Hackers may start 'Warshipping' businesses to steal data

IBM's latest imagined attack vector could soon be a reality

IBM has revealed what it thinks could be a future attack vector for cyber criminals to harness when attempting to hijack a victim's wireless network and steal sensitive data without detection.

The technique explained by the company at Black Hat 2019 is being coined "Warshipping" and involves concealing a tiny homebrew device, which it said costs less than $100 to build, inside of a regular-looking parcel and sending it to a victim - perhaps a business or CEO.

With the number of packages getting delivered to businesses and stored in mailrooms increasing every day, attackers can use this to their advantage by deploying this device to sniff a company's network for access points and other data worth harvesting.

"Think of the volume of boxes moving through a corporate mailroom daily. Or, consider the packages dropped off on the porch of a CEO's home, sitting within range of their home Wi-Fi," said Charles Henderson, global head of IBM X-Force Red. "Using warshipping, X-Force Red was able to infiltrate corporate networks undetected.

"Our aim in doing so was to help educate our customers about security blind spots and modern ways adversaries can disrupt their business operations or steal sensitive data." 

The makeshift device is fitted with a wireless 3G modem, which allowed IBM researchers to remotely control the device from back in their lab. The device itself is a single-board computer (SBC), a cheap and cheerful networked PC, powered by a mobile phone battery.

The design's main limitation is its power consumption, but IBM managed to tweak it to become a low-power device, capable of being turned off when it's not needed.

Once concealed in the parcel and in transit, the device periodically scans for wireless networks, which lets the controllers monitor the location of the parcel and ultimately verify that it has been delivered to the intended target.

"Once we see that a warship device has arrived at the target's front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target's wireless access," said Henderson. "The goal of these attacks is to obtain data that can be cracked by more powerful systems in the lab, such as a hash."

IBM said it could gain a foothold on the network by listening for a handshake (a packet signalling an established connection) and capturing the hash in order to crack a preshared key, which can then be used to gain network access, and by collecting data that can be siphoned back to a more powerful system for cracking.

The warship can also be set up as an 'evil twin': a spoof network to which employees could be enticed to connect their devices, revealing their true credentials, which can then be used to move deeper throughout a legitimate network.
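As an added illustration (not from IBM or the original article), one way a defender might flag the spoofed 'evil twin' network described above is to compare a wireless survey against an allowlist of the organisation's own access points. The SSID, BSSIDs, security labels and scan results below are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str   # label as reported by the survey tool (assumed format)
    rssi_dbm: int   # signal strength; closer to 0 means physically nearer

def norm(ssid: str) -> str:
    # Fold case and whitespace so lookalikes such as "corpwifi " still match.
    return ssid.strip().casefold()

# Constructed allowlist: corporate SSID -> {authorised BSSID: expected security}
AUTHORISED = {
    norm("CorpWiFi"): {
        "00:00:5e:00:53:01": "WPA2-Enterprise",
        "00:00:5e:00:53:02": "WPA2-Enterprise",
    },
}

def find_suspect_aps(beacons, authorised=AUTHORISED):
    """Return (beacon, reason) pairs for APs imitating a corporate SSID."""
    findings = []
    for b in beacons:
        known = authorised.get(norm(b.ssid))
        if known is None:
            continue  # not one of our network names, out of scope
        expected = known.get(b.bssid.lower())
        if expected is None:
            findings.append((b, "unlisted BSSID advertising a corporate SSID"))
        elif b.security != expected:
            findings.append((b, "listed BSSID with unexpected security settings"))
    # Strongest signal first: the nearest transmitter is the first place to
    # look, for example a parcel sitting in the mailroom.
    return sorted(findings, key=lambda f: f[0].rssi_dbm, reverse=True)

# Constructed survey results, not real captures.
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "00:00:5E:00:53:01", "WPA2-Enterprise", -48),
    Beacon("CorpWiFi", "00:00:5e:00:53:7f", "Open", -41),
    Beacon("corpwifi ", "00:00:5e:00:53:80", "WPA2-PSK", -67),
    Beacon("CoffeeShop", "00:00:5e:00:53:90", "Open", -60),
    Beacon("CorpWiFi", "00:00:5e:00:53:02", "WPA2-PSK", -55),
]

if __name__ == "__main__":
    for beacon, reason in find_suspect_aps(SAMPLE_SCAN):
        print(f"{beacon.bssid} {beacon.ssid!r} {beacon.rssi_dbm} dBm: {reason}")
```

A MAC address can be spoofed, so a clean result here does not prove the absence of an evil twin; the security and signal-strength checks are what catch a cloned BSSID.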

Henderson noted the researchers were then able to exploit vulnerabilities in things like employee devices to establish a persistent foothold on the network, giving them the ability to "steal employee data, exfiltrate corporate data or harvest user credentials".

The name 'Warshipping' was inspired by a combination of Wardialing and Wardriving.

The former was a network-cracking approach in the 1980s and 1990s dial-up era which involved attackers spamming phone numbers until they landed on a weak system.

The latter was used more recently in the 2005 TJX data breach, which cost the company close to $2 billion. In this case, attackers drove around Miami and sat in TJX store car parks, sniffing the store's networks locally from a vehicle using cheap wireless equipment.

"Attacks like these are particularly concerning as they are so difficult to detect and can prove to be detrimental if executed successfully," said Stuart Sharp, VP of solution engineering at OneLogin. "These attacks are certainly viable as they require low powered devices that can be activated remotely, meaning they can withstand transit for many days without losing power.

"Organisations should be extra vigilant when accepting packages and refrain from leaving empty boxes within the confines of the business," he added.

Henderson said we could expect to see the attack method being exploited more heavily during times of the year that see high-volume deliveries, such as Christmas or Black Friday.

No examples of Warshipping have been seen in the wild yet. However, in late 2018 a string of European banks were targeted by attackers posing as job seekers, couriers and inspectors who then installed Raspberry Pi devices in places like meeting rooms and stole tens of millions of dollars by doing so.
