The U.S. Postal Service processes and delivers 484.8 million mailpieces of first-class mail a day — roughly one-and-a-half mailpieces for every person in the U.S. — in a single day. That’s without accounting for the millions of shipments delivered through international couriers. On-demand, free and same-day delivery options mean that virtually anything is accessible at any time and can be sent straight to our doorstep. What most people don’t realize is that some packages they receive may be looking to steal personal or confidential information. And the proliferation of e-commerce-related package deliveries is exactly what cybercriminals can exploit with a tactic IBM X-Force Red is calling “warshipping.”

IBM X-Force Red investigated how cybercriminals might seek to exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone’s front door. Think of the volume of boxes moving through a corporate mailroom daily. Or, consider the packages dropped off on the porch of a CEO’s home, sitting within range of their home Wi-Fi. Using warshipping, X-Force Red was able to infiltrate corporate networks undetected. Our aim in doing so was to help educate our customers about security blind spots and modern ways adversaries can disrupt their business operations or steal sensitive data.

So, What Is Warshipping?

Warshipping is the evolution of artifact hacking methods such as wardialing and wardriving. These are all techniques that allow cybercriminals to infiltrate a network remotely. In the 1980s and 1990s, the age of dial-up internet, cybercriminals used wardialing to gain unauthorized access to networks by systematically calling a block of numbers until they landed on a weak system that they then could attack.

More recently, wardialing has been set aside for wardriving, the technique used behind the major TJX breach in 2005. By wardriving, the culprits drove around parking lots of TJX stores in Miami with basic wireless hardware in hand (and a full tank of gas), successfully infiltrating the corporate network and stealing tens of millions of customer data records, ultimately costing the company nearly $2 billion in financial losses associated with the breach.

The wardialing and wardriving techniques have limitations, however. These limitations include the amount of time it takes to perform wardialing and the suspicions that arise when a car is detected circling a block hundreds of times with an auspicious antenna and laptop in view.

Warshipping counters these limitations in many ways by using disposable, low-cost and low-power computers to remotely perform close-proximity attacks, regardless of a cybercriminal’s location. Adding to that, warshipping increases target accuracy dramatically. An attacker could control the device from the comfort of their home anywhere in the world. All a malicious actor needs to do is hide a tiny device (similar to the size of a small cell phone) in a package and ship it off to their victim to gain access to their network. In fact, they could ship multiple devices to their target location thanks to low build cost. The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.

Figure 1: A bare warship device before it’s hidden in a package element

Hacks and Crafts: A Warship Device

Technically speaking, a warshipping device is made up of a single-board computer (SBC). They are cheap, capable, networked computers that can run on a basic cell phone battery.

So, what can attackers do with them? At X-Force Red, we built these ready-for-delivery warshipping devices and found that not only are they cheap and small, but for an average cybercriminal, they’re also easy to build. SBCs have some inherent limitations, such as the high amount of power they consume to operate. Applying some clever hacks, we were able to turn these devices into low-power gadgets when active and power them off completely when dormant. Using an internet of things (IoT) modem, we were also able to keep these devices connected while in transit and communicate with them every time they powered on.

Using a command-and-control (C&C) server we created for the task, the devices we had set up securely checked for a specific file on the server to determine if they should stay on or go back to sleep. With off-the-shelf components, this do-it-yourself (DIY) “hacks and crafts” project can cost a cybercriminal under $100.

Once built, a warship device can perform wireless attacks simply by being shipped to someone and arriving on their desk or doorstep. While in transit, the device does periodic basic wireless scans, similar to what a laptop does when looking for Wi-Fi hotspots. It transmits its location coordinates via GPS back to the C&C server.

Once we see that a warship device has arrived at the target’s front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target’s wireless access. The goal of these attacks is to obtain data that can be cracked by more powerful systems in the lab, such as a hash. These hashes represent a very small amount of data that we can obtain over a warship’s 3G connection as the attack progresses.

Behold: A Warship on the Network

For this project, we chose to conduct a passive wireless attack by listening for packets that we could use to break into our victim’s systems. As an example, we listened for a handshake, a packet signaling that a device established a network connection. One of the warship devices transmitted the captured hash to our servers, which we then utilized on the backend to crack the preshared key, essentially the user’s wireless password, and gain Wi-Fi access.

With our warship device, we could also launch other active wireless attacks, such as a deauthentication attack or “evil twin” Wi-Fi attack. By launching an evil twin Wi-Fi network, we could then set up a rogue Wi-Fi network with the warship device and coax our target to join our new decoy network. Our target would then divulge their true credentials (including username and password). This would provide us with further access that could be used for follow-up attacks against the enterprise wireless network.

Once we broke in via the Wi-Fi access, we could then seek to pivot by exploiting existing vulnerabilities to compromise a system, like an employee’s device, and establish a persistent foothold in the network. With this ability to get back into a compromised network, attackers can move through it, steal sensitive employee data, exfiltrate corporate data or harvest user credentials

Bottom line: In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target’s systems.

How to Spot and Protect Against Warshipping Attacks

The warshipping technique can be especially lucrative to cybercriminals during seasons when package deliveries rise significantly, such as summer sales, Cyber Monday or a holiday season. It is quite common for employees to have their online orders shipped to their offices. This can cause great risks to an organization as packages (including incorrect packages) start piling up.

Having illustrated how relatively easy it is for warshipping to succeed, our team of offensive security specialists strongly encourages businesses to follow some common security best practices. Here are some tips that can help reduce the chances of a warshipping attack being successful:

  1. Treat your packages like you would treat a visitor. Would you let a visitor walk straight up to your chief financial officer’s desk? Just as security processes are in place for people, the same must apply to packages. Avoid bringing packages into secure areas and be sure to dispose of empty boxes quickly to avoid lurking devices.
  2. Set a package policy for employees. Discourage employees from shipping personal packages to the office — they may unwittingly be introducing security risks to the company. If such a policy is not an option, inspect all packages you receive for any unwelcome or unsolicited devices.
  3. Consider a package scanning process for large mailrooms. Organizations should inspect all incoming packages. If you’re expecting clothing or books, scanning can detect malicious tech-enabled devices.
  4. Only connect to trusted wireless networks. Avoid using rogue or suspicious wireless access points, and educate employees about these being high-risk hubs that increase attackers’ options for point of entry.
  5. Signal strength is not a security control; do not count on it. Counting on signal strength as a security measure is flawed. Businesses must secure their network’s signal strength as if it were a wireless technology in the middle of a metro area. In the case of Wi-Fi, make sure your organization uses a strong Wi-Fi Protected Access (WPA2) implementation. If you are using a non-wireless protocol, ensure you use strong encryption and additional controls as needed.
  6. Avoid using preshared keys in corporate environments. Use enterprise-grade wireless that has efficient security safeguards in place to provide additional security. For example, Wi-Fi authentication strategies that utilize certificates are becoming popular to go beyond a username and password. In some high-security wireless deployments, a virtual private network (VPN) using multifactor authentication (MFA) is utilized as a gateway to protect the internal network.
  7. Hire a hacking service. Work with a team of hackers such as X-Force Red to uncover and help fix known and unknown vulnerabilities in your organization. This includes testing applications, networks, physical security and people. Do this with a trusted team before a criminal does.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-ranking banking trojan Ramnit out to steal payment card data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today