The Raspberry Pi wakeup call: Why enterprises must rethink physical security

Proceed with caution: Villanustre encouraged anyone discovering such a device to proceed cautiously. “Disconnecting the device could result in losing important forensic information if not careful. It’s not too hard to equip the device with a tiny battery or supercapacitor that would give it enough time to wipe itself out if disconnected from the network or somehow tampered with,” Villanustre said. “Trying to send false information is even harder, because you would need to identify the protocols used by the device to know what to send. A bigger concern is if the device is connected to perhaps another device in the ship and could trigger a damaging action if tampered with. It could even detonate explosives.”

Whisper Security CEO Kaveh Ranjibar added that his advice for dealing with this kind of physical discovery is “immediate isolation and forensic analysis, but with one critical step before physical removal: map the blast radius. Before you pull the plug, capture the device’s network traffic. Who is it talking to? What domains is it querying?”

“Using infrastructure intelligence, you can often attribute the actor based on the neighborhood of the command-and-control servers they use, allowing you to understand if this is a script kiddie or a GRU operation before you touch the hardware,” Ranjibar said.

Ranjibar said that when such devices phone home, they may reveal a lot of usable information. “A rogue device like a Raspberry Pi, even with a cellular modem, isn’t invisible. It has to phone home to receive commands or exfiltrate data. It creates an infrastructure footprint: a new IP address, a DNS resolution or a connection to a specific Autonomous System Number (ASN),” Ranjibar said.

“CISOs need to move beyond just monitoring their internal LAN,” he added. “They need continuous external infrastructure monitoring. If a device on your vessel or in your building starts communicating with a network block known for hosting state-sponsored malware, or if a new shadow asset appears on your perimeter, that is your tripwire. You might not catch the person planting the device, but you should instantly catch the device when it connects to the internet.”
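The two pieces of advice above, mapping the blast radius before pulling the plug (who the device talks to, what domains it queries) and tripwiring on a shadow asset or a connection into a watchlisted network block, as an added Python example; this is not code from the article or from either of the quoted companies. The log line format, the asset inventory, the watchlisted ranges (RFC 5737 documentation blocks used as placeholders, not real threat data) and the sample log lines are all constructed for the example.

```python
"""Rogue-device tripwire and blast-radius mapping over constructed log lines."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed watchlist of network blocks to treat as tripwires. These are
# RFC 5737 documentation ranges used as placeholders; a deployment would load
# the list from an infrastructure-intelligence feed instead.
SUSPICIOUS_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed asset inventory: internal addresses expected on this LAN.
KNOWN_ASSETS = {"10.0.5.10", "10.0.5.11", "10.0.5.12"}

# Constructed log lines in a format assumed for this example:
#   <timestamp> <conn|dns> <src_ip> <dst_ip or queried domain> [<dst_port>]
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z conn 10.0.5.10 93.184.216.34 443
2024-03-01T08:00:05Z dns 10.0.5.11 example.com
2024-03-01T08:01:10Z dns 10.0.5.77 updates.placeholder-c2.invalid
2024-03-01T08:01:11Z conn 10.0.5.77 203.0.113.45 8443
2024-03-01T08:02:00Z conn 10.0.5.12 198.51.100.9 80
"""


@dataclass
class Event:
    ts: str
    kind: str            # "conn" or "dns"
    src: str
    dst: str             # destination IP for conn, queried name for dns
    port: Optional[int] = None


def parse_line(line: str) -> Event:
    """Parse one log line of the assumed format into an Event."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed log line: {line!r}")
    port = int(parts[4]) if len(parts) > 4 else None
    return Event(ts=parts[0], kind=parts[1], src=parts[2], dst=parts[3], port=port)


def parse_logs(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_suspicious_block(ip: str, blocks) -> bool:
    """True when ip falls inside any watchlisted network block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in blocks)


def analyze(text: str, known_assets: set[str], blocks) -> list[dict]:
    """Return tripwire alerts in log order.

    Two tripwires: a source address absent from the asset inventory (a shadow
    asset appearing on the network, reported once per address) and any
    connection whose destination sits inside a watchlisted block.
    """
    alerts = []
    seen_new: set[str] = set()
    for ev in parse_logs(text):
        if ev.src not in known_assets and ev.src not in seen_new:
            seen_new.add(ev.src)
            alerts.append({"reason": "new_asset", "src": ev.src, "dst": ev.dst, "ts": ev.ts})
        if ev.kind == "conn" and in_suspicious_block(ev.dst, blocks):
            alerts.append({"reason": "suspicious_block", "src": ev.src, "dst": ev.dst, "ts": ev.ts})
    return alerts


def map_blast_radius(text: str, device_ip: str) -> dict[str, set[str]]:
    """Before touching the hardware: which peers did this device contact and
    which names did it resolve?"""
    peers: set[str] = set()
    domains: set[str] = set()
    for ev in parse_logs(text):
        if ev.src != device_ip:
            continue
        if ev.kind == "conn":
            peers.add(ev.dst)
        elif ev.kind == "dns":
            domains.add(ev.dst)
    return {"peers": peers, "domains": domains}


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS, KNOWN_ASSETS, SUSPICIOUS_BLOCKS):
        print(f"{a['ts']} {a['reason']:16} {a['src']} -> {a['dst']}")
    print(map_blast_radius(SAMPLE_LOGS, "10.0.5.77"))
```

Run against the sample, the unknown host 10.0.5.77 raises a new-asset alert on its first DNS query and a watchlist alert on its outbound connection, while the inventoried host 10.0.5.12 raises only the watchlist alert; the blast-radius map for 10.0.5.77 lists the one peer it connected to and the one name it resolved, which is the record to preserve before the device is removed.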

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4108328/the-raspberry-pi-wakeup-call-why-enterprises-must-rethink-physical-security.html
