Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT Technology

With Warshipping, Hackers Ship Their Exploits Directly To Their Target's Mail Room (techcrunch.com) 79

Why break into a company's network when you can just walk right in-- literally? From a report: Gone could be the days of having to find a zero-day vulnerability in a target's website, or having to scramble for breached usernames and passwords to break through a company's login pages. And certainly there will be no need to park outside a building and brute-force the Wi-Fi network password. Just drop your exploit in the mail and let your friendly postal worker deliver it to your target's door. This newly named technique -- dubbed "warshipping" -- is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy, or when hackers drove up to TJX stores and stole customer data by breaking into the store's Wi-Fi network.

But security researchers at IBM's X-Force Red say it's a novel and effective way for an attacker to gain an initial foothold on a target's network. "It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal's location," wrote Charles Henderson, who heads up the IBM offensive operations unit.

This discussion has been archived. No new comments can be posted.

With Warshipping, Hackers Ship Their Exploits Directly To Their Target's Mail Room

Comments Filter:
  • by SuperKendall ( 25149 ) on Wednesday August 07, 2019 @04:33PM (#59059562)

    I had to ship some luggage ahead of me for a trip to Japan earlier this year, a small luggage tracking device lasted well over three weeks at the lowest power setting and I could see where it was most of the time, as well as where it ended up.

    So I could see if you wanted to know where someone at a company was physically located, you could ship something to some company address for a name you wanted to know about, then the company would forward along the package to the right address...

    But just thinking about all of the active network scanning tools you could pack into a box along with wireless connectivity to report back - wow.

    Although it seems like similar results could be had parking outside a business in a van, shipping a package in would be lots chapter and a less riskier way to accomplish the same thing. And it could maybe even get up to the executive level area if you did it right.

    I wonder if some companies have started scanning packages that arrive for signal emanation.

    • You make an interesting point. Remember the 2001 anthrax scare?

      Our mail room had a dedicated person to open mail. She wore gloves, a mask and I don't remember what all.

      • You make an interesting point. Remember the 2001 anthrax scare?

        I remember that also, and an interesting aspect of that is - how many mailrooms take that same precaution anymore?

        It seems like so many security precautions are fad based and die away eventually when news of an exploit fades into the past.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      You could ship a literal "blackbox" to any mail room of any multi-national and gain access to their network.

      I'm not suggestion this is incredibly doable, but there's a certain level of assumption that needs to exist:
      1. That the package will not be stolen in the first place
      2. That the package will have 3g/4g/5g access where it goes, many mail rooms are in the basement or warehouse area of a building and thus do not get cell reception
      3. That there is WiFi directly connected to the corporate network, in many c

      • stop outsourcing own the building as in some cases the BUILDING STAFF has access

      • I think you can probably ship a whole lot of actual computer products to corporate offices and get people to plug them in. Especially if you target branch offices, which in my experience tend to be less structured than corporate offices, as well as often under-resourced and would likely be more accepting of "free" computer stuff or office supplies.

        The jackpot would be getting a compromised small switch plugged in. You'd have power, direct ethernet access, probably the ability to sniff PC network traffic.

        I

    • by Anonymous Coward

      "I wonder if some companies have started scanning packages that arrive for signal emanation."

      At the private company where I worked before I retired, for AT LEAST the last 25 years, all incoming mail and packages are routinely scanned both via fluoroscope (like the X-Ray scanner at the airport) and for RF emissions at the receiving bay before they are allowed in the building. Depending on what is found determines the procedures that must be followed to retrieve the mail or package by the addressee.

    • /r/thathappened
  • by Anonymous Coward

    This is a good reason to have defense in depth. If a rogue device is in the mailroom and able to scan for WAPs, it might find out where it is physically located, but that is it. I don't really worry about a Raspberry Pi Zero W with a cell modem as a business crippling threat vector. If it is on Wi-Fi, it is using VPN and using 2FA, so at worst, the bad guy might have another open access point if they break the WPA-Enterprise there, but everything else is either one time passwords, or encrypted with seque

    • by Anonymous Coward

      The stupid thing is having your corporate networks on WiFi.

  • by fahrbot-bot ( 874524 ) on Wednesday August 07, 2019 @04:52PM (#59059688)
    Also known as HR.
  • Prediction (Score:5, Funny)

    by Thelasko ( 1196535 ) on Wednesday August 07, 2019 @05:07PM (#59059778) Journal
    This new attack vector will have IT security professionals shipping their pants!

    Thank you! I'll be here all week!

    Try the fish...

    I'll show myself out now...
  • by mentil ( 1748130 ) on Wednesday August 07, 2019 @05:29PM (#59059930)

    Proxying your mail shipments is a little more difficult than proxying network traffic. Otherwise, it's going to be known roughly where the package was shipped from, with you probably being in subpoena-able camera footage at a e.g. UPS Store dropping it off. If you use the USPS at all, you're opening yourself up to mail fraud charges, as well.
    Dropping a flash drive in a parking lot has plausible deniability, at the least, and a lower probability of encountering cameras.

    • by Anonymous Coward

      Very good point.

      Although, if you use the correct number of stamps on a small enough box you could drive to a rural mailbox with no cameras and put it in there.

    • If you think the only way to ship something is to drop it off at the depot, then you're living in the 80's.

      UPS and FedEx both have drop boxes at many businesses that are not under video surveillance.
      • UPS and FedEx both have drop boxes at many businesses

        Also a side point here, you could probably obtain a shipping account number from a large corporation and use that to pay for shipment, no-one would ever notice and payment could not be tied back to you.

        It would also lend a lot of authenticity to the package and help ensure it reached the area within the company you were hoping for,

    • there's plenty of shady companies that will be happy to "proxy" your mail shipments. They don't ask a lot of questions and are pretty close to untraceable. When I was in sales if somebody asked me to ship to a freight forwarder address we knew to stop then and there, but it wasn't easy to catch them all. Like I said, there's lots of them.
  • I knew that free router was too good to be true.

  • True, the TJ max "hack" was sitting in the parking lot - however the company used an un-encrypted wireless network for their point of sale devices...there wasn't any real "breaking" involved... candy from babies...
    • I was going to say, that's barely true. There was a kiosk in the store than had unfettered access to the entire TJX network. It wasn't on a isolated subnet or in a DMZ.

      https://www.informationweek.co... [informationweek.com]
      They definitely compromised the unsecured WiFi from across the street, not in the parking lot, but 2007 was a different time.
  • While there is a sort of obvious genius to an exploit like this (and a fair amount of 'FU' to the target), it's also more than a little bit desperate a tactic, I think, because they're sending physical evidence of their attack. You certainly could program the device to brick and completely wipe itself immediately upon performing it's primary function, but the actual device itself could potentially be traced back to the sender.
  • I enjoy the brazenness of this. I'd up the ante by shipping a full PC with a Post-It note saying "Plug me into network for happy fun time!" or just getting a large enough crate and shipping the hacker right into the building. Companies need to continually educate their employees on being on the lookout for suspicious behavior. Receiving a package, or an email, or a phone call, etc. from an unknown person needs to be given wariness that it might be an attack.
  • Build mail room inside faraday cage.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...