Warshipping: Attackers can access corporate networks through the mailroom

Most infosecurity professionals have heard of wardialing and wardriving, but what about warshipping?

The expression has been coined by IBM X-Force Red researchers to describe a new attack vector, which consists of covertly delivering to the target’s premises small devices that can be used to gain access to the home or office wireless network and assets connected to it.

The attack

“IBM X-Force Red is always looking to find vulnerabilities or risks before criminals, in order to stay one step ahead. We are currently using warshipping in our pentesting engagements, to help educate our customers about security blind spots and modern ways adversaries can disrupt their business operations or steal sensitive data,” Steve Ocepek, CTO at IBM X-Force Red, told Help Net Security.

“Warshipping is an attack vector no one has considered. A similar, but older tactic was historically used to mail users devices in an attempt to get them to manually plug them in. These devices spanned everything from USB drives to keyboards and electronic toys, however this tactic is less stealthy and easily detectable compared to our new attack.”

A warshipping attack takes advantage of the fact that, with the proliferation of online shopping, packets are constantly arriving at our doorsteps and in our corporate mailrooms. Hiding a tiny attack device in those is easy.

“The [attack] device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim,” Charles Henderson, Global Managing Partner of IBM X-Force Red, noted.

.

The warship device X-Force Red uses in their pentesting engagements is a disposable, lightweight, low-cost (<$100) and low-power single-board computer (SBC) that can run on a basic cell phone battery and has a 3G-enabled modem. "SBCs have some inherent limitations, such as the high amount of power they consume to operate, so we applied some clever hacks to turn them into low-power gadgets when active and power them off completely when dormant. Using an IoT modem, we were also able to keep these devices connected while in transit and communicate with them every time they powered on," Henderson explained. Once at the destination - a target’s front door, mailroom or loading dock - the device can be activated and remotely controlled by the pentesters/attackers. It can listen for handshake packets and transmit the captured hasheds to their servers, where they can crack the preshared key and effectively discover the Wi-Fi network's password. It can also be used to launch a deauthentication and an “evil twin” attack, tricking users into joining the attackers' decoy network and unknowingly share login credentials. "Once we broke in via the Wi-Fi access, we could then seek to pivot by exploiting existing vulnerabilities to compromise a system, like an employee’s device, and establish a persistent foothold in the network. With this ability to get back into a compromised network, attackers can move through it, steal sensitive employee data, exfiltrate corporate data or harvest user credentials," Henderson pointed out.

Protection against warshipping attacks

IBM X-Force Red advises organizations to avoid bringing packages into secure areas, dispose of empty boxes quickly to avoid lurking devices, and to consider a package scanning process for large mailrooms.

“Depending on the size and nature of the business, some physical security recommendations are better suited than others. While [the package scanning] suggestion is intended as an extra layer of precaution for companies of all sizes, for smaller businesses this can be a quick and effective way to identify packages that need to be vetted further manually,” Ocepek told Help Net Security.

“Think of this method like an x-ray which could potentially be used as the first line of defense in finding a device that was hidden somewhere in a larger package. At the enterprise level, this process could limit packages from going into sensitive area, creating a type of quarantine. By filtering out packages that are ‘cleared’, businesses can run a closer check on packages with electronic devices – similar to the baggage scanning processes in airports. This process wouldn’t seem out of the norm for larger, more secure facilities since similar methods are used to regularly monitor personnel – therefore, a comparable setup in the mailroom of the same location wouldn’t be unreasonable.”

Discouraging employees from shipping personal packages to the office is also an idea worth considering, Henderson noted.

Finally, educating users about the need to connect only to trusted wireless networks and opting for Wi-Fi authentication strategies that utilize certificates instead of preshared keys would also mitigate the risk of falling victim to a warshipping attack.