Finding a mysterious circuit board plugged into a network that you are tasked with managing is always going to be a disconcerting moment for any sysadmin.
Now imagine the device isn’t just connected to the network but plugged directly into a LAN switch located inside a cabinet in a supposedly secure, locked room.
Who put the device there? What was the equipment doing before it was found?
The primary evidence was the device itself, an original Raspberry Pi Model B revision 1 from 2011 – a bit of a collector’s item these days.
Plugged into one of the Pi’s USB ports was a dongle enabling Wi-Fi and Bluetooth, the former connecting to an unknown SSID.
This dongle, it later transpired, was an nRF52832 system-on-a-chip development board of the sort that might be popular in environments for tinkering with (a clue here) the Internet of Things (IoT).
The boot image on the Pi’s SD card turned out to be balena.io, an IoT development platform, loading virtualised Docker containers which were being updated every 10 hours.
Important detail – the communication from the device back to whomever it was communicating with happened, suspiciously, across a VPN.
Unidentified Network Object
The setup looked like an unauthorised and rather irresponsible experiment in IoT, but the possibility of something rogue couldn’t be ruled out.
Reddit being Reddit, there was no shortage of theories:
- Perhaps it was a spot of pen-testing by a red team.
- Or a sophisticated attempt to gain backdoor access to Bluetooth or Wi-Fi traffic.
- Or perhaps the test was to see whether admins noticed it sitting in plain sight in the first place.
- Did the organisation whose network it was connected to do anything that might interest hackers?
We’re in the educational field so I don’t think it’s what’s IN our network but rather the network itself. Maybe to obfuscate some traffic the attacker creates.
Other commenters fretted that perhaps the sysadmin should call the police and pass the problem to someone on a higher pay grade.
It’s easy to understand why finding a Raspberry Pi connected to your network cabinet could be unsettling, but wouldn’t a professional criminal have taken more care to disguise it?
Eventually, geek_at was able to shed some light on matters:
At the moment it looks like a former employee (who still has a key because of some deal with management) put it there. I found his username trying to log in to Wi-Fi (blocked because user disabled) at 10pm just a few minutes before our DNS server first saw the device. Still no idea what it actually does except for the program being called ‘logger’, the Bluetooth dongle and it being only feet away from secretary/CEO office.
Several snatches of learning here, starting with the obvious one that asking Reddit for an opinion could leave you with plenty of helpful insight but perhaps more than you expected, or indeed wanted.
The other is the power wielded by insiders, even ones who have left an organisation.
Just because they’re gone doesn’t mean they’ve left, especially if someone has unwisely given them a key to the network room.