STOP WAIT A MINUTE MR POSTMAN, you're delivering cybersecurity exploits directly to a target's mailroom so cyber crims don't need to break into networks over the web.
So says IBM X-Force Red security researchers, which have shed light on the so-called 'warshipping' hacking technique that involves shipping low-powered and disposable computers to targets. This enables close-proximity attacks to be performed remotely anywhere in the world from anywhere in the world.
"All a malicious actor needs to do is hide a tiny device (similar to the size of a small cell phone) in a package and ship it off to their victim to gain access to their network. In fact, they could ship multiple devices to their target location thanks to low build cost," explained Charles Henderson, head of IBM's offensive operations arm.
"The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child's teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim."
The researchers created a proof-of-concept device (above), which used a small 3G modem, cost some $100 to build and once set up periodically scanned for nearby networks allowing for the parcel the device is being shipped in to be tracked.
"Once we see that a warship has arrived at the target destination's front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively, or actively, attack the target's wireless access," said Henderson.
After a network has been compromised, the so-called warship then seeks out data that it could then grab and send back to a more powerful system so it could be hacked later.
"As an example, we listened for a handshake, a packet signalling that a device established a network connection. One of the warship devices transmitted the captured hash to our servers, which we then utilised on the backend to crack the preshared key, essentially the user's wireless password, and gain Wi-Fi access," said Henderson.
He also noted that the warship could also be used to create a rogue wireless network to coax a victim into joining it and thereby opening themselves up to further attacks.
The technique might seem like something out of Mr Robot, but apparently, it presents a potentially lucrative opportunity to criminals given how many packages are shipped worldwide and how many of us get things delivered to our offices, especially in the holiday sales seasons.
Henderson warned that a secure package policy and avoiding bringing in packages into sensitive parts of a business can help stop such attacks, as can ensuring a Wi-Fi network uses strong WPA2 security.
Our advice is to be bloody careful what packages you accept and if you think they contain something dodgy burn them with a cleansing fire. µ
An assault course on the senses
Boasting Bionic boosting