Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Warshipping: A New Threat From the Packages Delivered to Your Office

September 26, 2019

I am late covering this story from The Register, but this is certainly a new form of attack that may become prevalent – and very few people seem to have heard of it. So what is warshipping?

Black Hat: IBM's X-Force hacking team came up with an interesting variation on wardriving (if you don't know, that's when you cruise a neighborhood looking for unsecured Wi-Fi networks). Warshipping is a step up that uses commercial delivery services to reach your office.

To demonstrate warshipping, the X-Force team built a low-power gadget consisting of a $100 single-board computer with built-in 3G and Wi-Fi connectivity and GPS. It's smaller than the palm of your hand and can be hidden in a package sent out for delivery to a target's business or home.

Once it arrives, it can be activated remotely over the internet, or when it detects it is near its destination using GPS. It can be instructed to scan for vulnerable networks to infiltrate or spoof nearby legitimate wireless networks to harvest passphrases from those connecting.

Obtained information can be relayed back to base, over the internet, and the device can be commanded to drill further into any networks it is able to break into, installing spyware as it goes. This device is potentially very effective as it passes through a business on its way to someone's desk.

"Think of the volume of boxes moving through a corporate mailroom daily," said Charles Henderson of IBM X-Force Red. "Or consider the packages dropped off on the porch of a CEO's home, sitting within range of their home Wi-Fi. Using warshipping, X-Force Red was able to infiltrate corporate networks undetected."

Henderson continued, describing how the gizmo could be deployed:

"With our warship device, we could also launch other active wireless attacks, such as a deauthentication attack or 'evil twin' Wi-Fi attack. By launching an evil twin Wi-Fi network, we could then set up a rogue Wi-Fi network with the warship device and coax our target to join our new decoy network. Our target would then divulge their true credentials (including username and password). This would provide us with further access that could be used for follow-up attacks against the enterprise wireless network.

"Once we broke in via the Wi-Fi access, we could then seek to pivot by exploiting existing vulnerabilities to compromise a system, like an employee's device, and establish a persistent foothold in the network. With this ability to get back into a compromised network, attackers can move through it, steal sensitive employee data, exfiltrate corporate data or harvest user credentials.

"Bottom line: In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target's systems."

To put things in perspective, this gadget is only at the proof-of-concept stage, though in the future IBM predicts it could become popular with attackers. I think we can assume that others (not with benign intent) are pursuing warshipping as a very valuable tool.

IBM recommends banning employees from shipping personal packages to their offices (this would not go over well at our office), which makes it easier to intercept all parcels, and checking deliveries with a suitable radio frequency scanner.
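One way to act on the scanning recommendation, as an added example that is not from The Register's story or from IBM: a Python check over a Wi-Fi survey taken near the mailroom that flags access points advertising the corporate network name from unknown hardware or with weaker security, plus strong unknown transmitters. The CSV layout, network names, addresses and the -50 dBm threshold are all constructed assumptions.

```python
import csv
import io

# Constructed inventory: the network name, addresses and threshold are assumptions.
AUTHORIZED = {
    "CorpWiFi": {
        "security": "WPA2-Enterprise",
        "bssids": {"a4:11:22:33:44:01", "a4:11:22:33:44:02"},
    },
}
STRONG_DBM = -50  # assumed: at least this strong means "probably inside the mailroom"

# Constructed survey export (hypothetical CSV layout, not a real tool's format).
SCAN_CSV = """\
ssid,bssid,channel,signal_dbm,security
CorpWiFi,a4:11:22:33:44:01,36,-61,WPA2-Enterprise
CorpWiFi,A4:11:22:33:44:02,149,-67,WPA2-Enterprise
CorpWiFi,02:de:ad:be:ef:10,6,-38,Open
CorpWiFi,a4:11:22:33:44:01,6,-40,Open
GuestNet-Cafe,58:aa:bb:cc:dd:20,11,-82,WPA2-Personal
,02:de:ad:be:ef:11,1,-41,WPA2-Personal
"""


def review_scan(csv_text, authorized=AUTHORIZED, strong_dbm=STRONG_DBM):
    """Return (bssid, finding) pairs for one survey, in the order rows appear."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ssid = row["ssid"].strip()
        bssid = row["bssid"].strip().lower()  # scanners differ on MAC letter case
        policy = authorized.get(ssid)
        if policy is not None:
            if bssid not in policy["bssids"]:
                # Our network name from hardware we do not own: possible evil twin.
                findings.append((bssid, "unknown-bssid"))
            elif row["security"].strip() != policy["security"]:
                # A BSSID can be cloned, so the advertised security must match too.
                findings.append((bssid, "security-mismatch"))
        elif int(row["signal_dbm"]) >= strong_dbm:
            # Unrelated or hidden network, but transmitting from very close by.
            findings.append((bssid, "strong-unknown-transmitter"))
    return findings


if __name__ == "__main__":
    for bssid, finding in review_scan(SCAN_CSV):
        print(f"{finding:28} {bssid}")
```

A finding here is a reason to physically inspect recent deliveries, not proof that a device is present.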

No one is likely to pay great attention to warshipping until we see it in the wild. I think it's likely that there will be such sightings in 2020.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson