A Raspberry Pi in the Closet?

Alasdair Allan
3 min readJan 17, 2019

At the tail end of last year there was the now somewhat notorious case of the malicious board that turned out to be a cross between a multi-level marking scam, and hardware malware. But it isn’t alone. There seems to be a minor outbreak of curious things being found in places where they shouldn’t be, connected to networks that they shouldn’t be connected to in the first place.

Around the same time, but far less publicised, there was the case of the rogue Raspberry Pi in the network closet, and yesterday we finally got some closure of “The Curious Case of the Raspberry Pi in the Network Closet.”

The rogue Raspberry Pi found in the network closet. (📷: Christian Haschek)

Discovered in the middle of November in a network cabinet, this first generation Raspberry Pi came as more than a bit of a surprise to Christian Haschek, the system admin in charge. Attached to the network via an Ethernet cable, the board was just sitting there, lurking without a clear purpose.

The mysterious USB ‘dongle’ attached to the Raspberry Pi is far newer, and just as powerful, as the Pi itself. It’s a nRF52832-MDK board built around the Nordic Semiconductor nRF52832 system-on-chip. It provides 2.4GHz support, including Bluetooth LE and ANT, and can be programmed from a variety of environments ranging from Arm’s mBed, through to Espruino and MicroPython.

The nRF52832-MDK found attached to the Raspberry Pi. (📷 Christian Haschek)

The nRF52832-MDK is serious overkill just to provide networking. Designed to be the heart of a full blown Internet of Things smart device, it is entirely capable of implementing proprietary 2.4GHz networking protocols. Here however, it probably is just intended to provide the aging Raspberry Pi with access to Bluetooth and, presumably, Wi-Fi.

When they’re discovered, these sorts of network leeches are normally rather hard to analyse. The file systems are usually encrypted, and if you get further than that, the code is usually highly obfuscated, and at best it connects back to an anonymous botnet. However, intriguingly, this one was different.

The Raspberry Pi’s SD card turned out to have an entirely normal file system, in fact, it turned out to be a Balena — that’s the new name for Resin.io for those of us that haven’t been paying attention lately—installation. Which for this sort of board is sort of insane, Balena is a paid service, and is linked back to real identity, and isn’t the sort of thing you want to use when you deploy hardware into someone else’s data center under the cover of night.

The Resin.io config.json file links the board back to a real person. (📷: Christian Haschek)

From there Haschek followed the trail from the Balena user name, along with left over networking configuration file that gave him the SSID of the network the Raspberry Pi was configured on, right back to a home address.

Checking RADIUS logs indicated that the board was attached to the network by an ex-employee who still had access to the building, and now “…legal has taken over.”

There are still some issues around the board, and Haschek has posted some additional details not found in his update post back to to the original Reddit thread. We often times don’t get the closure we’d like to these sorts of stories, so it’s fascinating to get an update on this one, and I rather hope we get a final update. After all the legal proceedings have finished, of course. Because after the evidence trail that’s surfaced from this device, it’s all going to court.

[h/t: Hacker News]