Hacker News new | past | comments | ask | show | jobs | submit login
Hackers ship their exploits directly to their target’s mailroom (techcrunch.com)
256 points by lordqwerty 18 days ago | hide | past | web | favorite | 159 comments

Find someone who's out on leave for a while (just look for who's having a baby on IG) and ship the package to him/her! They won't discover it for weeks and you'll have plenty of time for your package to sit in the mailroom or on someone's desk. The danger is when the package is opened, the company may realize they've been hacked.

Or have it there permanently: Ship an executive a fancy illuminated globe or desk clock from the local "Chamber of Commerce". Put a camera and mic in there too to try to get passwords via audio or video surveillance. (Audio recordings of keyboards typing can be surprisingly effective if you have a big enough training set)

(On my way to DEFCON! See you all there!)

Or just give them a giant wooden carving of the US presidential seal: https://en.wikipedia.org/wiki/The_Thing_(listening_device)

given the cheapness and compactness of modern electronics any furniture can carry a factory (or during shipping) installed chip these days, even without getting into smart/cloud connected office tables and chairs territory. One can hope at least NSA X-rays their furniture :)

Even better if you integrate into something like a motorized standing desk, they'll plug it in for you.

Does that USB drive stick trick still work?

Yes, yes, it does

I very much doubt you could discover anything with X-rays. You can place whole device inside a screw or the circuit can be very thin with little to no metal etc.

I would assume it's becoming a a software war. You monitor all frequencies with SDR and try to shield as much as possible while on the offending side you try to push information on different frequencies and making it look a like like stuff that's already in the air.

You also don't even need to use RF. You can also use high-frequency audio to communicate to other devices, though I guess I'm not sure how you get it out of the building.

It has been said that covert agencies have monitored conversations through windows by measuring the acoustic vibrations with a laser. So maybe that will work, but I have no idea how well that works with higher frequencies outside of human perception.

Higher frequencies will get filtered out. They don't have the power to vibrate the glass unless it's very loud.

Cuban sounds as an [ultrasound intermodular distortion based] attack on electronics with humans seeming to be a side effect:


So sounds like you'd also want a room that can give off emp pulses to fry electronics that you can't see as a failsafe

Also discourages workers from bringing their phones into the office. Or their pacemakers.

I read somewhere years ago that they do. I don't remember where though, sorry.

Unrelated: WTF? I just had to do a reCAPTCHA on HN to log in!

One of the first pen testers I ever read pointed out that companies do (sometimes excessive) background checks on their staff all the time and then they outsource the cleaning crew. When I'm there during the day, there's only so much I could do without other people noticing. But here's a group with full access to an empty building full of your equipment for 10 hours a day.

People are going to come at you from your blindside, if they can find it. And if you consider a certain class of people invisible, then that's what a hacker wants to be.

Many companies treat the cleaning crew like trash. Unpredictable scheduling, no benefits, minimum wage pay combine to make it so a very small bribe would get an attacker into a building, where they could plant gear in the drop ceiling and more.

Doing right by your workers would go a long way towards plugging this vulnerability.

While you should always treat your employees well, I'm not talking about creating a disgruntled employee leading to problems.

The example given was a route someone could use to be invited into the building. Nothing is stopping you from being a blue collar worker, especially if you're willing to fake a work history.

I once stayed late and noticed a cleaner was wearing a polo from the company I used to work for. I asked him about it and it turned out he was an engineer and was filling in for his girlfriend who owned the cleaning business. Holy red flag! I made some noise and that cleaning company was let go.

Pro-tip for anyone that finds themselves in this situation when trying to steal another company's data - say you bought the shirt for 50c at a second hand store. That, or don't wear your company polo on an espionage mission.

Or just wear a boring flat grey shirt like all of the rest of the cleaning staff.

I'm not sure I see why the cleaning company was the problem.

Presumably, because they swapped to a non-approved person on their schedule.

"his girlfriend who owned the cleaning business"

He wasn't just some guy.

He was working for the cleaning business, though. If the company was letting in anyone who works for that cleaner without further investigation, that's their problem. That's the situation we were talking about upthread, so I assumed zcrackerz would have said something if it were different.

