POISON PI sniffs WiFi from your mail room, goes on rampage

Security bod Larry Pesce has developed a chopping board-sized hacker package as an inexpensive weapon for hacking wireless networks through the post. The device is designed for so-called "war shipping" attacks described (vid) last year in which hacking hardware is posted to a target organisation with the aim of attacking …

  1. Voland's right hand Silver badge

    Not likely to succeed

    Most banks and other interesting targets x-ray their email nowadays. There are way too many nutters out there. Ditto for mail in general. A selection of it gets scanned too.

    So this does not stand any chances as an attack method against most "interesting" targets. You are more likely to succeed by attaching a Pi to a rat, crow or something else that can get in range.

    1. Ross K Silver badge

      Re: Not likely to succeed

      Most banks and other interesting targets x-ray their email nowadays.

      X-raying email? Now that's what I call high security....

    2. DJO Silver badge

      Re: Not likely to succeed

      And the x-ray mail scanners are almost invariably located in the post room (nobody in management cares that much if the post room staff get blown up) and all this hack needs is to be inside the building so by the time this gets noticed on x-ray and then dumped into a bucket of water or whatever protocols are in place for suspect packages it would have already done its work, so I would disagree and say that is very likely to succeed but is too complicated and too expensive for casual use.

      1. admiraljkb

        Re: Not likely to succeed

        For sake of the mail theme - make it look "laptop'ish" instead of looking like a bomb straight out of <name your favourite cop show here>, and it would make it through the x-rays on the perimeter. Besides, done "properly" it doesn't have to be inside company wifi range for too long if it finds the security holes it's looking for and breaches them. Lot of trouble though, and some risk of it getting traced back.

        It'd be easier for a "guest" carrying a briefcase to just waltz in, and sit in the lobby for a while. In this era of self-service front desks, someone sitting idly by "waiting for someone to come get them" is so common that nobody bats an eye, or even NOTICES them.... I suspect this already occurs a lot, and would be a good reason to hire receptionist/greeters again for each company building.

        For pure chuckle value: Maybe it would be a good idea to locate the mailroom at Ted Kaczynski's log cabin.

    3. JeffyPoooh
      Pint

      Poor hardware-averse design concept

      Too many batteries.

      Get out a soldering iron and build a little low power, power controller. The mW-class hardware turns off the Pi for most of the time, and just powers it up on a fairly low duty cycle. Perhaps triggered by motion using a little mechanical wiggle switch. The Pi in turn could communicate back to the uC to tell him to leave the power on right now, because it's an interesting location. Overall, the duty cycle would be a small fraction of 100%. Thus the whole thing would run for weeks (intermittently) on just a few cells.

      1. PiltdownMan
        Headmaster

        Re: Poor hardware-averse design concept

        Even Piltdown Man knows that those are 18650 3.7 volt CELLS, wired into at least one if not two BATTERIES.

        But he does agree with you that there are too many cells.

        /End friendly Pedanticism

        1. Trigonoceps occipitalis

          Re: Poor hardware-averse design concept

          Piltdown Man, now there's a concept, half man/half macaque. IP lawyers start your engines!

      2. Pookietoo

        Re: Poor hardware-averse design concept

        Just buy one of these.

    4. JeffyPoooh
      Pint

      Re: Not likely to succeed

      "Most banks and other interesting targets..."

      ...do not run their IT networks on Wifi. Ever. Never ever.

      1. Billa Bong

        Re: Not likely to succeed

        It would be far easier to pretend to be a courier delivering a "brand new laptop" to the IT dept. (which has been stuffed full of sniff software). Even if they're not stupid enough to plug into the corp network, some bright spark in IT will think "we didn't order this and there's no way to RMA it - I'll use it myself", load up vpn and all his software and is owned.

        I've never done this, by the way...

        EDIT: The new laptop is stuffed full of sniff software, not the target IT Dept. though if done right, shortly...

        1. Ashton Black

          Re: Not likely to succeed

          In the unlikely event that this happened, any self respecting IT bod would be blatting the OS, as a matter of course, and sticking an OEM Windows or Linux du jour on there. This goes double if it's a Windows hate box. So unless the "sniffer" software is baked into something (UEFI/BIOS re-write or similar), the plan is probably doomed to a rather expensive gift to a stranger.

      2. Robert Helpmann??
        Childcatcher

        Re: Not likely to succeed

        Have an up-vote for making me laugh. Very, very funny!

  2. Anonymous Coward
    WTF?

    Great idea

    Make sure you put a return address on.

    SWAT team in 3....2.....1

    1. Oninoshiko

      Re: Great idea

      I agree!

