Curious Case of a Malicious Raspberry Pi Device Discovery
Author: Christian Haschek
Date: January 17, 2019
This is the story of how we found, investigated (with help from the Reddit community), and ultimately discovered who connected a malicious device to our network.
How It All Started
Last week, I received a message and a photo from my colleague.
Figure 1: Message asking to check where an unknown Raspberry Pi device was connected
Since I mostly work remotely, I asked my colleague to disconnect the device, store it in a safe place, and take photos of all the components and an image of the SD card. I have extensive experience with various Raspberry Pi projects, so I was confident I could figure out what was going on.
At that point, no one suspected the device was being used for malicious purposes. Everyone thought it was just an experiment by an employee.
Device Components
The device consisted of three parts:
- First-generation Raspberry Pi Model B
- A mysterious USB stick
- 16GB high-speed SD card
Figure 2: USB stick and SD card
The first thing to do was to ask who had access to this network node. It turned out that only four people had the key to this small cabinet:
- The manager
- The security guard
- My colleague
- Myself
None of us knew anything about the device. The IT department was just as puzzled as I was. I’d heard stories of people being paid to connect unauthorized devices like this, so I was especially curious to get to the bottom of it.
Identifying the USB Stick
I turned to Reddit for help, and the stick was identified as a microprocessor, almost as powerful as a Raspberry Pi: the nRF52832-MDK. It’s a very powerful reader with Wi-Fi, Bluetooth, and RFID support.
Figure 3: USB stick (nRF52832-MDK model)
Clearly, this USB stick was meant to give the old Raspberry Pi Wi-Fi and Bluetooth capabilities.
Investigating the SD Card Image
The SD card had several partitions, most with the ext4 (Linux) file system, and one boot partition with fat16.
Figure 4: Partition structure of the image
After mounting the image on my Debian-based system, I got my first important clue: the SD card image was created and installed using Resin.
Figure 5: SD card partitions created in Resin
What is Resin?
Resin (now renamed Balena) is a paid web service for creating images for IoT devices, configuring them, receiving updates, and exchanging data with Resin. It also sets up a VPN on the device for secure data transfer. Clearly, the creator planned to retrieve the device, as it stored traces in the form of an account for connecting to the paid service.
Detailed Partition Analysis
The first partition is called “resin-boot.”
Figure 6: Contents of the resin-boot partition
Right away, I noticed the config.json file. Could this be a quick jackpot?
Figure 7: Contents of config.json in the resin-boot partition
From this file, we learned:
- The device runs an app called “logger”—not a good sign.
- The username, likely the Resin account linked to this device.
- The device uses a VPN on port 443.
- Registration date: May 13, 2018.
Searching by Username
When I Googled the username from config.json, I found a person in the same city where the device was discovered. The company checked their records but found nothing on this person.
Strangely, I also found a website from 2001 where parents of “gifted children” wrote articles about themselves and, for some reason, included their home address and phone number. Now I had the name and address of the whole family.
Figure 8: Similar website to the one I found
Of course, I could have been following a false lead, since similar usernames can be used by different people. For now, I just noted the name.
The resin-data Partition
The data directory didn’t contain anything interesting (like collected information). I only found a heavily obfuscated Node.js app, and I couldn’t determine its purpose at this time.
It seemed to interact with the USB stick via serial connection, but I couldn’t figure out what data was being collected. My best guess is that it was gathering movement profiles for Bluetooth and Wi-Fi devices nearby, and possibly raw Wi-Fi packets.
But I found something much more interesting: a LICENSE.md file.
Figure 9: Contents of LICENSE.md
Strange… Why would this app contain such confidential information? I Googled the company listed in the copyright section, and guess what? The person using the username from the config file is a co-owner of that company.
I still don’t know why a company co-owner would distribute such devices in the city.
Finding the Attacker’s Home Address
In the third partition (resin-state), I found another interesting file in /root-overlay/etc/NetworkManager/system-connections/ called resin-wifi-01. And what do you think was in it?
Figure 10: Contents of resin-wifi-01
This file contained credentials for a Wi-Fi network used to set up (or test) the device. But this Wi-Fi didn’t belong to the company. So, how do you find a location by network name? Go to wigle.net, enter the SSID (network name), and find the spot on the map.
Figure 11: Name and address turned out to be outdated
Do you think the address matched the “gifted children” parents’ address? The wigle.net service showed the address where the suspicious device was found.
Epilogue
I checked the DNS server logs and found the exact date the device first appeared on the network. I checked the RADIUS server logs to see which employees were present at the time, but only found lots of error messages about attempts to connect via Wi-Fi using a deactivated account.
The deactivated account belonged to a former employee who, for some reason, had arranged with management to keep the key to the room for a while until he moved all his things out of the building (don’t ask why).
What Now?
Now, the lawyers are handling the case. I’ve done my part, and the rest is beyond my expertise.
This was a very interesting case, and I’d like to thank everyone who participated in the Reddit discussion and helped me solve this mystery.