The U.S. Postal Service processes and delivers 484.8 million mailpieces of first-class mail a day — roughly one-and-a-half mailpieces for every person in the U.S. — in a single day. That’s without accounting for the millions of shipments delivered through international couriers. On-demand, free and same-day delivery options mean that virtually anything is accessible at any time and can be sent straight to our doorstep. What most people don’t realize is that some packages they receive may be looking to steal personal or confidential information. And the proliferation of e-commerce-related package deliveries is exactly what cybercriminals can exploit with a tactic IBM X-Force Red is calling “warshipping.”

IBM X-Force Red investigated how cybercriminals might seek to exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone’s front door. Think of the volume of boxes moving through a corporate mailroom daily. Or, consider the packages dropped off on the porch of a CEO’s home, sitting within range of their home Wi-Fi. Using warshipping, X-Force Red was able to infiltrate corporate networks undetected. Our aim in doing so was to help educate our customers about security blind spots and modern ways adversaries can disrupt their business operations or steal sensitive data.

So, What Is Warshipping?

Warshipping is the evolution of artifact hacking methods such as wardialing and wardriving. These are all techniques that allow cybercriminals to infiltrate a network remotely. In the 1980s and 1990s, the age of dial-up internet, cybercriminals used wardialing to gain unauthorized access to networks by systematically calling a block of numbers until they landed on a weak system that they then could attack.

More recently, wardialing has been set aside for wardriving, the technique used behind the major TJX breach in 2005. By wardriving, the culprits drove around parking lots of TJX stores in Miami with basic wireless hardware in hand (and a full tank of gas), successfully infiltrating the corporate network and stealing tens of millions of customer data records, ultimately costing the company nearly $2 billion in financial losses associated with the breach.

The wardialing and wardriving techniques have limitations, however. These limitations include the amount of time it takes to perform wardialing and the suspicions that arise when a car is detected circling a block hundreds of times with an auspicious antenna and laptop in view.

Warshipping counters these limitations in many ways by using disposable, low-cost and low-power computers to remotely perform close-proximity attacks, regardless of a cybercriminal’s location. Adding to that, warshipping increases target accuracy dramatically. An attacker could control the device from the comfort of their home anywhere in the world. All a malicious actor needs to do is hide a tiny device (similar to the size of a small cell phone) in a package and ship it off to their victim to gain access to their network. In fact, they could ship multiple devices to their target location thanks to low build cost. The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.

Figure 1: A bare warship device before it’s hidden in a package element

Hacks and Crafts: A Warship Device

Technically speaking, a warshipping device is made up of a single-board computer (SBC). They are cheap, capable, networked computers that can run on a basic cell phone battery.

So, what can attackers do with them? At X-Force Red, we built these ready-for-delivery warshipping devices and found that not only are they cheap and small, but for an average cybercriminal, they’re also easy to build. SBCs have some inherent limitations, such as the high amount of power they consume to operate. Applying some clever hacks, we were able to turn these devices into low-power gadgets when active and power them off completely when dormant. Using an internet of things (IoT) modem, we were also able to keep these devices connected while in transit and communicate with them every time they powered on.

Using a command-and-control (C&C) server we created for the task, the devices we had set up securely checked for a specific file on the server to determine if they should stay on or go back to sleep. With off-the-shelf components, this do-it-yourself (DIY) “hacks and crafts” project can cost a cybercriminal under $100.

Once built, a warship device can perform wireless attacks simply by being shipped to someone and arriving on their desk or doorstep. While in transit, the device does periodic basic wireless scans, similar to what a laptop does when looking for Wi-Fi hotspots. It transmits its location coordinates via GPS back to the C&C server.

Once we see that a warship device has arrived at the target’s front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target’s wireless access. The goal of these attacks is to obtain data that can be cracked by more powerful systems in the lab, such as a hash. These hashes represent a very small amount of data that we can obtain over a warship’s 3G connection as the attack progresses.

Behold: A Warship on the Network

For this project, we chose to conduct a passive wireless attack by listening for packets that we could use to break into our victim’s systems. As an example, we listened for a handshake, a packet signaling that a device established a network connection. One of the warship devices transmitted the captured hash to our servers, which we then utilized on the backend to crack the preshared key, essentially the user’s wireless password, and gain Wi-Fi access.

With our warship device, we could also launch other active wireless attacks, such as a deauthentication attack or “evil twin” Wi-Fi attack. By launching an evil twin Wi-Fi network, we could then set up a rogue Wi-Fi network with the warship device and coax our target to join our new decoy network. Our target would then divulge their true credentials (including username and password). This would provide us with further access that could be used for follow-up attacks against the enterprise wireless network.

Once we broke in via the Wi-Fi access, we could then seek to pivot by exploiting existing vulnerabilities to compromise a system, like an employee’s device, and establish a persistent foothold in the network. With this ability to get back into a compromised network, attackers can move through it, steal sensitive employee data, exfiltrate corporate data or harvest user credentials

Bottom line: In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target’s systems.

How to Spot and Protect Against Warshipping Attacks

The warshipping technique can be especially lucrative to cybercriminals during seasons when package deliveries rise significantly, such as summer sales, Cyber Monday or a holiday season. It is quite common for employees to have their online orders shipped to their offices. This can cause great risks to an organization as packages (including incorrect packages) start piling up.

Having illustrated how relatively easy it is for warshipping to succeed, our team of offensive security specialists strongly encourages businesses to follow some common security best practices. Here are some tips that can help reduce the chances of a warshipping attack being successful:

  1. Treat your packages like you would treat a visitor. Would you let a visitor walk straight up to your chief financial officer’s desk? Just as security processes are in place for people, the same must apply to packages. Avoid bringing packages into secure areas and be sure to dispose of empty boxes quickly to avoid lurking devices.
  2. Set a package policy for employees. Discourage employees from shipping personal packages to the office — they may unwittingly be introducing security risks to the company. If such a policy is not an option, inspect all packages you receive for any unwelcome or unsolicited devices.
  3. Consider a package scanning process for large mailrooms. Organizations should inspect all incoming packages. If you’re expecting clothing or books, scanning can detect malicious tech-enabled devices.
  4. Only connect to trusted wireless networks. Avoid using rogue or suspicious wireless access points, and educate employees about these being high-risk hubs that increase attackers’ options for point of entry.
  5. Signal strength is not a security control; do not count on it. Counting on signal strength as a security measure is flawed. Businesses must secure their network’s signal strength as if it were a wireless technology in the middle of a metro area. In the case of Wi-Fi, make sure your organization uses a strong Wi-Fi Protected Access (WPA2) implementation. If you are using a non-wireless protocol, ensure you use strong encryption and additional controls as needed.
  6. Avoid using preshared keys in corporate environments. Use enterprise-grade wireless that has efficient security safeguards in place to provide additional security. For example, Wi-Fi authentication strategies that utilize certificates are becoming popular to go beyond a username and password. In some high-security wireless deployments, a virtual private network (VPN) using multifactor authentication (MFA) is utilized as a gateway to protect the internal network.
  7. Hire a hacking service. Work with a team of hackers such as X-Force Red to uncover and help fix known and unknown vulnerabilities in your organization. This includes testing applications, networks, physical security and people. Do this with a trusted team before a criminal does.

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today