put it too.

Have to kind of hope thats how it all ends up.

When I was young I often set up computers and stuff for others. These days I try and get slopy shoulders when people ask me for tech support, and if there were a young gifted wizkid nearby I'd be sending a lot of innocent business their way....


I didn't see that assumption anywhere in the article. He just followed the leads, collected the evidence and connected the dots. The device was set up in the gifted kid's home, and used a webservice paid for by the gifted kid's company. The device clearly comes from the gifted kid. Was he also the one who wanted the device in the closet? That's the one thing we don't know. That, and the relationship between the gifted kid and the ex-employee.

Further legal investigation will no doubt follow. Maybe gifted kid is involved in something illegal, maybe not. Hopefully we'll hear more about this in the future.


Yeah the link title here on HN is "How I got the home address of the person that put a RasPi in our network closet"

Which is interesting, because I double-checked and the article is actually more circumspect: "The curious case of the Raspberry Pi in the network closet how we found, analyzed (with the help of Reddit) and in the end caught the culprit of a malicious device in our network"

They find the home address and name of the person who prepared the pi (although we don't know it was the person who installed the 'logger', whatever that is etc). And they have identified the disgruntled employee who seems to have installed it. Two separate things.


Good point. The original HN title did indeed imply the "gifted person" was the one who put it there. I notice the the title has now been changed to the article title.


Initially he suspected, but didn't jump to conclusions. It was only confirmed after matching the WiFI SSID.


It was confirmed that the kid set it up, and that the kid never had access to the network.

An investigation will have to see if the kid has anything to do with the attack at all.


The kid was a kid in 2001, should be at least in his/her twenties now.


The author explicitly refrains from jumping to conclusions until acquiring more conclusive proof by matching the username from the config file to the license file, and correlating that to the SSID location.

> This could be a wrong lead as usernames tend to be used by multiple people but let's just keep that name in mind.


The gifted kid site was from 2001 no? So the gifted kid is an adult now.


This person's wiring closet needs to have all Ethernet switch ports in a default 'shut' state and assigned to a quarantine vlan.

It's amateur hour if you can just plug in any random rpi, it gets a DHCP lease, access to the company lan, and a route to the outside internet.


That would be best practice.

However I don't mind being able to get LAN internet at a hotel that wants me to pay $24 per day for wifi when they have VoiP phones that have internet access...


I often bring a small wifi router with me, hook it up to Ethernet (often taking the TV or phone ethernet connection), then set up a local wifi that I can connect a Chromecast to. That in turn sits in the tv, of course.

That gives me internet and streamability/casting to the tv :)


I often find that tethering to T-Mobile LTE is better than whatever misconfigured, screwed up NAT/gateway a hotel has.


Agreed.

Every single hotel I’ve been to in the last year or so has pitiful bandwidth, which is completely saturated after dark once everyone fires up Netflix and lets it run all night long.


Ha! Good to know.


Or, even better, your services need authentication and authorization even on internal network, with some sort of SSO and/or federated authentication, so it actually doesn't matter where you are. Google's own BeyondCorp initiative works kind of this way.

Getting a route to the outside internet is not such a big deal; access to internal data is.

By the way: it's "amateur hour" if, as you say, that happens for a switch in a public/semipublic area in an office structure. On the contrary, I've seen a lot of "all-enabled" switches if those were accessible just from INSIDE the datacenter, where few people had access. It's not a really reasonable scenario.


Yes, the "amateur hour" is giving an ex-employee the key.


They were allowed to keep the key.. I think focus on shutting off ex-employees is exaggerated given that they can plan as disgruntled employees.


It’s amateur hour if being on the company LAN means anything more than being on Starbucks WiFi.


Well, that's the status quo.


Bit of a Agatha Christie style who dun it.

Fixed number of people it could be ... and it turns out to be the ex employee ... who would have thought.


The butler ... ahem ... ex-employee always does it.

I'm pretty shocked at how obvious they left this. Surely they knew it would be found one day?


Perhaps it’s more like ”Who framed Roger Rabbit”?

Always suspected that Agatha was a bit simplistic. Maybe the real bad guy always gets away!


Plugging out is kinda bad idea, I would start with cold boot attack just in case sd card would be encrypted.


What would that involve? I'm guessing making a bookable SD card that dumps memory, unplugging and quickly replugging the power cable, and then booting that card? Or do you need something more specialized?


I don't think that you can, manually, swap SD cards (on a running system! That alone would trigger all sorts of quirks, unless you're running off initramfs, tmpfs or an external storage device.) and toggle power so quickly that the RPi reboots but doesn't erase RAM. I mean, you might get very lucky, but the boot process is heavily stacked against you - the bootloader on your SD card gets executed fairly late in the boot sequence: https://raspberrypi.stackexchange.com/questions/10442/what-i...