Where I work, each cleaner gets a badge, just like the engineers. Presumably she gave her badge to a random other person, aka her boyfriend, so he could let himself in. Nothing stops me from doing that as an engineer either, but it would absolutely be a firing offence if caught.

Yeah, I never understood that. At the first half sensitive job I had, the cleaning crew had access to all the computer rooms, including the server one. I had thought of trying to push my boss into using encryption for our emails but abandoned after realizing that.

I still believe it was dangerous to use gmail for the company emails when Google was one of our competitors in our niche.

And I think your belief is justified. Look at how many niche products people built on AWS and Amazon caught wind of their success and rolled out a competitor!

But I think this is not as cut and clear with an enterprise gmail account. Who really competes with Google? Amazon on the other hand competes with every retailer out there.

To corroborate that, I once helped a family friend clean banks in the middle of the night. That was her job. Far as I can tell, she was just the lowest bidder on it with a consistent work ethic. We had access to almost everything. Could've gotten to most of the computers. I told her as much with her laughing that it was ridiculous.

I left my iPod on the desk overnight once while working at a large international investment bank. It vanished, presumably lifted by the cleaners. Security were remarkably uninterested in this, refused to do anything whatsoever (including checking the CCTV) although they did ask me to give them the crime number if I reported it.

That's easy enough to explain...

First off, lying to office security carries fewer repercussions than lying to the police to get a crime number. The office security guys won't want to be party to someone else's vendetta (would you?)

Secondly - if you care enough to waste hours of your time filing a police report, then you must give a damn about your shiny-thing. If not... well you clearly don't care enough and it's not a problem, so goodbye.

Read that how you will...

A small company I once worked for employed a new firm of cleaners. Very good and conscientious for several months, right up to the night they loaded all the computer gear they could find on the premises into their van and disappeared. (After, of course, doing the cleaning and making sure they locked up afterwards)

I'm always amaze at how many computer screens/keyboards are visible from windows. It would be so easy to plant a webcam with some good optics on an opposite building and just get the passwords of the victim quite easily. you could have easily a few dozens of victims on a single company with a single camera.

I notice these things too, but at the end of the day the sad news is nothing so exotic is necessary. There are far easier ways to get what you need from a modern office with typical security hygiene.

> There are far easier ways to get what you need from a modern office with typical security hygiene.

Far easier than looking through a window? I'm curious to know! I've seen banks where it would be possible! I expect most of their software to be internal and accessed through a VPN when outside but still.

Well you'd usually need to work to get access to a room to look through the window, so that's not a given :)

I think sending a parcel like in this article, or leaving a USB stick lying around is often an easier task. Even if you window-surf some credentials you most likely can't use them unless you're on the internal network already. At least at my place of work you'd need a VPN token to make any use of my details unless you have physical access to plug in a cable.

> Well you'd usually need to work to get access to a room to look through the window, so that's not a given :)

There's plenty of ways to enter in many buildings without "working there". As long as the physical security there is lower (and there's a ton of reason why it could be) or that it's already open to the public.

> I think sending a parcel like in this article,

That only give you physical proximity. Unless they have bad wifi securities like that article said... that won't give much. People don't talk about password regularly ;).

> leaving a USB stick lying around is often an easier task

That's just hoping right there, Windows autorun hasn't been a thing for a long time, an USB keys that open a terminal is freaking obvious and most people know not to plug any random USB keys. That most probably won't works for any high ranking official.

Almost no one talk about making sure windows doesn't see keyboards though... or even screens, and you'll see that usually, people with higher ranks do have windows closeby ;) (the perks of the ranks).

This is a real problem. While I was working at XBox, we made giant pictures over the windows using colored post-it notes. I remember a really good pixel art megaman that was my favorite. Internal offices sometimes used newspapers to cover over the windows (but maybe that was just advertising, here's someone who works on something you want to see!).

Our company has extremely deeply tinted and reflective exterior windows that even at night (outside) with lights inside, you can barely see in if your face is 1" away from the glass.

That seems like a pretty good way to handle this vulnerability!

