Or have it there permanently: Ship an executive a fancy illuminated globe or desk clock from the local "Chamber of Commerce". Put a camera and mic in there too to try to get passwords via audio or video surveillance. (Audio recordings of keyboards typing can be surprisingly effective if you have a big enough training set)
(On my way to DEFCON! See you all there!)
I would assume it's becoming a software war. You monitor all frequencies with SDR and try to shield as much as possible, while on the offending side you try to push information on different frequencies and make it look like stuff that's already in the air.
It has been said that covert agencies have monitored conversations through windows by measuring the acoustic vibrations with a laser. So maybe that will work, but I have no idea how well that works with higher frequencies outside of human perception.
Unrelated: WTF? I just had to do a reCAPTCHA on HN to log in!
People are going to come at you from your blindside, if they can find it. And if you consider a certain class of people invisible, then that's what a hacker wants to be.
Doing right by your workers would go a long way towards plugging this vulnerability.
The example given was a route someone could use to be invited into the building. Nothing is stopping you from being a blue collar worker, especially if you're willing to fake a work history.
He wasn't just some guy.
I still believe it was dangerous to use gmail for the company emails when Google was one of our competitors in our niche.
First off, lying to office security carries fewer repercussions than lying to the police to get a crime number. The office security guys won't want to be party to someone else's vendetta (would you?)
Secondly - if you care enough to waste hours of your time filing a police report, then you must give a damn about your shiny-thing. If not... well you clearly don't care enough and it's not a problem, so goodbye.
Read that how you will...
Far easier than looking through a window? I'm curious to know! I've seen banks where it would be possible! I expect most of their software to be internal and accessed through a VPN when outside but still.
I think sending a parcel like in this article, or leaving a USB stick lying around is often an easier task. Even if you window-surf some credentials you most likely can't use them unless you're on the internal network already. At least at my place of work you'd need a VPN token to make any use of my details unless you have physical access to plug in a cable.
There are plenty of ways to enter many buildings without "working there", as long as the physical security there is lower (and there are a ton of reasons why it could be) or it's already open to the public.
> I think sending a parcel like in this article,
That only gives you physical proximity. Unless they have bad wifi security like that article said... that won't give you much. People don't talk about passwords regularly ;).
> leaving a USB stick lying around is often an easier task
That's just hoping right there. Windows autorun hasn't been a thing for a long time, a USB key that opens a terminal is freaking obvious, and most people know not to plug in random USB keys. That most probably won't work on any high-ranking official.
Almost no one talks about making sure windows don't see keyboards though... or even screens, and you'll see that usually people with higher ranks do have windows close by ;) (the perks of rank).
I was thinking about how hard managing this risk is, and except for removing all windows (which I hope everyone will agree is quite bad), it's hard to protect ourselves against this issue from all angles, and that's even knowing about the issue and trying to handle it (which most people won't even do).
Oh, and in those rooms bringing your own stuff from the outside is not encouraged - to the extent that I was asked to leave my disposable coffee cup outside on one occasion.
Didn’t matter much - there was an approved and vetted Moccamaster inside.
9800 Savage Rd. Suite 6272
Ft. Meade, MD 20755-6000
The system was made by DEC and DEC had the process of sending software updates by magnetic tape. This researcher had made a follow up meeting request and brought with them a tape that looked exactly like an update tape with label and all the trimmings. Further they dropped it on to a mail delivery cart that was already through the 'verify the mail' process. As a result the tape got delivered to the operators, they mounted it and installed the "updates." Of course that created an account the pentester used to log in.
Caught the customer by surprise, of course. Nobody likes to be surprised by the pentesters, but it is always a good thing to have them find something rather than be penetrated.
The story (which has clearly stuck with me for a long time) left me with an appreciation for looking at things which aren't normally considered "part of the IT infrastructure" as part of the attack surface that needs to be protected.
Do everyone a favor, mister mod.