      I would pick the address of someone who got that promotion you wanted.

  3. Gordon 10
    WTF?

    Eh

    Ok I haven't watched the video but does the payload on the Pi include automated Wifi crackers against the in-house wifi? Otherwise how does it communicate back to the Black Hat? Is he (for it's always a he) sat outside in a car or at the starbucks across the road?

    If it's just speculative - send one to me - I could do with some free pi. Although our mail room does xray stuff so the chances of it getting to me are slim.

    1. Lionel Baden

      Re: Eh

      Uhhmm I thought they sat in darkened messy rooms with sunglasses on, and some Ultra trendy trance music that nobody knows but the elite of the music scene.

      ohhh almost forgot the beeping keyboard & a projector pointed right in their eyes !!!

    2. Doctor_Wibble

      Re: Eh

      > Otherwise how does it communicate back to the Black Hat? Is he (for it's always a he) sat outside in a car or at the starbucks across the road?

      Presumably you have to staple a mobile to the back of it and send a string of SMS though if the post room is in the basement you are SOL.

      Or create a mini mechanism to use the final dregs of power to put the memory card in an envelope and fire it out of the side in the hope that some kindly soul sees it and drops it into the post for you.

      Better yet, make it auto-hack the nearest phone, copy the data to it, plant a custom app and wait for the person to get near a signal, auto-activate, send you the data and delete itself like I saw in that documentary with that Harold guy. Plus or minus smiley face, skull and crossbones or some warning about 'mess with the best'...

      Or send to someone non-existent and return to non-existent sender at somewhere with open wi-fi to do a last-gasp data-dump.

      1. Destroy All Monsters Silver badge

        Re: Eh

        Otherwise how does it communicate back to the Black Hat? Is he (for it's always a he) sat outside in a car or at the starbucks across the road?

        I suggest you look into ... a trained bucket brigade of WarKitteh, strategically positioned all over the town because your crazy prepared skills are crazy.

        gendo_pose.jpg

      2. phil dude
        Thumb Up

        Re: Eh

        "Or create a mini mechanism to use the final dregs of power to put the memory card in an envelope and fire it out of the side in the hope that some kindly soul sees it and drops it into the post for you."

        Thank you! I gurgled my OJ over that one, and had a "Was this a Steven Spielberg movie?" moment...

        P.

  4. Anonymous Coward
    Anonymous Coward

    You can attack WiFi from outside a typical building though, so I'm not entirely sure exactly how much this adds, other than you don't have to be physically so close? Of course you could also get a job with your target company if you really wanted to break them...

  5. banjomike

    Price?

    The Raspberry and the Awus051NH (not HN spelling mistake) will set you back £50-ish and that is a LOT of rechargeable batteries even if the recharger is 'repurposed'.

    I wonder if a WiFi jammer in the postroom would block it?

  6. Jim Lewis

    Would creating a faraday cage around your mail holding room and inspecting all parcels in quarantine prior to distribution not prevent this from working?

    1. Anonymous Coward
      Anonymous Coward

      Would creating a faraday cage around your mail holding room and inspecting all parcels in quarantine prior to distribution not prevent this from working?

      Probably, but you can easily count the number of mail rooms so equipped on the hands of someone working at a not-so-safety-conscious sawing mill. I also wonder if stealing a company laptop won't be more efficient.

      Personally, I don't think WiFi should be used in any company without an extra VPN layer. That way, security becomes independent from the safety of the carrier so even airport WiFi would not pose a problem. To me, WiFi ranks as safe as raw Internet in terms of security.

    2. Ross K Silver badge

      Would creating a faraday cage around your mail holding room and inspecting all parcels in quarantine prior to distribution not prevent this from working?

      If you're *that* paranoid, you're probably using Royal Mail's Secure Mail Opening service already.

      This "war-posting" thing is a cute idea but if you want to go mapping networks in a built-up area you'd be better off using a drone with the same hardware attached. Failing that, why not let War Kitteh loose on the secretaries at your target company?

  7. Chris G

    Cook it

    A low power magnetron in the post room would block some or all usable WiFi with this device given the noise at a range of frequencies that are emitted by microwave ovens that are the same as or close to WiFi signals.

    Better yet give all your mail a minute at 400W , mmm toasty mail!

  8. David Pollard
    Coat

    Beware of geeks bearing gifts

    I'll get my ...

  9. Version 1.0 Silver badge

    An interesting exercise

    However, rather than mailing it, I'd simply attach it to a sales-droid - or something pretending to be one. How about the cleaning staff?