I was thinking about how hard managing this risk was and except removing all windows (which I hope everyone will agree is quite bad), it's hard to protect ourself against this issue from all angle and that's even knowing the issue and trying to handle it (which most people won't even do).

All the old TEMPEST stuff probably works great when you're _inside_ the target's building.

If my (granted, very limited and anecdotal) experience is anything to go by, rather than TEMPESTifying a whole building, one rather hardens specific rooms or areas inside it.

Oh, and in those rooms bringing your own stuff from the outside is not encouraged - to the extent that I was asked to leave my disposable coffee cup outside on one occasion.

Didn’t matter much - there was an approved and vetted Moccamaster inside.

Or ship it to the security team the week of DEFCON.

How would you be able to pull out any information out of an audio recording of keyboard typing? Wouldn't the training set differ between keyboards too? Sounds interesting it it worked, do you have any sources?

You get a week's worth of typing; you cluster the sounds; then based on statistical frequency analysis you decode which cluster maps to the spacebar and which to the letter 'x'; then you can transcribe the whole typing history and decide which of all that is a password.

Great plan, but we have to test it. Can you upload a sample dataset of you typing for 1 week so we can try this approach?

What's your address? I can send it on a usb key.

This is like a hacker chess match, and here I am all out of popcorn.

You can just mail it to

9800 Savage Rd. Suite 6272

Ft. Meade, MD 20755-6000

I have their dataset. Email me for details.

Can it be published? Happy to contribute bandwidth!

I think it was a joke

The illuminated globe example is much better than the one in the OP imo. The one in the OP isn't much different from parking a van outside the target office.

Seems like doing this with a rooted phone would be even sneakier. You've got everything you need built in: battery, modem, etc. When it eventually does get opened, the mailroom person is going to think "oh someone ordered a phone" instead of "holy shit, this bunch of wires and circuit boards is maybe a bomb and definitely something I should tell the police about".

The really nasty one is compromising the return supply chain. Many (especially unopened) returned electronic devices go right back into the supply chain. For many retailers it's literally a free attack to carry out, with the only downside being you don't get to pick your target (although you can probably get ok odds on a target population).

IDK. If they put it in a stuffed animal like the pic in the article, how many would rip it open to see what's inside?

But what is more suspicious - a phone nobody ordered or (in the worst case of discovery) a stuffed animal nobody ordered with custom electronics in it?

Just disguise your electronics to look like a voice box. Heck, you could even make it functional; microphone, speaker, and a tiny bit of software would make a convincing toy.

The Furby scare is back!

How likely are they to rip open a stuffed animal and find the electronics? Depends on the security level, and the weight.

One of my favorite security stories came from a well known security researcher who was asked to try to penetrate the computer system of a national research lab. On the day of the test he came in and logged in using his own credential and had full system access. Leaving everyone in the room stunned.

The system was made by DEC and DEC had the process of sending software updates by magnetic tape. This researcher had made a follow up meeting request and brought with them a tape that looked exactly like an update tape with label and all the trimmings. Further they dropped it on to a mail delivery cart that was already through the 'verify the mail' process. As a result the tape got delivered to the operators, they mounted it and installed the "updates." Of course that created an account the pentester used to log in.

Caught the customer by surprise of course, nobody likes to be surprised by the pentesters but it is always a good thing to have them find something rather than be penetrated.

The story (which has clearly stuck with me for a long time) left me with an appreciation for looking at things which aren't normally considered "part of the IT infrastructure" as part of the attack surface that needs to be protected.

Interesting - I too heard this story from Paul Karger (a noted security expert, sadly deceased). Paul's office was next to mine at IBM research and by talking to him, I realized I lacked the necessary level of paranoia to ever become a security expert :-)

Source, without all the TechCrunch "OMG Hackers" stuff:


Do everyone a favor, mister mod.

No thank you. The TC article is both entertaining and factual.

Why an attacker should spend 100$ , sending hardware to the target that could be potentially tracked following the path between the resellers, could transport evidences like fingerprints or DNA, using a telephone connection that could also be tracked when the same thing could be done with a good radio equipment and more discretion ? Anyway, I am the kind of guy that inspects the ATM praying to find out a skimmer to dissect, so if someone would send me all that cool stuff directly at home is welcome !