Moreover: battery. How long could a battery of reasonable dimensions survive powering that kind of system? Exaggerating, 3 days without heavy use of the phone modem? But let's say that in that time the attacker reaches the target and collects WiFi keys; that doesn't mean he can compromise any PC or phone on the home network. So my advice is to send compromised networking hardware directly (i.e. an access point), and if your budget is $100, you can send a very nice piece of hardware to the target, avoiding him throwing all that stuff away (if he can't recycle it all like me). Again, if someone could send me a free $100 AP, that's welcome.
Unless you're emulating nation state actors, your ideology of a 'red team' which focuses on physical access is a disservice to your client and your industry.
Breaking a hash to obtain the Wi-Fi password? Surely this is impossible?
This is done completely offline once you have the handshake captured and can be easily scaled.
I don't work in this sort of security and it seems terrifying, the social engineering side is especially crazy.
Classy hackers hack modern protocols like WPA 3.
There are next to nil WPA3 fish in the barrel yet.
> The device, which cost about $100 to build, was equipped with a 3G-enabled modem, allowing it to be remote-controlled so long as it had cell service.
> The warship listens for a handshake — the process of authorizing a user to log onto the Wi-Fi network — then sends that scrambled data over the cellular network back to the attacker’s servers, which has far more processing power to crack the hash into a readable Wi-Fi password.
It’s not uncommon for red teams to do something similar: pull a bunch of ciphertext and hashes from the target network, ship them off to their GPU farm at the office, wait for results.
Salts don't need to be secret, only unique. In fact, in this case the unauthenticated client needs to be able to compute the PMK from the password alone, so you can't keep it on the AP.
There are WPA rainbow tables for common ssid's available online.
If your ssid is "Linksys" it takes only moments to look up a weak password.
A well designed authentication protocol shouldn't expose any hashes to be cracked in the first place.
QR codes and NFC tags etc. are nice, but not supported everywhere.
But you cannot ship yourself to said parking lots that fast, that cheaply, and never in parallel.
I mean, if a package that looks like it came from NewEgg containing a router shows up, especially if it matches the type the company usually uses, which wouldn't be too hard to figure out, what are the chances it just gets tossed on a shelf to be used next time one is needed? Or do companies have sophisticated controls in place for something like that?
Maybe if you shipped it at the same time someone was expecting it, you could get it to someone who knew what to do with it. Or ship it to the newegg/amazon warehouse to get mixed in with regular deliveries.
"Oh no, someone lost their USB stick! I better plug it in and try to figure out who so I can return it."
You left out the good part, what sort of file names did you use?
Real world attacks using this method?
Show me one.
It is like putting superglue in locks. In theory anyone could invest in $5 of superglue and put a large building out of business for a few hours. It doesn't happen. But if you were an IBM type of company you could offer this as a service to companies wanting to test their contingency plans. Seems that is what is going on here.
* TFA quotes Charles Henderson, "who heads up the IBM offensive operations unit."
* "This newly named technique — dubbed “warshipping” — is not a new concept."
* "All of this could be done covertly without anyone noticing — so long as nobody opens the parcel."
A much more practical implementation of this attack vector is the "Malicious Raspberry Pi Power Strip" (article posted in 2012):
https://hackaday.com/2012/10/04/malicious-raspberry-pi-power... Those could easily be shipped to end users who would be pretty likely to plug it in. Add a note in the box "from" the IT department and I bet it gets a very high percentage success rate.
> One time I had a colony of ants build up inside an APC UPS. Every day, the system would make a little popping sound, then switch to battery inversion for about two seconds, then switch back to mains. For the longest time I was baffled.
> Then one day I noticed some ants making a trail and investigated. It was crazy how many ants were living inside it. Apparently, every once in a while an ant would come too close to crossing the AC wires and the power would short through it, killing the ant instantly and causing the protection circuit to put it on battery.
> I find myself wondering if a similar ant infestation would destroy the RasPi.
When I started the article, the first thing that came to me was that, once that package actually arrived at someone's desk, the main goal of the attackers would be to exploit Bluetooth attack vectors, where you can actually snoop on users/passwords, take control of devices, or even plug the warship in as a keyboard and deploy malicious code onto the internal PCs.
