Raspberry Pi Used for Data Breach?

LIFARS - Digital Forensics and Incident Response Investigations Company

The Raspberry Pi is a small, credit-card-sized computer that was originally designed to teach children how to program. It runs a Linux distribution; although its processing power is modest, it is very versatile and can be programmed to do whatever the user wants. This small computer, which fits in the palm of your hand, essentially operates as a desktop computer without bulky equipment and wires. For small organizations, schools, or students, the Raspberry Pi can be a great tool. Professionals can use it as a cheap, portable computer for troubleshooting or researching solutions.

Due to the small and compact design of the Raspberry Pi, the device can be easily hidden. A recent post on Reddit described a Raspberry Pi that was found in the network closet of an organization. The closet was kept under lock and key, and the Raspberry Pi was found with a USB dongle, connected to one of the switches. The USB dongle has both Bluetooth and Wi-Fi capabilities. When the IT employee found the device, he imaged it and found that the drive had been flashed with a balena.io (formerly resin.io) Raspberry Pi image, which connected to a VPN. The device started Docker containers on boot that were updated regularly, and one of the containers held confidential company code that generated information screens for large companies. The program installed on it was called ‘logger’. The user account on the Raspberry Pi belonged to a former employee who still had a key to the room; that account, however, is disabled.

When an incident such as this occurs, it is crucial to contact management and turn to the organization’s incident response plan. Gathering as much information as possible from all available sources can help resolve the problem. In this case, it seems that either a pen test was being performed by the organization or a former employee may have gone rogue. The Raspberry Pi could have been connected to the server for months without anyone noticing, collecting logs and packets passing through the network. The fact that the device connected to a VPN, had Wi-Fi capability, and was being updated every 20 hours is a strong indication that the organization’s information was being leaked. It is important that security best practices are followed, locks are changed, and an investigation is carried out to ensure no other unauthorized devices are connected.
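One concrete step in that investigation is a sweep of the network neighbour table against the asset inventory, so that any device nobody can account for (a hidden single-board computer included) is surfaced rather than discovered by chance. The script below is an added example, not LIFARS code and not taken from the Reddit post: it parses constructed sample lines in the format of Linux `ip neigh` output, normalises MAC addresses, and flags entries whose MAC is missing from a constructed inventory or whose OUI is one registered to the Raspberry Pi Foundation / Raspberry Pi Trading Ltd (those OUI values are assumed correct at the time of writing and should be checked against the current IEEE registry before use).

```python
"""Rogue-device sweep: flag network neighbours that are not in the asset inventory.

Added example (not LIFARS code). Parses `ip neigh`-style lines, normalises the
MAC address, and reports devices that are absent from the inventory or whose
OUI belongs to the Raspberry Pi Foundation / Raspberry Pi Trading Ltd.
"""
import re
from dataclasses import dataclass

# OUIs assumed to be registered to Raspberry Pi Foundation / Raspberry Pi Trading Ltd.
# Verify against the current IEEE OUI registry before relying on them.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed asset inventory: MAC -> description. Anything not listed is unknown.
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:5e": "core-switch-01",
    "00:1a:2b:3c:4d:5f": "fileserver",
    "3c:52:82:aa:bb:cc": "printer-2nd-floor",
}

# Matches lines such as: "10.0.0.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F:-]{17})\s+(?P<state>\S+)"
)


@dataclass
class Finding:
    ip: str
    mac: str
    dev: str
    reasons: tuple


def normalise_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so inventory lookups are exact."""
    return mac.lower().replace("-", ":")


def oui(mac: str) -> str:
    """First three octets of a MAC, i.e. the vendor-assigned OUI."""
    return normalise_mac(mac)[:8]


def parse_neigh(text: str):
    """Yield (ip, dev, mac) for each neighbour line that carries a link-layer address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m["ip"], m["dev"], normalise_mac(m["mac"])


def sweep(neigh_text: str, inventory=KNOWN_ASSETS, flagged_ouis=RASPBERRY_PI_OUIS):
    """Return a Finding for every neighbour that is unknown or has a flagged OUI."""
    findings = []
    for ip, dev, mac in parse_neigh(neigh_text):
        reasons = []
        if mac not in inventory:
            reasons.append("not in asset inventory")
        if oui(mac) in flagged_ouis:
            reasons.append("Raspberry Pi OUI")
        if reasons:
            findings.append(Finding(ip, mac, dev, tuple(reasons)))
    return findings


# Constructed sample of `ip neigh` output; the FAILED entry has no lladdr and is skipped.
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.0.0.10 dev eth0 lladdr 00:1a:2b:3c:4d:5f STALE
10.0.0.23 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
10.0.0.40 dev eth0 lladdr 3c:52:82:aa:bb:cc DELAY
10.0.0.77 dev eth0 lladdr 00:50:56:ab:cd:ef STALE
10.0.0.99 dev eth0  FAILED
"""

if __name__ == "__main__":
    for f in sweep(SAMPLE_NEIGH):
        print(f"{f.ip:<12} {f.mac}  {f.dev}  {', '.join(f.reasons)}")
```

On a real host the neighbour table only shows devices that have recently exchanged traffic with that host, so the sweep should be run from several points (or fed from the switches' MAC address tables or DHCP leases) and repeated over time; a device that only wakes up periodically, as the one in the post did, is easy to miss in a single pass.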

If you found a strange device in your company network or even at your home, contact LIFARS. Our team will analyze the device to understand its behavior and give you all the answers you need.