IBM’s X-Force Red team has demonstrated a new tactic through which cybercriminals could attack a corporate network, calling it “warshipping”. The main difference between warshipping and what we’re used to seeing is that it is not a remote attack; instead, it requires the device to be within range of the targeted wireless network. What this means is that the attackers would have to send the device via postal mail to the physical address of the network they want to compromise, and with millions of parcels being delivered every day, this wouldn't be hard at all.
Warshipping is based on the use of a low-cost, low-power computer such as one of the many single-board systems currently available on the market. The device needs to be 3G-enabled so that the attacker can control it remotely, and it can be hidden inside a postal box, or even inside its contents. Think of a small teddy bear, for example, with a Raspberry Pi Zero inside it and a battery to keep it going. A 4000mAh Li-Ion pack should be enough to keep the computer running for at least 16 hours, during which the attacker could compromise the target network.
The warship device that X-Force Red built as an example scans for Wi-Fi hotspots periodically and also sends back its GPS location, so that the attacker can tell when it has reached its intended destination. The device captures handshakes by sniffing the packet exchange and then transmits the captured hash to the attacker’s server. The attacker then cracks the preshared key and finally loads the Wi-Fi access code onto the warship device, so that it gains access to the target network. Another way to deploy the warship would be to run an “evil twin” Wi-Fi attack and trick people into connecting to the decoy wireless network.
All in all, this method enables attackers to exfiltrate corporate data, steal user login credentials, or harvest sensitive employee information. To stay protected against warshipping, you should not leave unopened boxes lying around for long once they reach your office, and you should check their contents thoroughly when they are opened. Using scanners to locate electronics inside items is also a robust way to stay safe. Finally, enterprises should secure their Wi-Fi with WPA2 and use certificates for Wi-Fi authentication instead of relying on just usernames and passwords. Beyond that, setting up a VPN with multifactor authentication to act as the gateway to the corporate network will render warshipping impossible.
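Both attack paths described above leave a footprint in the radio environment: a decoy “evil twin” is an access point broadcasting a corporate SSID from a radio that the organisation does not own, and a PSK-based or open network is a weaker security mode than the certificate-based WPA2 setup recommended here. The script below is an added example, not code from the article or from X-Force Red, showing how a defender can turn a periodic Wi-Fi scan into an alert. It assumes the organisation keeps an inventory of its own access-point BSSIDs and the security mode each SSID should use; the inventory, the scan results and every MAC address in it are constructed for illustration.

```python
"""Rogue / evil-twin access point detector over Wi-Fi scan results.

Added example (not from the original article). Compares a scan of nearby
access points against an inventory of authorized BSSIDs and the expected
security mode per SSID, and flags anything that looks like a decoy of a
corporate SSID or a downgrade to PSK/open. All SSIDs, BSSIDs and signal
levels below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # radio MAC address, any case, ':' or '-' separated
    security: str     # "open", "wpa2-psk" or "wpa2-eap" (certificate/802.1X)
    signal_dbm: int


@dataclass
class Finding:
    ssid: str
    bssid: str
    reasons: list


# Constructed inventory (assumption: the organisation maintains one): the SSIDs
# it runs, the BSSIDs allowed to broadcast each, and the expected security mode.
AUTHORIZED = {
    "corp-wifi": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "security": "wpa2-eap",
    },
    "corp-guest": {
        "bssids": {"00:11:22:33:44:11"},
        "security": "wpa2-psk",
    },
}


def normalize_bssid(bssid: str) -> str:
    """Canonical lowercase colon-separated form so inventory lookups are exact."""
    return bssid.strip().lower().replace("-", ":")


def _match_ssid(ssid: str, authorized: dict):
    """Return (canonical SSID, exact) or (None, False).

    A lookalike (same letters after case-folding and removing whitespace) is
    matched with exact=False so a decoy such as "Corp-WiFi" is still examined.
    """
    if ssid in authorized:
        return ssid, True
    folded = "".join(ssid.casefold().split())
    for name in authorized:
        if "".join(name.casefold().split()) == folded:
            return name, False
    return None, False


def find_rogues(scan, authorized=AUTHORIZED):
    """Return one Finding per scanned AP that imitates or weakens a corporate SSID."""
    findings = []
    for ap in scan:
        name, exact = _match_ssid(ap.ssid, authorized)
        if name is None:
            continue  # a neighbour's network; not one of ours, so not in scope here
        expected = authorized[name]
        bssid = normalize_bssid(ap.bssid)
        reasons = []
        if not exact:
            reasons.append(f"lookalike of corporate SSID {name!r}")
        if bssid not in expected["bssids"]:
            reasons.append("BSSID not in the authorized access-point inventory (possible evil twin)")
        if ap.security != expected["security"]:
            reasons.append(f"security mode {ap.security!r} differs from expected {expected['security']!r}")
        if reasons:
            findings.append(Finding(ap.ssid, bssid, reasons))
    return findings


# Constructed scan, as a periodic site survey might report it.
SAMPLE_SCAN = [
    AccessPoint("corp-wifi", "00:11:22:33:44:01", "wpa2-eap", -55),   # legitimate
    AccessPoint("corp-wifi", "00:11:22:33:44:02", "wpa2-eap", -60),   # legitimate
    AccessPoint("corp-wifi", "DE:AD:BE:EF:00:01", "wpa2-psk", -40),   # unknown radio, PSK
    AccessPoint("Corp-WiFi", "de:ad:be:ef:00:02", "open", -42),       # lookalike, open
    AccessPoint("corp-guest", "00:11:22:33:44:11", "open", -70),      # our AP, misconfigured
    AccessPoint("neighbour-cafe", "aa:bb:cc:dd:ee:ff", "wpa2-psk", -80),  # not ours
]


def main():
    for finding in find_rogues(SAMPLE_SCAN):
        print(f"{finding.ssid!r} from {finding.bssid}:")
        for reason in finding.reasons:
            print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

In practice the scan list would be filled from whatever survey tool the site already uses, and a finding would be raised as an alert rather than printed; the strong signal on the two decoys in the sample is the kind of detail worth including in that alert, since a warship sitting in the mail room is typically much closer to the victims than the real access points are.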
Have you ever received a box containing a single board computer? Share the details with us in the comments below, and help us spread the word of warning by sharing this post via our socials, on Facebook and Twitter.