For some of the bluetooth attack vectors, the warship wouldn't even need the cell network access and a call home, just a powerful bluetooth antenna should suffice.
But now I wonder how many other attacks can be launched from a sealed box in a mailroom. Van Eck phreaking will get you a decent image off an LCD monitor from 10+ meters away through multiple interior walls, and can survive significant channel noise. Other side-channel attacks can directly pick up keys during decryption, though the proofs are short-range and it's not clear whether increasing device size/power would boost that.
It'd be tricky and expensive to arrange, especially with the risk of ending up pointed in a boring direction. But it seems like an absolutely wild idea for remote access to the contents of even air-gapped monitors.
24/7 power, a platform to mount attacks via Bluetooth, WiFi, microphone, integrated USB hub, and heck, aren't the new monitors often attached to Thunderbolt, which is almost the same as PCIe. And even in case it's not Thunderbolt, it's likely going to be USB-C — not too shabby for evil keyboard emulation, memory sticks, fake ethernet adapters etc.
Perfect visibility to keyboards as well.
3G for return channel.
This is beyond belief to me, and an example of why there are more security breaches than there would be if everyone out there (security researchers in particular, ironically) wasn't eager for the glory of discovering an exploit that very well might have taken years to uncover, if at all.
So they come up with an idea, create a proof of concept, then publicize it so that actual hackers can be turned on to a new idea, under the guise that they are going to prevent a problem so that people can protect against it.
> “If we can educate a company about an attack vector like this, it dramatically reduces the likelihood of the success of it by criminals,” Henderson said.
Like all the other similar 'research' it completely ignores that it is also educating people who will now know of the exploit and it will give them ideas on what can be done.
The example of the WiFi connected stuffed animal listening for webhooks isn't a made-up example -- I read a blog post about that years ago. Some team had a "build bunny" whose ears perked up and made happy noises when the build passed and the ears drooped and made a sad trombone noise when builds failed. The thing is already RF-active... would anyone break out a spectrum analyzer to notice if the thing was also transmitting/receiving on LTE and not just WiFi?
Using repurposed used hardware, this can also be crazy cheap.
Fun idea: buy junk vendor swag (stuffed animal, glass globe, etc) off of ebay in bulk, then mail it to people you know have recently left the company (say, from scanning LinkedIn). They'll probably keep the package around for a while before disposing of it. Or even better, someone else claims it as 'free swag,' and keeps it in the office.
Maybe it'll stay in there a long time: https://en.wikipedia.org/wiki/The_Thing_(listening_device)
Extra points: make it something powered (like a clock) and make them plug it in. Battery charge for initial scan, and if you get lucky, they'll recharge the battery by plugging in the device.
 - https://shop.hak5.org/products/wifi-pineapple
Because I would think that's a very uncommon case, everywhere I've worked either didn't have WiFi or the WiFi was a completely external network.
You could probably make a killing selling these for $100 - 200 on Etsy or something.
What I am asking is: how is this device better than another (user-friendly, packaged) device that can work from your own flat? Moreover, selling that device with a high-gain antenna isn't any more against user-friendliness than selling a few boards you're supposed to hide yourself.
Sending a device to your neighbour is essentially a liability. A liability that, compared to simply listening to the traffic of your neighbour - can easily give the enforcement agencies enough material to lock you up.
The truth is that hiding the same device inside something else should be done by the user, because the moment you start putting those into a specific model of a plush bear, the picture of that plush bear will immediately appear in security advisories.
Guess it wouldn't prevent people from buying on craigslist.
Even if they weren't, it's easy enough to buy random $5 wifi-enabled dev boards from Aliexpress or somewhere similar, where detailed records tracing individual boards from manufacturer -> distributor -> reseller -> user are highly unlikely to exist.
Among the observations I made was that the tallest drop a package had to endure going through the sorting machine in Trondheim was 62cm (2ft).
And now you know why live datalogging is forbidden, it exposes the possibility of finding out how negligent the postal workers are.
They were not amused.