how we found, analyzed (with the help of Reddit) and in the end caught the culprit of a malicious device in our network
HN Discussion: https://news.ycombinator.com/item?id=18919129
Posted by geek_at (karma: 379). Post stats: Points: 156 - Comments: 36 - 2019-01-16T08:20:40Z
Last week I got a message from a co-worker with an image attached.
Message from my co-worker
I asked him to unplug it, store it in a safe location, take photos of all parts and to make an image from the SD card (since I mostly work remote). I have worked on many Raspberry Pi projects and I felt confident I could find out what it does.
At this point nobody thought it was going to be malicious, more like one of our staffers was playing around with something.
There were 3 parts:
* A Raspberry Pi B, first generation
* a mysterious USB dongle
* a 16GB SD card (a fast one)
USB dongle and SD card
First thing to do: ask everybody who can access this network closet.
The number of people who can access this small cabinet is very limited. Only 4 people have a key for this room:
1. The manager
2. The groundskeeper
3. My co-worker
None of them knew anything about this, so I asked my IT colleagues and they were as baffled as I was. I had heard of people getting paid to put things like this in places they shouldn't, and for this reason I was very interested in finding out what it actually does.
What is that USB dongle though?
To help me solve this mystery I asked reddit, and sure enough they identified the dongle as a microprocessor almost as powerful as the Raspberry Pi itself: the nRF52832-MDK. A very powerful wifi, bluetooth and RFID reader.
The nRF52832-MDK usb dongle
This was, no doubt, there to give the old Raspberry Pi a wifi and bluetooth connection. Great, so now this thing has wifi too.
Time to dissect the SD card image
The SD card has a few partitions. Most are ext4 (Linux) and one is FAT16 (boot).
GParted view of the image
Great, time to mount it.
My Debian box told me the first big clue: it's a Resin installation.
Resin partitions on the SD Card
WTF is Resin?
Resin (now renamed to Balena) is a paid IoT web service where you can generate images for IoT devices, deploy those devices, and exchange updates and data between the devices and Resin.
Resin also installs a VPN on the device so the collected data is transferred securely. Obviously this device was meant to be picked up again, since it leaves a trail: the service is a paid one.
Closer look at the partitions
The first partition is called "resin-boot".
See something that catches your eye? We got a config.json. Quick jackpot?
config.json on the resin-boot partition
What we can extract from this file:
1. The application deployed to this Resin device is called "logger". Not a good sign.
2. We got a username. This seems to be the username for the Resin account associated with this device.
3. Confirmation that the device used a VPN via port 443.
4. A registration date. It was registered (or first deployed, or set up?) on May 13th 2018.
About that username...
When I googled the username found in the config.json file I found a person in the same town where this Pi was found. The company then checked their records for this person but found nothing.
Oddly enough, I found a website from 2001 where parents of "gifted children" write articles about them and, for some reason, sign those articles with their home address and phone numbers. So I have a name and the address of this whole family.
Not the actual site but a similar one
This could be a wrong lead, as usernames tend to be used by multiple people, but let's keep that name in mind.
The data directory didn't have any data stored (as in: collected data), but there was a nodejs app which was heavily obfuscated, and to this day I can't tell exactly what it was doing. It seems to talk via a serial connection to the dongle, but I can't extract what data is actually collected. I can only assume that it collected movement profiles of bluetooth and wifi devices in the area (around the manager's office) and maybe raw wifi packets.
But I found something much more interesting: a LICENSE.md file
Screenshot of the LICENSE.md file
Odd. Why would this nodejs app include a confidential piece of software? I googled the company from the copyright header and guess what?
The guy from the username I found in the config file is a part owner.
It is beyond me why a co-founder of a company would distribute these devices around town, but well...
Getting the attacker's home address
Another very interesting thing I found was a file on the third partition (resin-state) in the path /root-overlay/etc/NetworkManager/system-connections/. The file is called resin-wifi-01, and guess what it contains?
It contains the wifi credentials for the wifi that was used to set the device up (or to test it). Definitely not the wifi of the company. And what do we do when we want to find out a location associated with a wifi name? We go to wigle.net, enter the SSID (the wifi name) and it tells us where in the world it is found.
not the actual name and not the actual location
And guess what? The address we found of that gifted person's parents? That's exactly where our Pi was set up, according to Wigle.net.
I checked the DNS logs and found the exact date and time when the Pi was first seen in the network. I then checked the RADIUS logs to see which employee was on the premises at that time, and I saw multiple error messages that a deactivated account had tried to connect to the wifi.
That deactivated account belongs to an ex-employee who (for some reason) made a deal with management that he could keep a key for a few months until he had moved all his stuff out of the building (don't ask...).
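The log correlation just described, as an added example (not the author's tooling): it finds the first moment any client resolved the IoT platform's endpoints in a dnsmasq-style DNS log, then lists the accounts whose RADIUS logins failed in a window around that moment, so a disabled account failing right then stands out. Log formats, hostnames, addresses and account names are constructed placeholders.

```python
"""Correlate the first DNS activity of a suspect device with RADIUS login
failures around that time. Added example, not the author's tooling; the log
formats, hostnames, IPs and accounts below are constructed placeholders."""
import re
from datetime import datetime, timedelta

# Constructed dnsmasq-style query log: timestamp, record type, name, client.
DNS_LOG = """\
2018-05-14 09:58:01 query[A] www.example.org from 10.0.5.17
2018-05-14 10:02:13 query[A] vpn.resin.example from 10.0.5.42
2018-05-14 10:02:14 query[A] api.resin.example from 10.0.5.42
2018-05-14 10:30:55 query[A] www.example.org from 10.0.5.17
"""
# Constructed FreeRADIUS-style auth log: timestamp, result, reason, user.
RADIUS_LOG = """\
2018-05-14 09:40:12 Login OK: [alice] (from client wifi-ap-1)
2018-05-14 10:01:48 Login incorrect (Account disabled): [jdoe] (from client wifi-ap-1)
2018-05-14 10:01:59 Login incorrect (Account disabled): [jdoe] (from client wifi-ap-1)
2018-05-14 10:05:30 Login OK: [bob] (from client wifi-ap-2)
2018-05-14 15:12:03 Login incorrect (Account disabled): [jdoe] (from client wifi-ap-1)
"""
TS = "%Y-%m-%d %H:%M:%S"
DNS_RE = re.compile(r"^(\S+ \S+) query\[\w+\] (\S+) from (\S+)")
RAD_RE = re.compile(r"^(\S+ \S+) Login incorrect \(([^)]*)\): \[([^\]]+)\]")

def first_seen(dns_log, name_suffix):
    """Earliest (timestamp, client IP) that resolved a name ending in
    name_suffix, e.g. the IoT platform's VPN/API endpoints; None if absent."""
    hits = [(datetime.strptime(m.group(1), TS), m.group(3))
            for m in map(DNS_RE.match, dns_log.splitlines())
            if m and m.group(2).endswith(name_suffix)]
    return min(hits) if hits else None

def failed_logins_near(radius_log, when, window=timedelta(minutes=15)):
    """{user: [reason, count]} for failed logins within +/- window of `when`;
    a disabled account failing right then is the lead worth chasing."""
    found = {}
    for m in map(RAD_RE.match, radius_log.splitlines()):
        if m and abs(datetime.strptime(m.group(1), TS) - when) <= window:
            found.setdefault(m.group(3), [m.group(2), 0])[1] += 1
    return found

def correlate(dns_log, radius_log, name_suffix, window_minutes=15):
    """Return (first-seen ISO timestamp or None, failed logins around it)."""
    seen = first_seen(dns_log, name_suffix)
    if seen is None:
        return None, {}
    return seen[0].isoformat(), failed_logins_near(
        radius_log, seen[0], timedelta(minutes=window_minutes))
```

Calling `correlate(DNS_LOG, RADIUS_LOG, "resin.example")` on the sample data returns the first-seen time 2018-05-14T10:02:13 together with the two "Account disabled" failures for jdoe in the surrounding window.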
Legal has taken over; I did my part and the rest is above my pay grade.
For me it was a very interesting challenge, and I'd like to thank every person on reddit who helped me with one piece of the puzzle.
Source: blog.haschek.at