The curious case of the Raspberry Pi in the network closet

how we found, analyzed (with the help of Reddit) and in the end caught the culprit of a malicious device in our network

Posted on 2019-01-16

Last week I got a message from a co-worker with an image attached.

Message from my co-worker

I asked him to unplug it, store it in a safe location, take photos of all parts and to make an image from the SD card (since I mostly work remote). I have worked on many Raspberry Pi projects and I felt confident I could find out what it does.

At this point nobody thought it was going to be malicious, more like one of our staffers was playing around with something.

The parts

There were 3 parts:

  • A Raspberry Pi b first generation
  • a mysterious USB dongle
  • a 16GB sd card (a fast one)

USB dongle and SD card

First thing to do: Ask everybody who can access this network closet

The number of people who can access this small cabinet is very limited. Only 4 people have a key for this room:

  1. The manager
  2. The groundskeeper
  3. My co-worker
  4. Me

None of them knew anything about this so I asked my IT colleagues and they were as baffled as I was. I heard of people getting paid to put things like this in places they shouldn't and for this reason I was very interested in finding out what it actually does.

What is that USB dongle though?

To help me solve this mistery I asked reddit and surely enough they identified the dongle as a microprocessor, almost as powerful as the Rasberry Pi itself: the nRF52832-MDK. A very powerful wifi, bluetooth and RFID reader.

The nRF52832-MDK usb dongle

This was - no doubt - to give the old Raspberry Pi a wifi and bluetooth connection. Great so now this thing has wifi too..

Time to dissect the SD card image

The SD card has a few partitions. Most ext4 (linux) and one fat16 (boot)

GParted view of the image

Great, time to mount it.

My debian box told me the first big clue: It's a resin installation

Resin partitions on the SD Card

WTF is Resin?

Resin (now renamed to Balena) is a paid IOT web service where you can generate images for IOT devices, deploy those devices and get updates and data from and to resin.

Resin also installs a VPN on the device so the collected data is transferred securely. Obviously this device was meant to be picked up again since it leaves a trail as the service is a paid one.

Closer look at the partitions

First partition is called "resin-boot"

See something that catches your eye? We got a config.json. Quick jackpot?

config.json on the resin-boot partition

What we can extract from this file:

  1. The application deployed to this resin device is called "logger". Not a good sign
  2. We got a username. This seems to be the username for the resin account associated with this device
  3. Confirmation that the device used a VPN via Port 443
  4. A registration date. It was registered (or first deployed or set up?) on May 13th 2018

About that username..

When I googled the username found in the config.json file I found a person in the same town where this Pi was found. The company then checked their records for this person but found nothing.

Oddly enough I found a website from 2001 where parents of "gifted children" write articles about them and for some reason sign those articles with their home address and phone numbers. So I have a name and the address of this whole family.

Not the actual site but a similar one

This could be a wrong lead as usernames tend to be used by multiple people but let's just keep that name in mind.

resin-data

The data directory didn't have any data stored (as in: collected data) but there was a nodejs app which was heavily obfuscated and to this day I can't tell exactly what it was doing. It seems to talk via a serial connection to the dongle but I can't extract what data is actually collected. I can only assume that it collected movement profiles of bluetooth and wifi devices in the area (around the Managers office) and maybe raw wifi packets.

But I found something much more interesting: a LICENSE.md file

Screenshot of the LICENSE.md file

Odd.. Why would this nodejs app include a confidential piece of software? I googled the company from the copyright header and guess what?

The guy from the username I found in the config file is a part owner

It is beyond me why a co-founder of a company would distribute these devices around town but well..


Getting the attackers home address

Another very interesting thing I found was a file on the third partition (resin-state) in the path /root-overlay/etc/NetworkManager/system-connections/. The file is called resin-wifi-01 and guess what it contains?

It contains the wifi credentials to the wifi that was used to set the device up (or to test it). Definitely not the wifi of the company. And what do we do, when we want to find out a location associated with a wifi name? We go to wigle.net, enter the SSID (=wifi name) and it tells us where on the world it is found.

not the actual name and not the actual location

And guess what? The address we found of that gifted persons parents? That's exactly where our Pi was set up according to Wigle.net

Aftermath

How and when did the Pi even get there?

I checked the DNS logs and found the exact date and time when the Pi was first seen in the network. I checked the RADIUS logs to see which employee was at the premises at that time and I saw multiple error messages that a deactivated account tried to connect to wifi.

That deactivated account belongs to an ex employee who (for some reason) made a deal with management that he could still have a key for a few months until he moved all his stuff out of the building (don't ask..).

What now

Legal has taken over, I did my part and the rest is over my pay grade.

For me it was a very interesting challenge and I'd like to thank every person on reddit who helped me with one piece of the puzzle.


loading..

Tags: security | raspberry-pi | network

1ChrisHMgr4DvEVXzAv1vamkviZNLPS7yx
0x1337C2F18e54d72d696005d030B8eF168a4C0d95