Black Hat USA 2019: IBM X-Force Red Reveals New 'Warshipping' Hack To Infiltrate Corporate Networks


At the annual Black Hat cybersecurity conference taking place this week in Las Vegas, Nevada, IBM's X-Force Red presented a new attack technique, nicknamed "warshipping", to more than 19,000 security professionals from roughly 90 countries.

Similar to wardriving, where an attacker cruises a neighborhood scouting for Wi-Fi networks, warshipping lets an attacker remotely infiltrate a corporate network by simply hiding a remote-controlled scanning device inside a package. The device is designed to penetrate the wireless network of a company (or of the CEO's home) and report back to the sender.

"The U.S. Postal Service processes and delivers 484.8 million mailpieces of first-class mail a day—roughly one-and-a-half mailpieces for every person in the U.S.—in a single day," said Charles Henderson, the head of Big Blue's offensive security team in a blog post yesterday. "What most people don’t realize is that some packages they receive may be looking to steal personal or confidential information. And the proliferation of e-commerce-related package deliveries is exactly what cybercriminals can exploit with a tactic IBM X-Force Red is calling 'warshipping'.”

With this in mind, IBM X-Force Red (an autonomous team of veteran hackers within IBM Security, hired to break into organizations and uncover security vulnerabilities that criminal attackers may use) investigated how cybercriminals might exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone's front door.

[Image: Here's how a sub-$100 device could easily infiltrate a secure corporate wireless network. Credit: IBM Security]

"Our aim in doing so was to help educate our customers about security blind spots and modern ways adversaries can disrupt their business operations or steal sensitive data," added Henderson.

For that purpose, Henderson's team built a cheap (less than $100) 3G-enabled "warship device": a single-board computer with a Wi-Fi chip, antenna components and a battery, small enough to be hidden inside the packaging.

"Applying some clever hacks, we were able to turn these devices into low-power gadgets when active and power them off completely when dormant. Using an internet-of-things (IoT) modem, we were also able to keep these devices connected while in transit and communicate with them every time they powered on," noted Henderson.

Once the warship device arrived on-site, at the target's front door, mailroom or loading dock, the IBM team was able to remotely control the system and run tools to either passively or actively attempt to attack the target's wireless network.

"For this project, we chose to conduct a passive wireless attack by listening for packets that we could use to break into our victim’s systems," described Henderson. "As an example, we listened for a handshake, a packet signaling that a device established a network connection. One of the warship devices transmitted the captured hash to our servers, which we then utilized on the backend to crack the preshared key, essentially the user’s wireless password, and gain Wi-Fi access."

Once inside the corporate network, an attacker can then start exploiting existing vulnerabilities to compromise a system, such as an employee's device, and establish a persistent foothold in the network, steal sensitive employee data, exfiltrate corporate data, harvest user credentials and more.

Atherton Research Insights

With hundreds if not thousands of packages delivered each day at every company around the world, the "attack surface" is huge. The first step is to make sure that your organization uses a strong Wi-Fi Protected Access 2 (WPA2) configuration across all the endpoint devices in the enterprise.

Remember, a company's security is as strong as its weakest link.

So here are three ways to mitigate the risks of a warshipping-type attack:

  1. Ask employees to refrain from shipping personal packages to the office
  2. Receive and store all outside packages in a "quarantine" area with no or limited access to the corporate network
  3. Continuously look for rogue Wi-Fi devices that either try to connect to the corporate network or can act as a rogue wireless access point that employees could erroneously connect to
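As an added example (not IBM's code and not part of the original article), a small Python check for the third item above: it compares one constructed Wi-Fi scan against a constructed inventory of authorized access points and flags evil-twin APs that advertise the corporate SSID from a radio the organization does not own, plus unknown APs whose signal is strong enough to be on the premises. The inventory, the scan records and the -70 dBm on-site threshold are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class APObservation:
    ssid: str
    bssid: str
    channel: int
    rssi: int  # signal strength in dBm; closer to 0 means nearer to the sensor


# Constructed inventory of authorized corporate APs (BSSID -> SSID). A real
# deployment would pull this from the wireless controller, not hard-code it.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
}
CORP_SSIDS = set(AUTHORIZED_APS.values())


def classify(obs: APObservation) -> str:
    """Classify one observed AP as authorized, evil_twin or unknown."""
    bssid = obs.bssid.lower()
    if bssid in AUTHORIZED_APS and AUTHORIZED_APS[bssid] == obs.ssid:
        return "authorized"
    if obs.ssid in CORP_SSIDS:
        # Corporate SSID advertised by a radio we do not own: rogue AP that
        # employees could mistakenly join.
        return "evil_twin"
    return "unknown"


def find_rogues(observations, onsite_rssi=-70):
    """Return (bssid, ssid, verdict) for APs worth investigating.

    Evil twins are always reported. Unknown APs are reported only when the
    signal is strong enough to be physically on site (e.g. in the mailroom),
    so distant neighbour networks do not flood the list.
    """
    findings = []
    for obs in observations:
        verdict = classify(obs)
        if verdict == "evil_twin" or (verdict == "unknown" and obs.rssi >= onsite_rssi):
            findings.append((obs.bssid.lower(), obs.ssid, verdict))
    return findings


# Constructed scan snapshot: one legitimate AP, one evil twin, one strong
# unknown device and one weak neighbour network.
SCAN = [
    APObservation("CorpWiFi", "AA:BB:CC:00:00:01", 6, -52),
    APObservation("CorpWiFi", "de:ad:be:ef:00:01", 6, -48),
    APObservation("Setup-1F2A", "02:11:22:33:44:55", 1, -44),
    APObservation("NeighbourNet", "11:22:33:44:55:66", 11, -86),
]

if __name__ == "__main__":
    for bssid, ssid, verdict in find_rogues(SCAN):
        print(f"{verdict:10s} {bssid} {ssid}")
```

Running the scan periodically and diffing the findings against the previous run is what turns this into the "continuous" check the list item asks for.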

Although impractical in many ways, the IBM team also suggests inspecting and scanning all incoming packages for "tech-enabled" devices.