Moreover: battery. How many time a battery of reasonable dimensions could survive powering that kind of system ? exaggerating, 3 days without using a heavy use of the phone modem ? But let's say that in that time the attacker reach the target collecting WIFI keys that doesn't mean that he can compromise any PC or phone in the home network. So my advise is to send directly networking hardware compromised (i.e. an access point ) and, if your budget is 100$ , you can send a very nice piece of hardware to the target, avoiding that he throws all that stuff away (if he can't recycle all like me ). Again, if someone could send me a free, 100$ worth AP is welcome.

Think about the distance factor. Sure, you could get good radio stuff set up so that you don't have to be in the parking lot to break in and can avoid appearing suspicious on any surveillance cameras, but you still have to be within a few kilometers at most. With warshipping you can be across the planet.

Having done a handful of red teams our last concern was security cameras since most times no one looks at security footage until they’re already compromised.

Yeah but 'APTs' are generally shitty low end numbers-game attacks that target HR with terrible macro based malware to breach company perimeters.

Unless you're emulating nation state actors, your ideology of a 'red team' which focuses on physical access is a disservice to your client and your industry.

Red teams have less to worry about than actual hackers if they are identified post-facto on security footage.

Also, its easy to get a FedEx/UPS/DHL uniform and deliver a package yourself.

Just don't smile for the cameras.

Good point. noted !

>Once the warship locates a Wi-Fi network from the mail room or the recipient’s desk, it listens for wireless data packets it can use to break into the network. The warship listens for a handshake — the process of authorizing a user to log onto the Wi-Fi network — then sends that scrambled data over the cellular network back to the attacker’s servers, which has far more processing power to crack the hash into a readable Wi-Fi password.

Breaking a hash to obtain the Wi-Fi password? Surely this is impossible?

Not really, this is a known "vulnerability" with WPA2 and has been demonstrated to work a lot of times.


This is done completely offline once you have the handshake captured and can be easily scaled.

When I’ve been hired to do red teams we always use giant antennas and find a nice parking lot a few blocks away to capture the necessary handshakes. This works great even in downtown SF where the RF interference is absurd.

Yea, this ^. This attack approach is interesting but any company that's serious about security needs to realize that anything opened up on wifi is a big hole - this used to be more amusingly exploited by war-driving, just driving around a neighborhood looking for someone with an open network that spills out into the street so you could download the latest episode of friends.

I don't work in this sort of security and it seems terrifying, the social engineering side is especially crazy.

I used to do this as a kid in rural Texas, when we could only afford dial-up at the house and my parents didn't let me on the network very often. Good times! I'm terrified of the prospect now, but back then I really appreciated all my neighbors who ran unsecured wireless networks named "linksys"

The social engineering side is 100x the threat. Handshake brute forcing is a show pony trick.

Hacking obsolete protocols is shooting fish in a barrel.

Classy hackers hack modern protocols like WPA 3.


which nobody uses yet. last time I checked around a month ago there was only one WPA3 on WiGLE.

there are next to nil WPA3 fish in the barrel yet.

My friend did this with his neighbor's wifi (with their permission of course) just to see if he could. He got trial access to some super computers in the Google cloud (sorry I'm not more specific, just recollecting what he told me) and was able to crack with that horsepower in a day or so.

Your friend probably used the GPU enabled instances, which are absurdly efficient at generating WPA2 hashes.

If the password is a predictable, low-length alphanumeric password it’s not going to take long for something like a multi-GPU machine with some dictionaries to break it.

Well for wpa2 the minimum is 8 characters and that is 2.6 days on the largest AWS instance at a peak cost of around $1560 if you got a PMK packet and about 50x longer if you don't.

Maybe with a separate cellular antenna the device could capture all of the wifi data, communicate it to a server with more processing power and possibly break it there and communicate it back to the device.

That’s actually what the device in the article does.

