Sean Gallagher* says testers have shown that for less than $100, compact hardware can turn a shipped package into a Trojan horse for attacks.
Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients’ networks before less friendly attackers exploit them.
But in recent tests by IBM’s X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren’t aware they were exposed until they got the bad news in report form.
That’s because the people at X-Force Red put a new spin on sneaking in — something they’ve dubbed “warshipping”.
Using less than $100 worth of gear, the X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer dropped into a shipping box or embedded in objects such as a stuffed animal or plaque.
We’ve looked at such devices, typically referred to as “drop boxes,” before.
Covert drop boxes have taken the form of “wall wart” device chargers, Wi-Fi routers, and even power strips.
And mobile devices have also been brought into play, allowing “war walking” — attacks launched remotely as a device concealed in a bag, suitcase, or backpack is carried nonchalantly into a targeted location.
But Charles Henderson, IBM X-Force Red Global Managing Partner and Head, told Ars that you can just let a shipping company do the work for you.
“The thing that’s cool about this is, this is the wall of the box,” Henderson said.
“It can be easily built into the cardboard.”
“If you get a phone shipped to you, you’re suspicious of it.”
“If you get a box or maybe a plaque that says you’re the new CISO of the year, you might not.”
The plaque might just go right up on the wall.
“Put a $13 solar charger panel on the plaque, and that makes it a permanent fixture in a CISO’s office.”
The hardware has also been planted in a stuffed animal and even inside the case of a normal Wi-Fi router.
Signals everywhere
The near-ubiquity of some kind of cellular signal and the advent of Internet of Things (IoT) cellular modems have also created a new set of security concerns for those targeted for industrial espionage and other criminal activity.
Henderson emphasises that in each case, his team had permission from someone with authority at each company that received a “warship.”
But the companies weren’t widely warned about what was coming.
“When we talked to the CSO or the CFO and got permission, we said, ‘OK, don’t tell anybody.’”
And with the exception of one shipment — which failed mostly because of rough handling — every one of the cardboard Trojan horses was welcomed with open arms.
Express hack delivery
One “warshipping” box sent out by Henderson’s team found its way into a company’s secure research centre — a place where mobile phones are banned.
The rig, capable of storing data on an SD card until it regains a mobile connection, was able to perform reconnaissance inside the facility and then dump the collected data back home when the box was disposed of.
“It went where they have RF shielding, where no package like this should go,” Henderson said.
But because the warshipping rig was concealed within the cardboard of the box itself, it was given unfettered access.
All of this is well within the grasp of many attackers.
“It’s off-the-shelf components,” said Steve Ocepek, X-Force Red’s Hacking CTO.
The most expensive component of the rig is the cellular modem.
While the hardware is inexpensive, X-Force Red also invested hours in modifying the software used to make it work in a low-power environment.
“So, there’s a lot going on here to make it work in this way, low power. But it’s doable,” Ocepek said.
And if they could do it, he suggested, so could just about any determined attacker.
Road worrier
The rig's check-in every two hours doesn’t just let the team know when the package gets to its destination.
It has also yielded some “weird unintended consequences,” Ocepek said.
“They’ve turned into our own ‘wardriving’” — a mobile survey of Wi-Fi access points along the path of the shipment.
While en route, the warshipping rig picks up all the networks around it.
It can even pick up the in-flight Wi-Fi of aircraft.
“Every time it turns on, you get all the access points that are around wherever it’s at,” Ocepek explained.
“So if you wanted to war drive in an area … you could send this through a carrier network and basically have it do it for you.”
That includes overseas locations, “no passport required,” said Henderson.
“And the great thing is, that now with modern shipping mechanisms, you can actually predict where your package is going to be on a given day.”
“So, if I want to war drive, say, downtown London, I could ship a package to London and have it turn on on delivery day.”
More than just a good listener
The hack in the box can do more than just sniff for networks.
Since it’s essentially just a platform, other sensors can be added to it, with interesting consequences.
Henderson had me pick a box up for demonstration.
“If you were wearing an RFID badge, where would it be right now?”
The answer, of course, was right up against the box — where a low-cost software-defined radio could read and clone the data in it for an attacker to create a counterfeit access badge.
And the box could be shipped to a specific person just to target their physical access credentials.
The method can also be used for offensive operations.
Henderson said that when IBM shipped a device to a financial services company, “they said, ‘OK, what do you see?’ And we said, ‘We see three access points.’”
One of them was not supposed to be there, and Henderson said the CISO at the company told him, “I’m going to need you to attack that one.”
The point of these exercises, Henderson said, was to get companies to “start considering packages untrusted in the same way that you would consider email or USB keys.”
If you eye that next Amazon box that arrives at the office a little more suspiciously, well, mission accomplished.
* Sean Gallagher is Ars Technica’s IT and National Security Editor. He tweets at @thepacketrat.
This article first appeared at arstechnica.com.