That's an amateur job. Resin explains it - you try to do some exfiltration via an external commercial service? Come on.
If the author had set up an encrypted partition where all the "real stuff" was found, and the key for such a partition was in-memory only, possibly along with one of the small RPi UPS/batteries to prevent minor electrical hiccups from making the whole operation fail.... it would have been almost impossible to get back at the author.
Also, using a nice "black box" that looked like a sort of electronic device, instead of some randomly put together rpi+pieces, would have made the device mostly invisible.
Or even better: find an old ethernet switch, gut it (but keep the connectors) and put a Raspberry Pi inside. You will need to solder 6 wires for ethernet and power, but the pins are fairly large so this should be easy.
Even if discovered, most people would not bother taking it apart --- they'll just assume it is broken and throw it away.
This is exactly what I was thinking. Even the network admin would probably be like, "well, I don't think so but I'd better not mess with it, just in case it's how the CEO is getting internet". Unless of course they engineered the network originally.
I have a 4 outlet "surge protection" power board with a Pi Zero W, and USB power supply, and 4 240V mains relays and drivers all neatly tucked/hidden inside... I use it as Wi-Fi controllable power points, not for pen testing, but at this stage that's just a software update...
Check out the image in the article.
They attached keyloggers and sent the strokes to the box, saving them and once a week dumping them to a car in the parking lot.
The original article is great, but the guy was really not putting any effort into it.
A high voltage warning sticker is likely to gather a lot of attention, especially inside a network closet.
There are many rules related to where high voltage stuff should be, how it should be installed and who can access it. And unless you do it by the rules (unlikely), it will get caught up during a safety inspection.
Encryption was the first thing I expected when he showed the partition table; so much for the "gifted child" :-)
But even if you don't care, at least DON'T SIGN UP WITH YOUR REAL NAME to that service. What the freaking heck? I really hope they get what they deserve.
I hadn't realised that the wifi->address mapping was so publicly available. That means a list of wifi addresses that you've connected your phone to is also a location history. :(
Which is why Android restricts getting the current wifi SSID (WifiManager.getConnectionInfo()) or the nearby wifi SSIDs (WifiManager.getScanResults()) to apps with the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permissions. If an application doesn't have permission to know your location, it's also not allowed to know your wifi network's name.
Does it mean you need to turn on location services as well, or just grant the permission? Noticed recently that WifiAnalyzer on fdroid needed location permissions (and explained why) but I never turn location on so just downgraded to 1.9.3.
I guess it's a good time to point out XPrivacyLua[0], a privacy/permissions manager which should be the default in Android imo (without having to root/install Xposed etc). But for the power users out there, it's worth it.
IP addresses tend to have a relatively long lived association with a subscriber, often weeks. So an app which communicates out the wifi names naturally reveals the IP address (unless there is carrier NAT, i.e. on mobile, in Russia). So with a database of such information, the IP also reveals probable wifi names and hence location.
What's even more fun is that your phone is also broadcasting those SSIDs to the world as you walk down the street, if you have wifi enabled, and likely also your unique MAC address.
So anyone in wireless range of you can 1) track you and recognize you again, and 2) possibly figure out where you work and live (although of course they may see your friends' wifi networks too and not be able to tell which is your network.)
Only if those SSIDs were configured as a "hidden SSID" (WifiConfiguration.hiddenSSID). AFAIK, that will only happen when you type the SSID manually, instead of selecting it from the list of scan results. And using a "hidden SSID" is a bad idea in the first place (https://superuser.com/questions/43836/automatically-connecti...).
That is entirely not true, both iOS and Android send out requests for known APs when not connected to Wi-Fi. iOS does it VERY often in fact (depending on your list of known APs, could be upwards of 50x/min while device is in use). If you have a wifi chipset you can put in monitor mode, it’s easy to see how noisy mobile devices are.
Don’t know about the bug you linked (will read up on it later), but I can easily provide radio captures to prove that most Android devices do what I described, with no “hidden” networks ever in use.
There are retail analytics startups who literally use this exact type of data to allow brick and mortar stores to gain insights into their passive customer behavior. Source: I used to work for one of them and designed and built a bunch of the hardware / software stack.
Looks like more recent phones are better about this, but there are still a lot of older phones out there! And there are still leakages that allow tracking.
Note that with "real computers", just keeping the software up to date is enough to get you the latest in MAC randomization and whatnot; with phones, you may or may not be able to upgrade your software. -.-
Set a wifi chip in monitor mode, fire up wireshark, then see for yourself. Rather easy to do and once you do, you’ll learn to keep wifi off when you aren’t intentionally wanting it.
The now kind of forgotten Google row where it was discovered they were scanning all wifi networks while mapping speaks volumes to this. If you have a map that details signal strengths you can infer someone's location pretty accurately (not GPS accurate, but within the ballpark) even if they have location services off, just by logging and plotting them against your wifi coverage map.
The thing that people were upset about was that Google Street View cars didn't only scan the public SSIDs, but also recorded all (open) network traffic.
Oh yes, I remember, and they still use the data they collected. I lived in Vienna for 30 years and just recently moved to the countryside.
There are no wifi hotspots around me, so when I set up my old wifi (same SSID as before and same hardware (BSSID)) and checked my phone on Google Maps, it was saying that I was still at the old place because it had no GPS at the moment, and then Google Maps checked the SSIDs around me and looked up where those are located.
Knowing this from an Opsec perspective, it would also be better to use generic SSIDs for any wifi networks you're setting up. Something with a name like 'internet' or 'wifi' would be so generic that it would be impossible to pin down.
I tried to check numbers on WiGLE but it's being painfully slow for me.
You are right, you should definitely not feel safe when using a generic network name. In the file that OP posted, the MAC address was missing though. Doesn't mean that it wasn't present on the device. Android used to write the MAC address to logcat, nowadays it's off by default. Sometimes the MAC address of a network gets stored to wpa_supplicant.conf. I'm sure that NetworkManager reports the mac address in journald as well.
You would want to look at a database of the most common MAC addresses and SSIDs (maybe even pairs of them) and spoof your MAC address and SSID to match one of the most common pairs.
But it won't help much if there are any other wifi networks or devices around.
"McDonalds Free Wifi" and a MAC address swiped from a nearby (but not so close your Wi-Fi signals will intersect) McDonald's...
For enhanced sneakiness, deploy three or more Wi-Fi base stations at the same location with the radios' TX power turned right down and directional antennas - and try to make the geometry look like it's just a lucky long-range shot to a real public/free wifi behind the antennas...
Yeah it's returning 502 Bad Gateway errors (AFAIK that's what a CDN would return if it can't reach the actual host), probably a HN/reddit hug of death?
I just realized people can track my relocation across cities and countries if they can see "Ah this SSID was there last month, and here this month!".
My parents moved countries, bringing their WiFi router, and for months afterwards their iPhones would locate them back in the old country... Apple's database was quite slow to pick up the new location.
That's a bit of simplistic programming; the phones should've seen other SSIDs around them and figured out they're not in Kansas any more. Except if your parents' WiFi network is the only one around the area.
SSID unique data is hashed into the password. If you use a very common name there will be a precomputed rainbow table that will make cracking much faster.
Also I should have pointed out that GPUs crunch WPA2 pretty quick these days too, it is best to use a really long passphrase. There are too many ISP supplied systems with a default password like "9K141U".
It definitely seems like a good idea to put IOT things on a different subnet. I've not met a home router yet that allows me to put proper filters on devices. DD-WRT I guess. But there are so many patches which should be applied, I'm sceptical of old firmware for routers.
At the moment I have an embedded linux device with a wifi dongle and giant antennas. The modem box can probably still be hacked remotely (from the ISP), but at least I'm able to prevent any device on the network from talking to it and using some simple rebinding or XSS attack. (E.g.: https://www.gironsec.com/blog/2015/01/owning_modems_and_rout...http://www.routerpwn.com/ )
> Also I should have pointed out that GPUs crunch WPA2 pretty quick these days too
How quickly, really? I remember a while ago I had a discussion on here where someone told me a hash method was insecure, as you could crack it with a GPU. I downloaded hashcat, put in the hash of a 6 character string, and left it running overnight on a GTX1070 and it was still going.
The hash method (SHA1 iterated 4096 times) is quite secure for this purpose. Even md4 would be fine. Of course, lots of Bitcoin ASICs are designed to compute SHA256 fast, but they are very fixed function and lacking the bandwidth to a CPU to stream in passwords. Also, they are just a constant factor better than what a GPU can do. I'm sure the NSA and other peers have rooms full of ASICs devoted to WPA2 though.
A good GPU cracker rig will get 500k hashes/second per GPU. That is still very slow compared to the search space of a 12 character [a-z][A-Z][0-9][@#$_&-+*"':;!?~|{}%] password.
For a 6 character string, it still depends on what mask you are providing, or what the search space is, i.e. are there requirements like one or more upper, one or more digits, or is it purely random from an RNG?
Still, if it isn't breaking it within a day I'd say you are in CPU mode, where a multicore box is still only 5k hashes/second.
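The two threads above (the SSID being "hashed into the password", and the 500k-hashes/second GPU figure against the 12-character charset) can be checked with a few lines of standard-library Python. This is an added example, not code from the thread or the article: it derives the WPA2-Personal PSK exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 32-byte output), shows that the same passphrase produces a different PSK on a different SSID (which is why a precomputed table only pays off against common SSIDs), and estimates how long exhausting a search space would take at the rates quoted. The crack rates and the 81-character alphabet come from the thread; the "9K141U" default-style password is the one quoted in the thread, treated here as a 6-character upper-case-plus-digit string.

```python
import hashlib

# WPA/WPA2-Personal PSK derivation as specified in IEEE 802.11i:
#   PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32)
WPA_ITERATIONS = 4096
PSK_BYTES = 32

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures quoted in the thread (assumed here, not measured).
GPU_RATE = 500_000   # PBKDF2 guesses/second per GPU
CPU_RATE = 5_000     # guesses/second on a multicore CPU box

# Thread's 12-character charset: 26 lower + 26 upper + 10 digits + 19 symbols.
SYMBOLS = '@#$_&-+*"\':;!?~|{}%'
FULL_ALPHABET = 26 + 26 + 10 + len(SYMBOLS)
UPPER_DIGIT_ALPHABET = 26 + 10   # shape of an ISP default like "9K141U"


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Hex PSK (a.k.a. PMK) for a passphrase on a given SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        WPA_ITERATIONS,
        PSK_BYTES,
    ).hex()


def ssid_salts_psk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PSKs on two SSIDs.

    A rainbow table is computed per SSID, so an unusual SSID forces the
    attacker back to 4096 PBKDF2 rounds per guess."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidate strings of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(space: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / rate_per_second / SECONDS_PER_YEAR


def report() -> dict:
    """Summarise the thread's scenarios; values are returned, not printed."""
    return {
        # 6 random characters from the full alphabet on one GPU.
        "6_full_gpu_years": years_to_exhaust(search_space(6, FULL_ALPHABET), GPU_RATE),
        # The same 6 characters on a CPU-only box.
        "6_full_cpu_years": years_to_exhaust(search_space(6, FULL_ALPHABET), CPU_RATE),
        # ISP-default shape: 6 characters of upper-case + digits.
        "6_upper_digit_gpu_years": years_to_exhaust(search_space(6, UPPER_DIGIT_ALPHABET), GPU_RATE),
        # The 12-character password from the thread.
        "12_full_gpu_years": years_to_exhaust(search_space(12, FULL_ALPHABET), GPU_RATE),
    }


if __name__ == "__main__":
    for key, years in report().items():
        print(f"{key}: {years:.3g} years")
    print("ssid changes psk:", ssid_salts_psk("correct horse battery", "HomeWiFi", "internet"))
```

The takeaway matches the thread: at 500k guesses/second a 6-character password drawn even from the full 81-character set falls in days, a 6-character upper-case-plus-digit default in about an hour, while 12 characters from the same set is billions of years. Length, not cleverness of the SSID, is what buys the margin.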
I know a few people who think they're being clever by doing things like this (playing with their (E)SSID). I'm still patiently waiting for one of them to learn what a BSSID is.
Too bad wifi location services use MAC addresses (BSSID) instead of ESSID. If anything, it's probably worse because you're revealing your real MAC address every time it tries to connect to those APs. Normally most phones scan with randomized MAC addresses, but the randomization turns off when it tries to connect.
By appending '_nomap' to the end of your Wi-Fi hotspot's name you can opt out of Wi-Fi network tracking, which means your hotspot will not be used for improving location fixes on mobile devices.
(only honored by google, other OSs need different approaches)
This is a terrible standard, unfortunately. This makes branded or "clever" SSIDs difficult and awkward. (And Microsoft has a different standard too ...)
No, I'm from Austria and it works here too. But it doesn't magically get all SSIDs from the planet; someone in your area must have the WiGLE app that records that info.
It's crowd sourced
I hadn't either. Also what is the deal of random people contributing to the database at https://wigle.net/, why don't you mind your own business? There is a big difference between broadcasting the SSID in a 20-50m radius and effectively broadcasting it world-wide.
Google and other entities already have that data. Building open databases like wigle.net or https://location.services.mozilla.com/ seems good to me because:
1) It allows building alternative location providers that make it possible to have an Android device that doesn't rely on Google maps.
2) Publicizing the existences of these databases might make the general public more conscious of privacy and data protection issues involved.
1) I don't find such location-providers a good addition to society.
2) That is like saying you go around kicking people in the crotch to make them more conscious about the benefits of learning self-defence.
Update:
> Google and other entities already have that data.
How is this an argument FOR gathering sensitive information about the people around you? Should you also look through their trash, digitise any documents they throw away and make a website that allows you to search through these documents? You could argue that Google or some other entity already has that information anyway.
You could also argue that this would increase consciousness with regards to the privacy concerns of your trash.
Re #2 maybe if a few people got kicked in the crotch, there would be a groundswell of support to pass laws restricting who can kick you in the crotch and under what circumstances.
Of course, the likely outcome is that only big multinational corporations with a legal team are allowed to kick you in the crotch.
Re: #1 I think they are a good addition to society because otherwise every device has to rely on satellite positioning, which is slower, generally less accurate, and prone to failure indoors or around tall buildings.
The practice is questionable at best, but it's a good reminder that everything sent over radio waves can be picked up by others even if they were not the intended recipients, no matter whether you want them to or not.
It's pretty much like leaving the front door unlocked -- it would be unethical to use it to go inside and steal your stuff but we still need to lock the door if we want to reduce the chance of someone stealing your stuff.
Tips for avoiding this:
- Change SSID at least once per year.
- If your router supports multiple SSIDs, turn the current one off and use the next one in the settings instead -- it will usually result in the MAC address being changed as well.
- Do the above whenever you move the router from one location to another.
I am aware that they must find it fun, but I am challenging the ethics of this 'fun'. I think this information should not exist anywhere and even if it did, it shouldn't be made public.
Geocaching and trying to gather as much privacy sensitive information about the people around you are two different things. With geocaching there aren't any parties involved that are unaware of the activity who are still negatively impacted by it.
Edit: This got downvoted. Don't know why anyone asking an honest question should be marked down. Am I not allowed to ask technical questions in the comments section?
Every time a device joins the corp. network, it gets an IP Address (DHCP) and a network name (DNS) from our servers.
RADIUS is the authentication method for wifi. In larger offices you don't just share the same password for all users, but rather set up a RADIUS server that manages individual accounts. So every employee has their own username and password for wifi. Also called WPA2 Enterprise
DNS logs -- logs of name lookups to the internal DNS server, which will include source IP of the DNS lookup (note: UDP, can be spoofed). Look up source IP in DHCP lease table to find hostname and mac address of device on wifi that is assigned that source IP.
RADIUS logs -- RADIUS = AAA server (authorization, authentication, accounting). Basically, a server that answers the question "given these credentials, what resources can this user access?" All new connections to the network will show up in RADIUS logs. As a user, when you have your "own" wifi username and password (e.g. on an access point configured to use WPA Enterprise), usually what happens is the access point asks an external RADIUS server to authenticate the credentials, and then the DHCP server asks the RADIUS server to authorize the user for an IP address assignment.
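The investigation path described in the two comments above (DNS query log gives a source IP; the DHCP lease table turns that IP into a MAC and hostname; RADIUS accounting turns the MAC into the user who authenticated) is mechanical enough to script. This is an added example, not code from the thread or the article. The three log samples are constructed for the example in the shape of a BIND-style query log, an ISC dhcpd leases file and a FreeRADIUS accounting detail file; every IP, MAC, hostname, username and domain in them is made up. The `b8:27:eb` prefix is the Raspberry Pi Foundation's OUI. The caveat from the DNS comment (UDP source can be spoofed) is handled by flagging, rather than guessing about, any source IP with no matching lease.

```python
import re
from typing import Dict, List, Optional, Tuple

# --- Constructed sample logs (not real data) -------------------------------
DNS_LOG = """\
12-Jan-2019 09:14:02.117 client 10.20.30.41#51234: query: api.cloud-service.test IN A
12-Jan-2019 09:14:07.002 client 10.20.30.57#40211: query: intranet.corp.test IN A
12-Jan-2019 09:14:09.450 client 10.20.30.99#33001: query: api.cloud-service.test IN A
"""

DHCP_LEASES = """\
lease 10.20.30.41 {
  starts 6 2019/01/12 08:59:10;
  ends 6 2019/01/12 20:59:10;
  hardware ethernet b8:27:eb:12:34:56;
  client-hostname "raspberrypi";
}
lease 10.20.30.57 {
  starts 6 2019/01/12 08:30:00;
  ends 6 2019/01/12 20:30:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-laptop";
}
"""

RADIUS_DETAIL = """\
Sat Jan 12 08:59:05 2019
\tUser-Name = "jdoe"
\tCalling-Station-Id = "B8-27-EB-12-34-56"
\tFramed-IP-Address = "10.20.30.41"
\tAcct-Status-Type = Start

Sat Jan 12 08:29:55 2019
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tFramed-IP-Address = "10.20.30.57"
\tAcct-Status-Type = Start
"""

DNS_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")
LEASE_RE = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.S)
ATTR_RE = re.compile(r'(\S+) = "?([^"\n]*)"?')


def norm_mac(mac: str) -> str:
    """RADIUS writes B8-27-EB-..., dhcpd writes b8:27:eb:...; unify them."""
    return mac.lower().replace("-", ":")


def parse_dns(text: str) -> List[Tuple[str, str]]:
    """(source_ip, queried_name) for every query line."""
    out = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m:
            out.append((m["ip"], m["name"]))
    return out


def parse_leases(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """ip -> {mac, hostname} from a dhcpd.leases-style file."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", m["body"])
        host = re.search(r'client-hostname "([^"]*)";', m["body"])
        leases[m["ip"]] = {
            "mac": norm_mac(mac.group(1)) if mac else None,
            "hostname": host.group(1) if host else None,
        }
    return leases


def parse_radius(text: str) -> Dict[str, str]:
    """mac -> User-Name for each accounting Start record."""
    users = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(ATTR_RE.findall(record))
        if attrs.get("Acct-Status-Type") == "Start" and "Calling-Station-Id" in attrs:
            users[norm_mac(attrs["Calling-Station-Id"])] = attrs.get("User-Name")
    return users


def attribute_lookups(query_name: str, dns_log: str = DNS_LOG,
                      leases_text: str = DHCP_LEASES,
                      radius_text: str = RADIUS_DETAIL) -> List[dict]:
    """Chain DNS source IP -> DHCP lease -> RADIUS user for one queried name."""
    leases = parse_leases(leases_text)
    users = parse_radius(radius_text)
    results = []
    for ip, name in parse_dns(dns_log):
        if name != query_name:
            continue
        lease = leases.get(ip)
        if lease is None:
            # DNS is UDP: a source with no lease may be a static host, a stale
            # log, or a spoofed address. Record the gap instead of guessing.
            results.append({"ip": ip, "mac": None, "hostname": None, "user": None,
                            "note": "no DHCP lease; possible spoof or static address"})
            continue
        results.append({"ip": ip, "mac": lease["mac"], "hostname": lease["hostname"],
                        "user": users.get(lease["mac"]), "note": ""})
    return results


if __name__ == "__main__":
    for row in attribute_lookups("api.cloud-service.test"):
        print(row)
```

The join key between DHCP and RADIUS is the client MAC, not the IP: Framed-IP-Address in an accounting record is only present when the NAS reports it, whereas Calling-Station-Id is almost always there. Timestamps are deliberately not compared in this example; in a real run you would also check that the DNS query falls inside the lease's `starts`/`ends` window, since an IP is reissued to other clients over time.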
I didn't downvote you. Perhaps the downvoters did that because they felt your post was not interesting enough. Read the guidelines (link at the bottom of the start page), especially:
> On-Topic: Anything that good hackers would find interesting.
Something which is common hacker's knowledge and easily googleable is probably boring.
The attacker's setup is really, really bad. But it's very interesting to see a drop device being used in the wild. I assume that if amateur solo actors are doing this, then organized crime rings are for sure.
It is possible that there is a second device that does a sniffing part. This device may be a relay for the second device. They could be connected via Bluetooth, hence the Bluetooth dongle.
However, I don't mind being able to get LAN internet at a hotel that wants me to pay $24 per day for wifi when they have VoIP phones that have internet access...
I often bring a small wifi router with me, hook it up to Ethernet (often taking the TV or phone ethernet connection), then set up a local wifi that I can connect a Chromecast to. That in turn sits in the tv, of course.
That gives me internet and streamability/casting to the tv :)
Every single hotel I’ve been to in the last year or so has pitiful bandwidth, which is completely saturated after dark once everyone fires up Netflix and lets it run all night long.
Or, even better, your services need authentication and authorization even on internal network, with some sort of SSO and/or federated authentication, so it actually doesn't matter where you are. Google's own BeyondCorp initiative works kind of this way.
Getting a route to the outside internet is not such a big deal; access to internal data is.
By the way: it's "amateur hour" if, as you say, that happens for a switch in a public/semipublic area in an office structure. On the contrary, I've seen a lot of "all-enabled" switches if those were accessible just from INSIDE the datacenter, where few people had access. It's not a really reasonable scenario.
As the article concludes with "Legal has taken over, I did my part and the rest is over my pay grade.", I think the author is not allowed to disclose this publicly.
I think the author just doesn't know what it does. From his Reddit post [1]:
>Still no idea what it actually does except for the program being called "logger", the bluetooth dongle and it being only feet away from secretary / ceo office
One can speculate something along, "the neighbor kid, ABC, is pretty smart, perhaps he can help me set up some way to know if someone is around at work?".
The article makes the massive assumption that the 'gifted person' whose name and home address were exposed is also the person who wanted it in the closet.
Either that person has phenomenally bad tradecraft, or they are actually innocent.
There are so many plausible ways in which the 'gifted person' is not in on the plot; for example, they may have sold the pi to the disgruntled employee before the employee was disgruntled, or with no idea of the use that the disgruntled employee would put it to.
Have to kind of hope that's how it all ends up.
When I was young I often set up computers and stuff for others. These days I try and get sloppy shoulders when people ask me for tech support, and if there were a young gifted whizkid nearby I'd be sending a lot of innocent business their way....
I didn't see that assumption anywhere in the article. He just followed the leads, collected the evidence and connected the dots. The device was set up in the gifted kid's home, and used a webservice paid for by the gifted kid's company. The device clearly comes from the gifted kid. Was he also the one who wanted the device in the closet? That's the one thing we don't know. That, and the relationship between the gifted kid and the ex-employee.
Further legal investigation will no doubt follow. Maybe gifted kid is involved in something illegal, maybe not. Hopefully we'll hear more about this in the future.
Yeah the link title here on HN is "How I got the home address of the person that put a RasPi in our network closet"
Which is interesting, because I double-checked and the article is actually more circumspect: "The curious case of the Raspberry Pi in the network closet
how we found, analyzed (with the help of Reddit) and in the end caught the culprit of a malicious device in our network"
They find the home address and name of the person who prepared the pi (although we don't know it was the person who installed the 'logger', whatever that is etc). And they have identified the disgruntled employee who seems to have installed it. Two separate things.
Good point. The original HN title did indeed imply the "gifted person" was the one who put it there. I notice the title has now been changed to the article title.
The author explicitly refrains from jumping to conclusions until acquiring more conclusive proof by matching the username from the config file to the license file, and correlating that to the SSID location.
> This could be a wrong lead as usernames tend to be used by multiple people but let's just keep that name in mind.
I'm shocked they used a commercial service to store their entire codebase. That could be easily subpoenaed, and if it's a paid plan they will be dead in the water.
What would that involve? I'm guessing making a bootable SD card that dumps memory, unplugging and quickly replugging the power cable, and then booting that card? Or do you need something more specialized?
I don't think that you can, manually, swap SD cards (on a running system! That alone would trigger all sorts of quirks, unless you're running off initramfs, tmpfs or an external storage device.) and toggle power so quickly that the RPi reboots but doesn't erase RAM. I mean, you might get very lucky, but the boot process is heavily stacked against you - the bootloader on your SD card gets executed fairly late in the boot sequence: https://raspberrypi.stackexchange.com/questions/10442/what-i...
I mean, you could swap the cards live, but I'd be worried about the electrical end, not the debounced and processed signals coming from the OS - although if I were writing a malicious package, device tree changes would also trigger all sorts of alarms. (Had a bad contact on an SD card once - the effect of disconnect-reconnect on the running OS was...spectacular, but in a bad way. In the better case, it fluctuated the board voltage enough to reboot.)
On the Reddit post this originated from [0], it says that the motivation from the ex-employee was "help us identifying wifi problems and tracking users in the area around the Managers office". Makes me wonder if it was malicious or just stupidity.
I love this article, and I want to promote our work in this thread :)
We build some little Nordic nRF52-based widgets for makers with a lot of documentation; you can find more on the wiki here[1][2]. And we are trying to use MESH network technology to protect our IoT data; here are some tutorials for BLE MESH[3] and OpenThread MESH[4].
BTW, if you are interested in FIDO U2F security keys, please check here[5], an open source FIDO U2F implementation on the nRF52 SoC.
This is a textbook case of why amateur sleuthing is a bad idea. We're not all Tsutomu Shimomura.
If there is a criminal (or civil) case, there has been no chain of custody. If you find something like this, don't even touch it, get someone qualified.
Secondly, it seems highly likely the person who created the image is not the person who emplaced it. The use of a VPN is hardly an indicator of evil intent. At least the author did not put any names in their publication.
Yeah, but it was the setup that included all that information about him. That's why I said "F". An OPSEC fail. For the ex-employee, it was failure in judgment. And also OPSEC failure, for not checking the device for compromising information.
> Legal has taken over, I did my part and the rest is over my pay grade.
Wow, I never wanted to work in a company where I had to say this. Really, if the pay grade decides which human you are, I'd better get no money but be able to do whatever I want, like go to that person, ring their doorbell and ask them about their plans.
That term generally means "it's not my decision to make," it does not necessarily have to do with how much anyone gets paid. In this context he's saying that he did his part, discovering the device, and from that point forward the decision to pursue legal action (or something else) is not his to make.
So you want to personally go to the door of a person who already committed a serious crime? A crime against your workplace even, not against your person. That is a highly questionable action, to say the least.
There really is a point where it's better to let legal take over if you're not a legal expert yourself. I assume the police are going to have a chat with the ex-employee and the gifted kid.
Yepper! Chain of Custody MUST be recorded and preserved. Document Document DOCUMENT! EVERYTHING. From the moment it was found to who/where it went next, to every step you took with it.
This guy clearly was following that and did his due diligence, with step 1 being: make a backup of the device. Then you have a record of everything as near the time of discovery as possible, so if your investigation hoses everything up, you can restore and start over.
The author is also correct in that once he's done his investigation, he passes it all on to the next level to do their job. So in his case, he's done. There is NOTHING else he should be doing. If he does it really could hose up any/all legal action.
Kinda like getting to court in a sexual assault case and finding out the arresting officer forgot to read the guy his Miranda rights.... You can have 100% proof this is the guilty party, but he goes free because someone in the chain of custody hosed up their part.
So: an amateurish hacking job.