> The device, which cost about $100 to build, was equipped with a 3G-enabled modem, allowing it to be remote-controlled so long as it had cell service.

> The warship listens for a handshake — the process of authorizing a user to log onto the Wi-Fi network — then sends that scrambled data over the cellular network back to the attacker’s servers, which has far more processing power to crack the hash into a readable Wi-Fi password.

It’s not uncommon for red teams to do something similar: pull a bunch of ciphertext and hashes from the target network, ship them off to their GPU farm at the office, wait for results.

Use Aircrack-ng. Doesn't require skill. The broken part is the handshake.

If it's not a strong hash and the protocol doesn't include salting, it's not impossible. Rainbow tables exist. And they really only need to find a collision. Wi-Fi protocols, especially WEP, have had vulnerabilities similar to this before. Similar in the sense that if you sniffed enough traffic you could figure out the password (don't recall the specific mechanisms - but this could be one).

It's unfair to say that there is no salting. The PMK is derived from the WiFi network name (SSID) as well as the password [1]. The SSID acts as a salt here. Not perfect as SSIDs are often not unique, but it's certainly better than no salting at all.

[1]: https://www.ins1gn1a.com/understanding-wpa-psk-cracking/

So stupid they don’t use the MAC as the salt.

I said "IF" there's no salting. In any case, I'd be less concerned about SSID's not being unique as I am about the fact that the SSID of a specific target is trivial to obtain and almost never changed.

> I'd be less concerned about SSID's not being unique as I am about the fact that the SSID of a specific target is trivial to obtain and almost never changed.

Salts don't need to be secret, only unique. In fact, in this case the unauthenticated client needs to be able to compute the PMK from the password alone, so you can't keep it on the AP.

This is why we have rainbow tables.

Rainbow tables don't work here because the password is salted.

A salt can't do it's job when it's reused.

There are WPA rainbow tables for common ssid's available online.

If your ssid is "Linksys" it takes only moments to look up a weak password.

There are numerous attacks to crack wifi hashes. In theory, a properly implemented hash should not be crackable -- but theory often does not match the real world.

No, any hash will be crackable, it just depends on how fast.

A well designed authentication protocol shouldn't expose any hashes to be cracked in the first place.

Sure -- if you define the heat death of the universe as "how fast".

You can't guarantee that, and keep reasonable performance, if humans are generating the PSK

I agree, but you can certainly build a system where humans don't generate the key.

Then how do humans share said key?

QR codes and NFC tags etc. are nice, but not supported everywhere.

If your network security relies on promixity for ultimate security, you've done something very wrong.

Yep. You can do the same thing sitting outside on the street with a high gain antenna. Or one of the many rarely updated, vulnerability-ridden Android phones that are inside the building in people pockets.

The difference being that you can send multiple packages all over the globe for reasonably cheap.

But you cannot ship yourself to said parking-lots that fast, cheap and never in parrallel.

This makes me think of an even more straightforward attack. How hard would it be to actually just ship them computer hardware and hope it makes it into the system?

I mean, if a package that looks like it came from NewEgg containing a router shows up, especially if it matches the type the company usually uses, which wouldn't be too hard to figure out, what are the chances it just gets tossed on a shelf to be used next time one is needed? Or do companies have sophisticated controls in place for something like that?

Or just leave a usb stick (really have it be a usb rubby ducky or bash bunny) in the parking lot. Someone will find it and be like "OH I wonder whose this is, it could be important, I better plug it in and found out." TaDa, you now have a shell to their network.

It's the opposite -- companies lack sophisticated controls and without impetus they'd just never get the item into teh right place to use the item.

Maybe if you shipped it at the same time someone was expecting it, you could get it to someone who knew what to do with it. Or ship it to the newegg/amazon warehouse to get mixed in with regular deliveries.

This is sort of what NSA did to Cisco routers...


Package everything up in a Kinesis Advantage.

Add one more item to the list of things to keep the Chief Security Officer up at night... though I've got to imagine this type of attack is at least a decade old even if it's only becoming well known right now. I've got to wonder if spear-phishers have been able to combine this type of attack with getting someone at a company to buy/accept and plug in some type of electronic novelty device...

