The curious case of the Raspberry Pi in the network closet

2024-01-08 13:54:46

Last week I got a message from my dad (who works with me at a client) with a picture attached.

Message from dad

I asked him to unplug it, store it in a safe location, take photos of all parts and to make an image of the SD card (since I mostly work remote). I've worked on many Raspberry Pi projects and I felt confident I could find out what it does.

At this point nobody thought it was going to be malicious, more like one of our staffers was playing around with something.

There were 3 parts:

  • A Raspberry Pi B first generation
  • a mysterious USB dongle
  • a 16GB SD card (a fast one)

USB dongle and SD card

The number of people who can access this small closet is very limited. Only 4 people have a key for this room:

  1. The supervisor
  2. The groundskeeper
  3. My co-worker
  4. Me

None of them knew anything about this, so I asked my IT colleagues and they were as baffled as I was. I heard of people getting paid to put things like this in places they shouldn't, and because of this I was very interested in finding out what it actually does.

To help me solve this mystery I asked reddit and sure enough they identified the dongle as a microprocessor, almost as powerful as the Raspberry Pi itself: the nRF52832-MDK. A very powerful wifi, bluetooth and RFID reader.

The nRF52832-MDK USB dongle

This was – no doubt – to give the old Raspberry Pi a wifi and bluetooth connection. Great, so now this thing has wifi too..

The SD card has a few partitions. Most ext4 (linux) and one fat16 (boot)

GParted view of the image

Great, time to mount it.

My debian box told me the first big clue: it's a resin install

Resin partitions on the SD card

WTF is Resin?

Resin (now renamed to Balena) is a paid IoT web service where you can generate images for IoT devices, deploy these devices and get updates and data from and to resin.

Resin also installs a VPN on the device so the collected data is transferred securely. Clearly this device was meant to be picked up again, as it leaves a trail since the service is a paid one.

Closer look at the partitions

First partition, called “resin-boot”

See something that catches your eye? We got a config.json. Quick jackpot?

config.json on the resin-boot partition

What we can extract from this file:

  1. The application deployed to this resin device is called “logger”. Not a good sign
  2. We got a username. This seems to be the username for the resin account associated with this device
  3. Confirmation that the device used a VPN via port 443
  4. A registration date. It was registered (or first deployed or set up?) on May 13th 2018

About that username..

When I googled the username found in the config.json file I found a person in the same town where this Pi was found. The company then checked their records for this person but found nothing.

Oddly enough I found a website from 2001 where parents of “gifted children” write articles about them and for some reason sign these articles with their home address and phone numbers. So I have a name and the address of this whole family.

Not the actual website but a similar one

This could be a wrong lead, as usernames are usually used by multiple people, but let's just keep that name in mind.

resin-data

The data directory didn't have any data saved (as in: collected data) but there was a nodejs app which was heavily obfuscated and to this day I can't tell exactly what it was doing. It seems to communicate via a serial connection to the dongle but I can't extract what data is actually collected. I can only assume that it collected movement profiles of bluetooth and wifi devices in the area (around the manager's office) and maybe raw wifi packets.

But I found something far more interesting: a LICENSE.md file


Screenshot of the LICENSE.md file

Odd.. Why would this nodejs app include a confidential piece of software? I googled the company from the copyright header and guess what?

It's beyond me why a co-founder of a company would distribute these devices around town but well..

Getting the attacker's home address

Another very interesting thing I found was a file on the third partition (resin-state) in the path /root-overlay/etc/NetworkManager/system-connections/. The file is called resin-wifi-01 and guess what it contains?

It contains the wifi credentials to the wifi that was used to set the device up (or to test it). Definitely not the wifi of the company. And what can we do when we want to find out a location associated with a wifi name? We go to wigle.net, enter the SSID (=wifi name) and it tells us where in the world it's found.

not the actual name and not the actual location

And guess what? The address we found of that gifted person's parents? That is exactly where our Pi was set up according to Wigle.net
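As an added example (not code from the original post, and not balena's own tooling), here is a small triage script for the two artifacts discussed above: the config.json on resin-boot and the resin-wifi-01 keyfile on resin-state. The config.json field names are assumed from balena's config format, and the sample inputs are constructed.

```python
# Added example, not from the original post: triage helpers for a recovered
# resinOS/balenaOS image. Field names follow balena's config.json layout
# (applicationName, username, vpnPort, registered_at in epoch ms): an assumption.
import configparser
import io
import json
from datetime import datetime, timezone

def summarize_config(config_json: str) -> dict:
    """Extract the four indicators the post pulls out of resin-boot/config.json."""
    cfg = json.loads(config_json)
    registered = cfg.get("registered_at")
    when = (datetime.fromtimestamp(registered / 1000, tz=timezone.utc).date().isoformat()
            if registered is not None else None)
    return {
        "application": cfg.get("applicationName"),
        "username": cfg.get("username"),
        "vpn_port": cfg.get("vpnPort"),
        "registered": when,
    }

def summarize_wifi_profile(keyfile_text: str) -> dict:
    """Read a NetworkManager keyfile (resin-wifi-01 style); report SSID, never the PSK."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(keyfile_text))
    return {
        "ssid": parser.get("wifi", "ssid", fallback=None),
        "has_psk": parser.has_option("wifi-security", "psk"),
    }

# Constructed sample inputs; every value here is made up, not from the device.
SAMPLE_CONFIG = json.dumps({
    "applicationName": "logger",
    "username": "example_user",
    "vpnPort": 443,
    "registered_at": 1526169600000,  # 2018-05-13T00:00:00Z
})
SAMPLE_WIFI = """[connection]
id=resin-wifi-01
type=wifi

[wifi]
ssid=Example-Home-Net

[wifi-security]
key-mgmt=wpa-psk
psk=not-a-real-password
"""
```

On a mounted image, feed the script the real file contents instead of the samples; the SSID is what you take to wigle.net, the PSK stays in the evidence copy.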

How and when did the Pi even get there?

I checked the DNS logs and found the exact date and time when the Pi was first seen in the network. I checked the RADIUS logs to see which employee was on the premises at that time and I saw several error messages that a deactivated account tried to connect to wifi.

That deactivated account belongs to an ex-employee who (for some reason) made a deal with management that he could still have a key for a few months until he moved all his stuff out of the building (don't ask..).

What now

Legal has taken over, I did my part and the rest is over my pay grade.

For me it was a very interesting challenge and I'd like to thank every person on reddit who helped me with one piece of the puzzle.
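The timeline reconstruction above (first DNS sighting of the Pi, then RADIUS events around that moment) as an added example, not code from the original post. The log line formats and every name, address and timestamp below are constructed for this example and are not any particular resolver's or RADIUS server's real format.

```python
# Added example, not from the original post: correlate a device's first DNS
# appearance with RADIUS authentication events around that moment, the way the
# post's timeline reconstruction does. Log formats below are constructed for
# this example, not a real resolver's or RADIUS server's output.
import re
from datetime import datetime, timedelta

_TS = "%Y-%m-%d %H:%M:%S"

def first_seen(dns_lines, client_ip):
    """Timestamp of the first DNS query from client_ip, or None if never seen."""
    for line in dns_lines:
        ts, _, rest = line.partition(" query ")
        if rest.endswith(f"from {client_ip}"):
            return datetime.strptime(ts, _TS)
    return None

_RADIUS = re.compile(r"^(?P<ts>\S+ \S+) auth (?P<result>ok|fail)\((?P<reason>[^)]*)\) user=(?P<user>\S+)")

def radius_events_near(radius_lines, center, window_minutes=15):
    """RADIUS events within +/- window of `center`, flagged if the account is deactivated."""
    if center is None:
        return []
    span = timedelta(minutes=window_minutes)
    hits = []
    for line in radius_lines:
        m = _RADIUS.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], _TS)
        if abs(ts - center) <= span:
            hits.append({"time": m["ts"], "user": m["user"], "result": m["result"],
                         "deactivated": "deactivated" in m["reason"].lower()})
    return hits

# Constructed sample logs (dates, addresses and names made up).
DNS_LOG = [
    "2018-05-14 08:02:11 query A intranet.example.com from 10.10.4.20",
    "2018-05-14 08:41:03 query A api.example-iot.cloud from 10.10.4.77",
    "2018-05-14 08:41:09 query A vpn.example-iot.cloud from 10.10.4.77",
]
RADIUS_LOG = [
    "2018-05-14 07:55:40 auth ok() user=alice",
    "2018-05-14 08:37:52 auth fail(account deactivated) user=former.employee",
    "2018-05-14 08:38:10 auth fail(account deactivated) user=former.employee",
    "2018-05-14 11:02:00 auth ok() user=bob",
]
```

With real logs, adapt the two parsers to your resolver's and RADIUS server's line format; the window is the only tuning knob, and a deactivated account failing authentication minutes before a new device appears is the signal worth escalating.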