I meant you'd swap the card when the system was off, not when it was on.


Power off, swap cards, power on? That's a multi-second task, even if SDRAM didn't reset during boot stages.


I mean, you could swap the cards live, but I'd be worried about the electrical end, not the debounced and processed signals coming from the OS - although if I were writing a malicious package, device tree changes would also trigger all sorts of alarms. (Had a bad contact on an SD card once - the effect of disconnect-reconnect on the running OS was...spectacular, but in a bad way. In the better case, it fluctuated the board voltage enough to reboot.)


My thoughts as well. Great job regardless, someone is in trouble! :/


On the Reddit post this originated from [0], it says that the motivation from the ex-employee was "help us identifying wifi problems and tracking users in the area around the Managers office". Makes me wonder if it was malicious or just stupidity.

[0] https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_rasp...


Well, Co-founder of Makerdiary is here :)

I love this article, and I wanna promote our works in this thread :)

We are build some little Nordic nRF52-based widgets for maker with a lot of documents, you can find more wiki at here[1][2]. And we are try to use MESH network technology to protect our IoT data, here is some tutorial for BLE MESH[3] and OpenThread MESH[4].

BTW, if you are intersted in FIDO U2F security key, please check here[5], an open source FIDO U2F implementation on nRF52 SoC.

[1]: https://wiki.makerdiary.com

[2]: https://blog.makerdiary.com

[3]: https://blog.makerdiary.com/getting-started-with-bluetooth-m...

[4]: https://blog.makerdiary.com/build-a-thread-network-with-nrf5...

[5]: https://github.com/makerdiary/nrf52-u2f


I'm shocked they used a commercial service to store their entire codebase. That could be easily subpeonad and if its a paid plan they will be dead in the water.


You guys just killed wigle.net :(


Intereseting, at every hint found in the blogpost, i was trying to guess the next steps, fun !


It might have been better to call the FBI as soon as nobody could identify the device. However, the conclusion was quite satisfying.


This is a textbook case where of amateur sleuthing is a bad idea. We're not all Tsutomu Shimomura.

If there is a criminal (or civil) case, there has been no chain of custody. If you find something like this, don't even touch it, get someone qualified.

Secondly, it seems highly likely the person who created the image is not the person who emplaced it. The use of a VPN is hardly an indicator of evil intent. At least the author did not put any names in their publication.



Mr Robot, this 'gifted' kid is not.


CSI: Cyber :)


nice detective work :D cool


Yeah, and a big F for that "gifted person".


To the ex-employee.

There was no conclusion drawn as to the involvement of the gifted kid other than the pi initially being set up by them.


Yeah, but it was the setup that included all that information about him. That's why I said "F". An OPSEC fail. For the ex-employee, it was failure in judgment. And also OPSEC failure, for not checking the device for compromising information.


> Legal has taken over, I did my part and the rest is over my pay grade.

Wow, I never wanted to work in a company where I had to say this. Really, if the pay grade decides which human you are, I better get no money but can do whatever I want, like go to that person, ring on its door and ask it about its plans.


That term generally means "it's not my decision to make," it does not necessarily have to do with how much anyone gets paid. In this context he's saying that he did his part, discovering the device, and from that point forward the decision to pursue legal action (or something else) is not his to make.


So you want to personally go to the door of a person who already committed a serious crime? A crime against your workplace even, not against your person. That is a highly questionable action, to say the least.


There really is a point where it's better to let legal take over if you're not a legal expert yourself. I assume the police is going to have a chat with the ex-employee and the gifted kid.


"beyond my pay grade" is just an expression, it doesn't really refer to pay exactly, it just means it's someone else's responsibility


though if I remember correctly, it comes from the military where seniority (and thus decision-making capability) and pay grade are explicitly linked.


This sounds like a great way to get into a dangerous situation.


And to mess up legal cases.


Yepper! Chain of Custody MUST be recorded and preserved. Document Document DOCUMENT! EVERYTHING. From the moment it was found to who/where it went next, to every step you took with it.

This guy clearly was following that and did his due diligence of step 1 being, make a backup of the device. Then you have a record of everything as near time of discovery as possible, so if you're investigation hoses everything up, you can restore and start over.

The author is also correct in that once he's done his investigation, he passes it all on to the next level to do their job. So in his case, he's done. There is NOTHING else he should be doing. If he does it really could hose up any/all legal action.

Kinda like getting to court in a Sexual Assault case and finding on the arresting officer forgot to read the guy his Miranda Rights.... You can have 100% proof this is the guilty party, but he goes free because someone in the chain of custody hosed up their part.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: