Hackers may start 'Warshipping' businesses to steal data

IBM's latest imagined attack vector could soon be a reality

Cyber attack

IBM has revealed what it thinks could be a future attack vector for cyber criminals to harness when attempting to hijack a victim's wireless network and steal sensitive data without detection.

The technique explained by the company at Black Hat 2019 is being coined "Warshipping" and involves concealing a tiny homebrew device, which it said costs less than $100 to build, inside of a regular-looking parcel and sending it to a victim - perhaps a business or CEO.

With the number of packages getting delivered to businesses and stored in mailrooms increasing every day, attackers can use this to their advantage by deploying this device to sniff a company's network for access points and other data worth harvesting.

"Think of the volume of boxes moving through a corporate mailroom daily. Or, consider the packages dropped off on the porch of a CEO's home, sitting within range of their home Wi-Fi," said Charles Henderson, global head of IBM X-Force Red. "Using warshipping, X-Force Red was able to infiltrate corporate networks undetected.

"Our aim in doing so was to help educate our customers about security blind spots and modern ways adversaries can disrupt their business operations or steal sensitive data." 

Image by IBM

The makeshift device (pictured above) is fitted with a wireless 3G modem which allowed IBM researchers to remotely control the device from back in their lab. The device itself is a single board computer (SBC) which are cheap and cheerful networked PCs powered by a mobile phone battery.

The design's main limitation is its power consumption, but IBM managed to tweak it to become a low-power device, capable of being turned off when it's not needed.

Once concealed in the parcel and in transit, the device periodically scans for wireless networks which lets the controllers monitor the location of the parcel and ultimately verify that it has been delivered to the intended target.

"Once we see that a warship device has arrived at the target's front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target's wireless access," said Henderson. "The goal of these attacks is to obtain data that can be cracked by more powerful systems in the lab, such as a hash."

IBM said it could gain a foothold on the network by listening for a handshake (a packet signalling an established connection) and capturing the hash to crack a preshared key which can be used to gain network access, and collect data that can be siphoned back to a more powerful system for cracking. 

The warship can also be set up as an 'evil twin' network whereby attacks could be performed by setting up a spoof network to which employees could be enticed to connect devices to, revealing their true credentials which can then be used to move deeper throughout a legitimate network.

Henderson noted the researchers were then able to exploit vulnerabilities in things like employee devices to establish a persistent foothold on the network, giving them the ability to "steal employee data, exfiltrate corporate data or harvest user credentials".

The name 'Warshipping" was inspired by and named after a combination of Wardialing and Wardriving.

The former was a network-cracking approach in the 1980s and 1990s dial-up era which involved attackers spamming phone numbers until they landed on a weak system.

The latter was used more recently in the 2005 TJX data breach which cost the company close to $2 billion. In this case, attackers drove around Miami and sat in TJX store car parks and sniffing the store's networks locally from a vehicle, using cheap wireless equipment.

"Attacks like these are particularly concerning as they are so difficult to detect and can prove to be detrimental if executed successfully," said Stuart Sharp, VP of solution engineering at OneLogin. "These attacks are certainly viable as they require low powered devices that can be activated remotely, meaning they can withstand transit for many days without losing power.

"Organisations should be extra vigilant when accepting packages and refrain from leaving empty boxes within the confines of the business," he added.

Henderson said we could expect to see the attack method being exploited more heavily during times of the year which see high volume deliveries such as Christmas or Black Friday.

No examples of Warshipping have been seen in the wild yet. However, in late 2018 a string of European banks were targeted by attackers posing as job seekers, couriers and inspectors who then installed Raspberry Pi devices in places like meeting rooms and stole tens of millions of dollars by doing so.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021