Black Hat IBM's X-Force hacking team have come up with an interesting variation on wardriving – you know, when you cruise a neighborhood scouting for Wi-Fi networks. Well, why not try using the postal service instead, and called it "warshipping," Big Blue's eggheads suggested earlier today.
To demonstrate this approach, the X-Force team built a low-power gizmo consisting of a $100 single-board computer with built-in 3G and Wi-Fi connectivity and GPS. It's smaller than the palm of your hand, and can be hidden in a package sent out for delivery to a target's business or home.
Once it arrives, it can be activated remotely over the internet, or when it detects it is near its destination using GPS. It can be instructed to scan for vulnerable networks to infiltrate – a la the TJX wireless hacking in the mid-2000s – or spoof nearby legit wireless networks to harvest passphrases from those connecting, or get up to other mischief over the air.
Any obtained information can be relayed back to base, over the internet, and it can be commanded to drill further into any networks it is able to break into, installing spyware as it goes. This widget is potentially potent as it passes through a business on its way to someone's desk.
"Think of the volume of boxes moving through a corporate mailroom daily," said Charles Henderson of IBM X-Force Red on Wednesday, just in time for this year's Black Hat USA conference in Las Vegas. "Or consider the packages dropped off on the porch of a CEO's home, sitting within range of their home Wi-Fi. Using warshipping, X-Force Red was able to infiltrate corporate networks undetected."
Henderson continued, describing how the gizmo could be deployed:
With our warship device, we could also launch other active wireless attacks, such as a deauthentication attack or “evil twin” Wi-Fi attack. By launching an evil twin Wi-Fi network, we could then set up a rogue Wi-Fi network with the warship device and coax our target to join our new decoy network. Our target would then divulge their true credentials (including username and password). This would provide us with further access that could be used for follow-up attacks against the enterprise wireless network.
Once we broke in via the Wi-Fi access, we could then seek to pivot by exploiting existing vulnerabilities to compromise a system, like an employee’s device, and establish a persistent foothold in the network. With this ability to get back into a compromised network, attackers can move through it, steal sensitive employee data, exfiltrate corporate data or harvest user credentials
Bottom line: In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target’s systems.
This warshipping has a number of advantages for hackers. For one thing, there's no need to suspiciously cruise a location; just send a box anonymously instead and control it from the comfort of your own home, er, cafe Wi-Fi via Tor.
So far, this gadget is only at the proof-of-concept stage, though in the future IBM predicts it could become popular with crafty snoops. We can well assume Big Blue is not the first to come up with this sort of idea: a cheap rooted Android phone could work just as well as the above described single-board computer – if not better because a smartphone is unlikely to raise many suspicions.
In any case, the IT titan recommends banning employees from shipping personal packages to their offices, thus easily allowing all parcels to be intercepted, and checking deliveries with a suitable radio frequency scanner. ®