Written by: Matthew Burns
In this age of online shopping and fast-paced delivery, it’s usually not a shock to come home to a package at your doorstep. In fact, the United States Postal Service (USPS) alone delivers 472.1 million mailpieces every day, and in 2019 delivered 6.2 billion packages across the nation. However, most consumers and companies don’t realize that some of these packages can be malicious and act as a vehicle for stealing confidential information.
Building on older forms of network infiltration (such as wardialing and wardriving), researchers have identified a new cyberattack technique, called “warshipping,” that capitalizes on these convenient package delivery methods to infiltrate corporate and personal wireless networks. Consumers and organizations alike should be wary.
What is Wardialing and Wardriving?
Wardialing is an attack technique in which an attacker automatically dials large ranges of phone numbers in order to find weak spots in an IT architecture, especially unprotected modems. Attackers have mostly abandoned this method in favor of approaches that are less cumbersome and more effective.
Wardriving evolved out of wardialing: an attacker uses a Wi-Fi antenna, a laptop, a GPS device, and a car to drive around looking for vulnerable networks. While wardriving is a cheaper and more useful technique for finding an attack vector than wardialing, it is time consuming and impossible if the attacker is not physically located near the intended target. This is where the more modern technique of warshipping comes into play.
What is Warshipping?
Warshipping involves shipping a small, hidden computer with networking capabilities to a target. To initiate the attack, the hacker chooses a physical package to send to an organization and equips it with a cheap device hidden inside an object or at the bottom of the package. The device is usually a single-board computer (SBC) such as a Raspberry Pi, powered by a phone battery, equipped with 3G connectivity, and controllable remotely.
The attacker can then use this computer to connect to an under-protected wireless network and perform a multitude of scans or attacks. The hacker can set up a command and control (C&C) server and program the “warship” to perform wireless scans while in transit. The device also reports its GPS coordinates, letting the hacker know when the package has arrived at its destination.
Once a warship has been delivered to the target environment, the hacker has several capabilities. They can launch active or passive wireless attacks such as packet sniffing, evil twin eavesdropping, or setting up a rogue access point.
This type of technology wasn’t available during the era of wardialing, and warshipping is much less time consuming than wardriving, making it an appealing option for black hats. Realistically, any attacker with malicious intent could employ these same strategies. Warshipping is a very cost-effective technique that can be carried out with consumer parts that are readily available to most people. Furthermore, many organizations aren’t currently equipped to deal with a threat this stealthy.
For hackers, one of the best parts about warshipping is that all the legwork is done by the USPS or another package carrier. While the device is being transported, it can be set to act as a scanner, gathering information on any wireless network it passes en route to its destination. This means an attacker doesn’t even need to be located in the same country as the device to collect this information.
Some organizations don’t let outside phones or internet devices through security, but a warship device hidden in a cardboard box can easily avoid detection. With the volume of mail coming into corporate mailrooms, not every package is going to be vetted perfectly. Once the device reaches its intended target, many attacks can be performed depending on the type of device that was shipped.
Vectors of Attack
The attacker can use a warship device to perform passive attacks, such as scanning the wireless network to search for vulnerabilities (like the mobile wardriving described above). There’s also the possibility for more active attack methods.
A warship device could be used to sniff wireless network packets, allowing attackers to potentially steal sensitive information or credentials. If the warship device is powerful enough, the number of possible attacks that can be executed is almost limitless.
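The evil twin and rogue access point vectors described above leave a footprint a defender can look for: the corporate SSID advertised from a radio that is not on the authorized list, or advertised with weaker security than the real network uses. The following detection logic is an added example, not code from the original article or from IBM X-Force; the access point allowlist and the scan records are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, as a wireless scanner would report it."""
    ssid: str
    bssid: str      # radio MAC address
    channel: int
    security: str   # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"

# Constructed allowlist (hypothetical): corporate SSID -> {BSSID: (channel, security)}
AUTHORIZED_APS = {
    "CorpNet": {
        "aa:bb:cc:00:00:01": (6, "WPA2-EAP"),
        "aa:bb:cc:00:00:02": (11, "WPA2-EAP"),
    },
}

# Constructed scan results: two legitimate APs, a neighbour's network,
# and two suspicious beacons that both advertise the corporate SSID.
SAMPLE_SCAN = [
    Beacon("CorpNet", "aa:bb:cc:00:00:01", 6, "WPA2-EAP"),
    Beacon("CorpNet", "aa:bb:cc:00:00:02", 11, "WPA2-EAP"),
    Beacon("CoffeeShop", "11:22:33:44:55:66", 1, "OPEN"),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, "WPA2-EAP"),   # unknown radio, same SSID
    Beacon("CorpNet", "de:ad:be:ef:00:02", 1, "OPEN"),       # unknown radio, downgraded auth
]

def find_rogue_aps(scan, authorized=AUTHORIZED_APS):
    """Return (finding, beacon) pairs for beacons that impersonate a corporate SSID."""
    findings = []
    for beacon in scan:
        known_radios = authorized.get(beacon.ssid)
        if known_radios is None:
            continue  # not one of our SSIDs; a neighbour, not a rogue
        if beacon.bssid not in known_radios:
            # Our SSID from an unlisted radio is the classic evil twin signature.
            kind = "evil_twin_open" if beacon.security == "OPEN" else "evil_twin"
            findings.append((kind, beacon))
            continue
        expected_channel, expected_security = known_radios[beacon.bssid]
        if beacon.security != expected_security:
            findings.append(("security_mismatch", beacon))  # spoofed BSSID or misconfig
        elif beacon.channel != expected_channel:
            findings.append(("channel_mismatch", beacon))   # worth a look, lower severity
    return findings
```

A downgraded (open or PSK) twin is the more dangerous finding, because clients and users may accept it without the certificate validation that WPA2-Enterprise provides.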
White Hats, Black Hats, and Warshipping
In 2019, IBM X-Force (IBM’s penetration testing team) built a warshipping device that could easily be hidden and shipped to anyone as a means of attack. They shipped one of these devices to a financial institution, then performed an evil twin attack by spoofing a wireless access point, which they used to steal credentials from employees.
The device cost less than $100 to assemble and consisted of a Raspberry Pi Zero W, a phone battery, and a cellular modem. It was small enough to fit inside a stuffed animal, a TV, and many other objects. In their tests, the device allowed IBM to passively and actively attempt to break the target’s wireless system, listen for handshakes, and sniff packets. IBM X-Force was able to infiltrate corporate networks without detection using the warshipping technique. The goal of this research was to educate customers about security blind spots and the characteristics of modern attacks used to disrupt operations and steal data.
How to Prevent Warshipping
- Verify where the package came from and who sent it
- Set a package policy for employees
- Consider banning personal employee packages
- Only connect to trusted networks
- Avoid using pre-shared keys in corporate wireless environments
- Consider a package scanning process for large mailrooms
In a normal business environment, implementing these controls would be challenging but possible. During the current pandemic, protecting against these types of attacks is even more difficult: keeping track of which employees are receiving which packages is nearly impossible when most are working from home. Ensure all employees are briefed on your package policies, and encourage them to apply the same scrutiny and package-receiving procedures at home as in the office. Above all, make sure they verify who sent them a package and check that the package hasn’t been tampered with.
Warshipping is a very viable attack vector that is inexpensive and can be carried out with consumer-grade parts. As IBM X-Force demonstrated, sending warships to organizations can also be a very useful penetration testing tool. Security controls are necessary to protect your organization. Engaging a third party to conduct penetration tests can uncover gaps in your program that need remediation, and can help your company develop a more mature security posture to guard against warshipping and other harmful attacks.