Why even bother with a novelty? Send some USBs or even drop a few outside the building. Curiosity is a massive vulnerability

I work close to IT (being software) for a company ~400 people. We were doing a security audit and this is one of the things they tested. USB's were loaded up with curious sounding files that when opened alerted our IT department. It was shocking how many people picked up and used these random USB's they found laying around.

> It was shocking how many people picked up and used these random USB's they found laying around.

"Oh no some one lost their USB stick! I better plug it and try to figure out who so I can return it."

>curious sounding files

You left out the good part, what sort of file names did you use?

settlement_proposal.docx 2019-05-25_bachelor-party.mov GAME_OF_THRONES_S1E06.mp4 salaries.xlsx

IBM have a service to sell. Hence this 'fear'.

Real world attacks using this method?

Show me one.

It is like putting superglue in locks. In theory anyone could invest in $5 of superglue and put a large building out of business for a few hours. It doesn't happen. But if you were an IBM type of company you could offer this as a service to companies wanting to test their contingency plans. Seems that is what is going on here.

Agreed: this is an IBM "offensive operations unit" publicity piece. Key items from TFA:

* TFA quotes Charles Henderson, "who heads up the IBM offensive operations unit."

* "This newly named technique — dubbed “warshipping” — is not a new concept."

* "All of this could be done covertly without anyone noticing — so long as nobody opens the parcel."

A much more practical implementation of this attack vector is the "Malicious Raspberry Pi Power Strip" (article posted in 2012): https://hackaday.com/2012/10/04/malicious-raspberry-pi-power... Those could easily be shipped to end users who would be pretty likely to plug it in. Add a note in the box "from" the IT department and I bet it gets a very high percentage success rate.

That hackaday article has a great comment at the bottom

> One time I had a colony of ants build up inside an APC UPS. Every day, the system would make a little popping sound, then switch to battery inversion for about two seconds, then switch back to mains. For the longest time I was baffled.

> Then one day I noticed some ants making a trail and investigated. It was crazy how many ants were living inside it. Apparently, every once in a while an ant would come too close to crossing the AC wires and the power would short through it, killing the ant instantly and causing the protection circuit to put it on battery.

> I find myself wondering if a similar ant infestation would destroy the RasPi.


I don't know why you're getting down voted but this is exactly what I was about to post. It's a piece to hire IBM's X-force. I can understand if these where spotted in the wild. If anything, they have given ideas to attackers. ;) But what do they care, the more vector of attack the money there's money for the security company to make.

The WiFi network is an interesting attack vector, although I've seen lots of places that don't have wifi setup with direct internal network access, only for internet access. That could limit the effectiveness of the warship somewhat.

When I started the article the first it came to me was that, once that package actually arrived at someone's desk, the main goal of the attackers would be to exploit Bluetooth attack vectors, where you can actually snoop at user/passwords, take control of devices or event plug the warship as a keyboard and deploy malicious code into the internal PCs.

For some of the bluetooth attack vectors, the warship wouldn't even need the cell network access and a call home, just a powerful bluetooth antenna should suffice.

Presumably WiFi hijacking would get you access to a lot of systems at a lot of places, but it does seem like the most intriguing targets (and those most hardened against other attacks) are least likely to be susceptible.

But now I wonder how many other attacks can be launched from a sealed box in a mailroom. Van Eck phreaking will get you a decent image off an LCD monitor from 10+ meters away through multiple interior walls, and can survive significant channel noise. Other side-channel attacks can directly pick up keys during decryption, though the proofs are short-range and it's not clear whether increasing device size/power would boost that.

It'd be tricky and expensive to arrange, especially with the risk of ending up pointed in a boring direction. But it seems like an absolutely wild idea for remote access to the contents of even air-gapped monitors.

Right. Or just ship a free, already compromised monitor. A free 32-inch 4K monitor could quickly find itself attached to pretty interesting places.

24/7 power, a platform to mount attacks via Bluetooth, WiFi, microphone, integrated USB hub, and heck, aren't the new monitors often attached to Thunderbolt, which is almost the same as PCIe. And even in case it's not Thunderbolt, it's likely going to be USB-C — not too shabby for evil keyboard emulation, memory sticks, fake ethernet adapters etc.

