Naked Security

Reddit helps admin solve mystery of rogue Raspberry Pi

Finding a mysterious circuit board plugged into a network that you are tasked with managing is always going to be a disconcerting moment for any sysadmin.
Now imagine the device isn’t just connected to the network but plugged directly into a LAN switch located inside a cabinet in a supposedly secure, locked room.
Who put the device there? What was the equipment doing before it was found?
It’s a mystery that faced a sysadmin, geek_at, at a college in Austria earlier this week. According to The Register, the sysadmin took to Reddit to find answers.
The primary evidence was the device itself, an original Raspberry Pi Model B revision 1 from 2011 – a bit of a collector’s item these days.
Plugged into one of the Pi’s USB ports was a dongle enabling Wi-Fi and Bluetooth, the former connecting to an unknown SSID.
This dongle, it later transpired, was an nRF52832 system-on-a-chip development board of the sort popular with Internet of Things (IoT) tinkerers (a clue here). The nRF52832 is a Bluetooth Low Energy chip with no Wi-Fi radio, so the Wi-Fi link came from a separate adapter.
The boot image on the Pi’s SD card turned out to be balena.io’s IoT development platform, running Docker containers that were being updated every 10 hours.
An important detail: the device’s communication with whoever was controlling it happened, suspiciously, across a VPN, which would hide both the destination and the content of that traffic from the college’s own network monitoring.

Unidentified Network Object

The setup looked like an unauthorised and rather irresponsible experiment in IoT, but the possibility of something rogue couldn’t be ruled out.
Reddit being Reddit, there was no shortage of theories:

  • Perhaps it was a spot of pen-testing by a red team.
  • Or a sophisticated attempt to gain backdoor access to Bluetooth or Wi-Fi traffic.
  • Or perhaps the test was to see whether admins noticed it sitting in plain sight in the first place.
  • Did the organisation whose network it was connected to do anything that might interest hackers?

Replied geek_at:

We’re in the educational field so I don’t think it’s what’s IN our network but rather the network itself. Maybe to obfuscate some traffic the attacker creates.

Other commenters fretted that perhaps the sysadmin should call the police and pass the problem to someone on a higher pay grade.
It’s easy to understand why finding a Raspberry Pi connected to your network cabinet could be unsettling, but wouldn’t a professional criminal have taken more care to disguise it?
Eventually, geek_at was able to shed some light on matters:

At the moment it looks like a former employee (who still has a key because of some deal with management) put it there. I found his username trying to log in to Wi-Fi (blocked because user disabled) at 10pm just a few minutes before our DNS server first saw the device. Still no idea what it actually does except for the program being called ‘logger’, the Bluetooth dongle and it being only feet away from secretary/CEO office.
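
The attribution above rests on one correlation: a disabled account failing to authenticate to Wi-Fi a few minutes before the DNS server first saw a new client. The script below shows how that correlation can be automated over logs. It is an added example, not code from the article or from geek_at; the log formats, field names, account names, addresses and domain names are constructed for illustration, and the baseline of known clients is assumed to come from something like a DHCP lease table or asset inventory.

```python
"""Correlate rejected Wi-Fi logins (e.g. by disabled accounts) with the first
appearance of a previously unknown client in DNS query logs.

Added example; not code from the article or the Reddit thread. Log formats,
field names, addresses and domain names below are assumptions, constructed
for illustration only."""
import re
from datetime import datetime, timedelta

# Constructed Wi-Fi controller / RADIUS-style authentication log (not real data).
AUTH_LOG = """\
2019-01-16T21:40:02 wifi-ctrl auth: user=asmith result=ACCEPT
2019-01-16T22:03:11 wifi-ctrl auth: user=jdoe result=REJECT reason=account-disabled
2019-01-16T22:03:40 wifi-ctrl auth: user=jdoe result=REJECT reason=account-disabled
2019-01-16T22:15:09 wifi-ctrl auth: user=bwong result=ACCEPT
"""

# Constructed DNS query log; a client's first line is when the resolver first saw it.
DNS_LOG = """\
2019-01-16T21:41:00 dns query: client=10.20.4.17 name=mail.example.edu type=A
2019-01-16T22:09:52 dns query: client=10.20.4.201 name=updates.example-iot.test type=A
2019-01-16T22:10:30 dns query: client=10.20.4.201 name=vpn.example-iot.test type=A
2019-01-16T22:16:00 dns query: client=10.20.4.33 name=www.example.edu type=A
"""

AUTH_RE = re.compile(r"^(\S+) \S+ auth: user=(\S+) result=(\S+)(?: reason=(\S+))?")
DNS_RE = re.compile(r"^(\S+) \S+ query: client=(\S+) name=(\S+)")


def parse_auth(text):
    """Parse auth lines into dicts with ts/user/result/reason (reason may be None)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, user, result, reason = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "result": result, "reason": reason})
    return events


def first_seen_clients(text, known_clients):
    """Return {client: (first_ts, first_name)} for clients not in the baseline."""
    seen = {}
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, name = m.groups()
        if client in known_clients or client in seen:
            continue
        seen[client] = (datetime.fromisoformat(ts), name)
    return seen


def correlate(auth_events, new_clients, window=timedelta(minutes=15)):
    """For each new client, collect non-ACCEPT logins in the window before it appeared."""
    findings = []
    for client, (first_ts, name) in new_clients.items():
        suspects = [e for e in auth_events
                    if e["result"] != "ACCEPT"
                    and first_ts - window <= e["ts"] <= first_ts]
        if suspects:
            findings.append({
                "client": client, "first_seen": first_ts, "first_query": name,
                "users": sorted({e["user"] for e in suspects}),
                "reasons": sorted({e["reason"] for e in suspects if e["reason"]}),
            })
    return findings


def run(known_clients=frozenset({"10.20.4.17", "10.20.4.33"})):
    """Assumed baseline: known_clients would normally come from DHCP leases or an inventory."""
    return correlate(parse_auth(AUTH_LOG), first_seen_clients(DNS_LOG, known_clients))


if __name__ == "__main__":
    for f in run():
        print(f"{f['client']} first seen {f['first_seen']} (queried {f['first_query']}); "
              f"rejected logins in the prior window: {f['users']} {f['reasons']}")
```

The baseline matters: with an empty `known_clients` every client that happens to query DNS is treated as new, and the same rejected logins get attached to an ordinary workstation that merely appeared later in the window. The window size is a judgement call too; 15 minutes suits a person walking from a failed Wi-Fi login to a switch cabinet, but a longer one will pull in unrelated failures.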

Several lessons here, starting with the obvious one: asking Reddit for an opinion can leave you with plenty of helpful insight, but perhaps more than you expected, or indeed wanted.
The other is the power wielded by insiders, even ones who have left an organisation.
Just because they’re gone doesn’t mean they’ve left, especially if someone has unwisely given them a key to the network room.

Comments

“At the moment it looks like a former employee (who still has a key because of some deal with management)” What? An employee who is no longer employed and still has access to an educational building? Sounds like one hell of a lawsuit waiting to happen. Not to mention new management.

CISA here. Thinking about the IT controls that have been ignored. Documentation of the issue of physical keys allowing demands for same on separation. Periodic changes to key locks. [Simple swap will work.] Network documentation to discover changes to configuration. Routine security software runs to identify and discover configuration changes. Control and standardization of UIDs to identify users for remedial actions. Documentation of logical security permissions to allow removal on separation. Procedures for removal of same and documentation of removal. The issue here is negligent management that has no concern for the serious damage that the perpetrator can potentially cause. RISK IS REAL, folks!! And those who ignore it will pay with career altering events.

Been there before though; if you were on (say) a keyholder roster, then they might offer you a one-off payment to hold a key for a few months after no longer being an employee, in case emergency access is needed out of hours (until everyone who might need emergency access has been updated with the new details). Similarly, if you held a lot of institutional knowledge that couldn’t be handed over within the offboarding timeframe, you might be offered a retainer to be “available” to help out (at an hourly rate) for a period after you leave. In theory, all that should be documented and available (or you have a bus factor of one, never good even if you aren’t leaving) but in practice… yeah, that doesn’t happen.

I once worked for a major university; in the summer they would hire temporary labor to assist with prepping the dorms for the next year. The Building Maintenance Director, and his underling the General Maintenance Supervisor, how can I say this, liked to hire snitches to keep tabs on the university’s permanent maintenance staff. One of the temps was in good with the Director and had been given a set of keys; even we, the employees, could not get into areas this temp could go. So now the end of the story: this temp had found his way into an area where the Library stored its Pre-Columbian pottery collection. Well, over the next year or two, this gentleman proceeded to help himself to the collection, and by the time he was finally caught, let’s just say the Library had a Pre-Columbian pot collection. Moral of the story: institutions of higher education are sometimes staffed by incompetent individuals who will do anything for a boot lick.

Thirty years ago, I worked for a major university. We all had “superkeys”: Nth-generation copies of a long-ago master key. This avoided having to carry and sort through a pile o’ keys for different doors, all of which we had access to anyway.
I’m hoping this is no longer the case, but I wouldn’t bet on it…

It sounds like you had a multiple master key system with sub master keys for specific areas and grand master keys that opened everything. This was pretty common in large facilities like schools and probably still is. Back in high school a friend had almost everywhere access because he had a sub master, a spare lock cylinder and a control key for swapping lock cylinders so we could convert a lock to work with the key we had.

This is impressive. I want to know how the story ends. Did the Pi get plugged back in (foolishly)? Did the former employee get in trouble? Did locks get changed?
