
IBM have a service to sell. Hence this 'fear'.

Real world attacks using this method?

Show me one.

It is like putting superglue in locks. In theory anyone could invest in $5 of superglue and put a large building out of business for a few hours. It doesn't happen. But if you were an IBM type of company you could offer this as a service to companies wanting to test their contingency plans. Seems that is what is going on here.

Agreed: this is an IBM "offensive operations unit" publicity piece. Key items from TFA:

* TFA quotes Charles Henderson, "who heads up the IBM offensive operations unit."

* "This newly named technique — dubbed “warshipping” — is not a new concept."

* "All of this could be done covertly without anyone noticing — so long as nobody opens the parcel."

A much more practical implementation of this attack vector is the "Malicious Raspberry Pi Power Strip" (article posted in 2012): https://hackaday.com/2012/10/04/malicious-raspberry-pi-power... Those could easily be shipped to end users who would be pretty likely to plug it in. Add a note in the box "from" the IT department and I bet it gets a very high percentage success rate.

That Hackaday article has a great comment at the bottom:

> One time I had a colony of ants build up inside an APC UPS. Every day, the system would make a little popping sound, then switch to battery inversion for about two seconds, then switch back to mains. For the longest time I was baffled.

> Then one day I noticed some ants making a trail and investigated. It was crazy how many ants were living inside it. Apparently, every once in a while an ant would come too close to crossing the AC wires and the power would short through it, killing the ant instantly and causing the protection circuit to put it on battery.

> I find myself wondering if a similar ant infestation would destroy the RasPi.


I don't know why you're getting downvoted but this is exactly what I was about to post. It's a piece to hire IBM's X-Force. I can understand if these were spotted in the wild. If anything, they have given ideas to attackers. ;) But what do they care, the more vectors of attack, the more money there is for the security company to make.