Perfect visibility to keyboards as well.

3G for return channel.

Throwing USB sticks on the ground seems to work well also. https://www.wired.com/2011/06/the-dropped-drive-hack/

> The researchers developed a proof-of-concept device — the warship, which has a similar size to a small phone — into a package and dropped it off in the mail. The device, which cost about $100 to build, was equipped with a 3G-enabled modem, allowing it to be remote-controlled so long as it had cell service. With its onboard wireless chip, the device would periodically scan for nearby networks — like most laptops do when they’re switched on — to track the location of the device in its parcel.

This is beyond belief to me and an example of why there are more security breaches than would happen if everyone out there (security researcher in particular and ironic) wasn't eager for their glory of discovering an exploit that very well might have taken years to uncover if at all.

So they come up with an idea, create and proof of concept, then they publicize it so that actual hackers can be turned on to a new idea under the guise that they are going to prevent a problem so that people can protect against it.

> “If we can educate a company about an attack vector like this, it dramatically reduces the likelihood of the success of it by criminals,” Henderson said.

Like all the other similar 'research' it completely ignores that it is also educating people who will now know of the exploit and it will give them ideas on what can be done.

We're in a predator-prey relationship. And the stakes are enormous. You can bet something like this actually has been done in the wild before. In fact, governments do things like this regularly. The only question is if it's worth your effort to protect yourself from it.

That seems like a lot of hassle and a pretty big federal crime for only being able to attack Wi-Fi networks. Why not just park your car outside and use a laptop?

How long can you sit outside a company running Kali Linux and a high gain antenna array before you attract attention? If you ship someone on the DevOps team a WiFi-connected plush toy that listens for webhooks from your CI/CD platform to make happy/sad noises when the build passes/fails -- AND THEY PLUG IT IN AND LEAVE IT ON -- then the ability to have passive access to the network for a long period of time will be less noticed.

The example of the WiFi connected stuffed animal listening for webhooks isn't a made-up example -- I read a blog post about that years ago. Some team had a "build bunny" whose ears perked up and made happy noises when the build passed and the ears drooped and made a sad trombone noise when builds failed. The thing is already RF-active... would anyone break out a spectrum analyzer to notice if the thing was also transmitting/receiving on LTE and not just WiFi?

There was also, The Thing which was a gift from Young Pioneer organization of the Soviet Union to Ambassador Harriman in 1945. It was discovered to be a passive listening device seven years later.


I suspect way longer than you think. Ten of thousands of small businesses don't pay attention to that stuff.

A typical SUV or minivan with tinted windows that only parks there during business hours probably wouldn't attract much attention if the business was large enough that no one knew everyone that worked there. Integrate the yagi antenna into some part of the car like a bike rack or hide it inside a plastic roof carrier. Show up around the time that people are starting to come in so you can get a good spot for the antenna and leave when everyone else does.

But this device won't work for more than a few days anyway.

Just piggyback it onto something the recipient would want to plug in. Problem solved.

You don't even have to be in the same country as your target. You can ship with a fake source and be pretty much invisible.

Using repurposed used hardware, this can also be crazy cheap.

Fun idea: buy junk vendor swag (stuffed animal, glass globe, etc) off of ebay in bulk, then mail it to people you know have recently left the company (say, from scanning LinkedIn). They'll probably keep the package around for a while before disposing of it. Or even better, someone else claims it as 'free swag,' and keeps it in the office.

Maybe it'll stay in there a long time: https://en.wikipedia.org/wiki/The_Thing_(listening_device)

Extra points: make it something powered (like a clock) and make them plug it in. Battery charge for initial scan, and if you get lucky, they'll recharge the battery by plugging in the device.

Or drop off a solar powered Pineapple [1] on the roof with a drone and maybe an extra battery. Assuming you are in the same geographic area, that is.

[1] - https://shop.hak5.org/products/wifi-pineapple

If you can't enter a country or a facility, the mail usually can.

