good lord. I pulled a microSD card out of a Raspi inside an IoT product and it appears they had some developer use a raspi to develop/test some software, and then they just yanked the SD card out of that machine and duped it on to all of their deployed products.
it's got .bash_history of the development process! there's git checkouts of private repos! WHY WOULD YOU DO THIS?
also, you punks are writing python 2 code in 2021? come on, who does that?
I mean, I do all the time, but I'm a known retrocomputerist. I run Windows 95 and MS-DOS regularly. of course I'm using a wildly outdated programming language. I'm not making a product I sell to customers!
also they're spamming 9 lines to syslog every minute.
this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one
oh sweet jesus they logged into slack from this machine('s image)
I have their chrome profile, with history and cookies and shit!
this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product.
no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!
oh sweet jesus
they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords?
NOPE THEY USED SSHPASS
I have a file here with multiple lines like:
sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/
this is one of the many reasons I'm not a security researcher.
it's a target rich environment.
Also I'm a reverse engineer. There's no reverse engineering here!
I unscrewed the box, pulled out the raspi, pulled the SD card out, put it in my laptop, and it automounted. I then looked at some files while making a disgusted face.
That's not reverse engineering! That's just lookin'
Alice Averlong🏳️⚧️
Glyph