Via Christian Haschek’s blog we have a case of where finding an unknown Raspberry Pi with a strange dongle on it in a business’ network closet could be a concern:
Last week I got a message from a co-worker with an image attached.
I asked him to unplug it, store it in a safe location, take photos of all parts and to make an image from the SD card (since I mostly work remote). I have worked on many Raspberry Pi projects and I felt confident I could find out what it does.
At this point nobody thought it was going to be malicious, more like one of our staffers was playing around with something.
The parts found included A Raspberry Pi b first generation, a mysterious USB dongle. and a 16GB sd card.
The first thing one asks is: who has access to this network closet?
Next: What IS that USB dongle?
The investigators take the USB card and do some interesting forensics. Little bits of information from various files coupled with Google information pointed to the culprit.
I checked the DNS logs and found the exact date and time when the Pi was first seen in the network. I checked the RADIUS logs to see which employee was at the premises at that time and I saw multiple error messages that a deactivated account tried to connect to wifi.
That deactivated account belongs to an ex employee who (for some reason) made a deal with management that he could still have a key for a few months until he moved all his stuff out of the building (don’t ask..).
What now
Legal has taken over, I did my part and the rest is over my pay grade.
For me it was a very interesting challenge and I’d like to thank every person on reddit who helped me with one piece of the puzzle.
No comments:
Post a Comment