Am I missing something or does this depend on the company having a WiFi network that's connected to the company's normal internal network and its only authentication is an somewhat insecure Wifi password?

Because I would think that's a very uncommon case, everywhere I've worked either didn't have WiFi or the WiFi was a completely external network.

There are companies with offices that have no Ethernet wiring, where WiFi is the only network. Some of them write software. (The last time $DAYJOB was office-shopping, there was one candidate space then occupied by, I think, a games developer which ran exclusively on WiFi; the cost and time required to wire the place up was one reason we wound up going elsewhere.)

This seems to be more self aggrandizement than something new. Like several have said, you can buy a off the shelf cell phone and do this with some code. This attack is only on wifi, and most companies don't place confidential or enterprise systems on wifi. Yes there are exceptions, but just pulling up to the side of a building would probably give you the same access to their wifi.

This could be really fun for people who live in apartment complexes. Break your neighbor's wifi by using this little, no-fuss box.

You could probably make a killing selling these for $100 - 200 on Etsy or something.

Only the main question remains: why do you need this if you could simply crack your neighbour's wifi by using a high-gain antenna hidden behind the walls of your own flat?

This comment reminds me of the initial response to Dropbox [1]. Sure, you or I, a very technical group, could set this up manually. But I was suggesting you manufacture, or part together a very simple box. The idea is this would be easy for non-technical people to get their wifi. Basically, plug in this box and in 30 days, you will have your neighbor's wifi password.

[1]: https://news.ycombinator.com/item?id=8863

Nah. You don't get it, still.

What I am asking is: how is this device better than another (used-friendly, packaged) device, that can work from your own flat? Moreover, selling that device with a high-gain antenna isn't any more against user-friendliness that selling a few boards you're supposed to hide yourself.

Sending a device to your neighbour is essentially a liability. A liability that, compared to simply listening to the traffic of your neighbour - can easily give the enforcement agencies enough material to lock you up.

The truth is that hiding the same device inside something else should be done by the user, because the moment you start putting those into a specific model of a plush bear, the picture of that plush bear will immediately appear in security advisories.

Could you look at the wireless MAC, contact the manufacturer, figure out where it was sold, contact the seller, and ask for sales records?

Guess it wouldn't prevent people from buying on craigslist.

MAC addresses are trivially configurable in software.

Even if they weren't, its easy enough to buy random $5 wifi enabled dev boards from Aliexpress or somewhere similar, where detailed records tracing individual boards from manufacturer -> distributor -> reseller -> user are highly unlikely to exist.

You could try, but I imagine most manufacturers/stores wouldn't give that info out to non-police. And some places might not even give it out to police without a legal warrant.

Mailing a bunch of "free" and "promotional" USB drives, prepared with zero-day malware, would probably work too. Especially if it was official looking.

zero-day malware probably makes malware writing sound difficult. Bypassing fingerprint-based scanners is reasonably easy with the use of 'packers' (which can be bought from hacker markets for pretty cheap, or built pretty easily). Bypassing heuristic based scanners is a little more research-intensive[1], but some 'packers' do this too.


This is to break into wifi that doesn't leak outside the building?

Less effort to just ship a mobile phone there I'd imagine.

Love to see Adafruit parts in real-world payloads!!!

I had an idea to do exactly this but I never did it

Careful. The Norwegian postal service almost ripped me a new one for having the gall to ship a microcontroller, a thermometer and a couple of accelerometers to myself; apparently, buried somewhere deep in some regulation is the fact that shipping live datalogging equipment is a big no-no. Their legal department assured me this was par for the course for UPI (International Postal Union) menber countries.

Among the observations I made was that the tallest drop a package had to endure going through the sorting machine in Trondheim was 62cm (2ft).

> Among the observations I made was that the tallest drop a package had to endure going through the sorting machine in Trondheim was 62cm (2ft).

And now you know why live datalogging is forbidden, it exposes the possibility of finding out how negligent the postal workers are.

How did they discover you were shipping that stuff?

I stupidly thought they'd find the idea amusing, so I sent them a copy of the write-up I did afterwards. (School project.)

They were not amused.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact