Hackers may start 'Warshipping' businesses to steal data

Cyber attack

IBM has revealed what it thinks could be a future attack vector for cyber criminals to harness when attempting to hijack a victim's wireless network and steal sensitive data without detection.

The technique explained by the company at Black Hat 2019 is being coined "Warshipping" and involves concealing a tiny homebrew device, which it said costs less than $100 to build, inside of a regular-looking parcel and sending it to a victim - perhaps a business or CEO.

With the number of packages getting delivered to businesses and stored in mailrooms increasing every day, attackers can use this to their advantage by deploying this device to sniff a company's network for access points and other data worth harvesting.

"Think of the volume of boxes moving through a corporate mailroom daily. Or, consider the packages dropped off on the porch of a CEO's home, sitting within range of their home Wi-Fi," said Charles Henderson, global head of IBM X-Force Red. "Using warshipping, X-Force Red was able to infiltrate corporate networks undetected.

"Our aim in doing so was to help educate our customers about security blind spots and modern ways adversaries can disrupt their business operations or steal sensitive data."

Image by IBM

The makeshift device (pictured above) is fitted with a wireless 3G modem which allowed IBM researchers to remotely control the device from back in their lab. The device itself is a single board computer (SBC) which are cheap and cheerful networked PCs powered by a mobile phone battery.

The design's main limitation is its power consumption, but IBM managed to tweak it to become a low-power device, capable of being turned off when it's not needed.

Once concealed in the parcel and in transit, the device periodically scans for wireless networks which lets the controllers monitor the location of the parcel and ultimately verify that it has been delivered to the intended target.

"Once we see that a warship device has arrived at the target's front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target's wireless access," said Henderson. "The goal of these attacks is to obtain data that can be cracked by more powerful systems in the lab, such as a hash."

IBM said it could gain a foothold on the network by listening for a handshake (a packet signalling an established connection) and capturing the hash to crack a preshared key which can be used to gain network access, and collect data that can be siphoned back to a more powerful system for cracking.

The warship can also be set up as an 'evil twin' network whereby attacks could be performed by setting up a spoof network to which employees could be enticed to connect devices to, revealing their true credentials which can then be used to move deeper throughout a legitimate network.

Henderson noted the researchers were then able to exploit vulnerabilities in things like employee devices to establish a persistent foothold on the network, giving them the ability to "steal employee data, exfiltrate corporate data or harvest user credentials".

The name 'Warshipping" was inspired by and named after a combination of Wardialing and Wardriving.

The former was a network-cracking approach in the 1980s and 1990s dial-up era which involved attackers spamming phone numbers until they landed on a weak system.

The latter was used more recently in the 2005 TJX data breach which cost the company close to $2 billion. In this case, attackers drove around Miami and sat in TJX store car parks and sniffing the store's networks locally from a vehicle, using cheap wireless equipment.

"Attacks like these are particularly concerning as they are so difficult to detect and can prove to be detrimental if executed successfully," said Stuart Sharp, VP of solution engineering at OneLogin. "These attacks are certainly viable as they require low powered devices that can be activated remotely, meaning they can withstand transit for many days without losing power.

"Organisations should be extra vigilant when accepting packages and refrain from leaving empty boxes within the confines of the business," he added.

Henderson said we could expect to see the attack method being exploited more heavily during times of the year which see high volume deliveries such as Christmas or Black Friday.

No examples of Warshipping have been seen in the wild yet. However, in late 2018 a string of European banks were targeted by attackers posing as job seekers, couriers and inspectors who then installed Raspberry Pi devices in places like meeting rooms and stole tens of millions of dollars by doing so.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.