    As G.K. Chesterton observed, there are lots of people who can wander around even the most secure premises and never get seen at all .. Many years ago I needed access to somewhere that I was not allowed to visit - all it took was a white lab coat ... of course, these days I'd need to be walking around talking on the phone too - you have to look "busy".

    1. Nifty Silver badge

      Re: An interesting exercise

      Very interesting. I'm off now so I get my...

      where is it?

  10. Cliff

    Still has to get to the post room

    And unless the post is xray-ed offsite, plenty of opportunity to join or attempt to join any networks it sniffs. A courier could have it sit for half a day in reception quite easily. If it has a building and floor and pillar number on it, it might even make its way to a pigeonhole for a few days. Last big corporate I worked at had such a flow of staff from other global sites, etc., nobody would think it looked odd for a small package to sit for a week with a reasonable sounding name and 'to collect from pigeonholes in B3F2Z1' on it.

  11. Kay Burley ate my hamster

    Simple answer

    Install Ubuntu on an Android Nexus phone along with the required software, plug in external battery and package for posting.

  12. Nifty Silver badge

    Aren't there even smarter hacks available here?

    How about planting essentially the same device, but this time instead of just sniffing and attempting a brute force decryption attack on the local WiFi, act as a bogus WiFi access point with no password needed? Sooner or later some dumbo will connect to it.

  13. All names Taken
    Paris Hilton

    If it is public news ...

    ... it must be old history to security bods?

    Besides, the post is merely one attack vector - how about a drone, a bystander's pocket, back-orifice IT guy's backpack sandwich box, ...

    1. Jason Bloomberg Silver badge

      Re: If it is public news ...

      Indeed. It highlights an attack vector and shows proof of concept but it's nothing new. Get any clever bit of kit into an organisation and it can start snooping around and doing its stuff.

      A suitably hacked shiny new mobe left where an employee could find it could do the job just as well, attract less attention, and the finder would probably keep it charged up allowing it to be more effective.

      The pi is actually an unsuitable board for low-power use and anyone wanting to actually attack a company would unlikely be overly concerned about cost. It's also a rather risky venture as waking up regularly to see if it's reached its target could leave a trail of bread crumbs right back to the sender. Every pi has a unique serial number which often manifests itself through the MAC address, so it may be possible to track them down quite quickly.

      Ultimately it may be no more than fuel for the fire for those who want to log all our interactions on the net to prevent this sort of thing happening and catch people when it does.

      1. Anonymous Coward
        Anonymous Coward

        Re: If it is public news ...

        "Every pi has a unique serial number which often manifests itself through the MAC address, so it may be possible to track them down quite quickly."

        Clearly, you are unfamiliar with this whole 'second-hand purchase with cash' concept I hear so much about. It's all the rage.

    2. Nifty Silver badge

      Re: If it is public news ...

      Drone with wifi payload that parks on the roof and which can be recovered for re-use. I like it.

  14. G Watty What?

    You'll always be caught?

    So I post this thing to someone, it gets there and I snaffle some tasty data treats, put in some back doors etc, etc.

    But as soon as someone opens my package then they'll know something is up. Doesn't this severely limit the amount of time that you'll get to launch an attack and also make your mark completely aware that they've been targeted and probably compromised?

    Given the complexity of all this, it appears it might be a better idea to deploy the old "I'll give you a Mars bar for your login details" scam. Even if that doesn't work, you've saved on the cost of building this thing AND you'll have a load of chocolate to munch on.

    [http://news.bbc.co.uk/1/hi/technology/3639679.stm]

  15. Irongut

    Easier to sit outside in the car park with a laptop

    surely

    1. Anonymous Coward
      Anonymous Coward

      Re: Easier to sit outside in the car park with a laptop

      Nah, sit in the parking lot across the interstate and just use a directional antenna.

      I was able to connect to my work wifi network from the Rooms-to-Go parking lot on the opposite side of I-85.

    2. Anonymous Coward
      Anonymous Coward

      Re: Easier to sit outside in the car park with a laptop

      If you sat in our car park for any length of time, our facilities manager would come out to ask what you were doing there. Parking's at a premium, and you're not on the list of car registrations, never mind that whole security thing. I doubt this situation is rare.

  16. Anonymous Coward
    Anonymous Coward

    was done in the Cold War

    US/NSA CIA actually paid for a large box[shipping crate] to be overlanded from Vladivostok to Moscow, partly done by train, IIRC, stuffed with ELINT/SIGINT recorders. It worked!

    inevitable, really, that secret tech of 30 years ago from .mil, now becomes kid+dog via an R.pi

  17. tekHedd

    WiFi network map?

    If all you want is a map of the wifi access points, you could just convince any one of the people in the company to play Ingress. Oh, and buy Google.

  18. handle

    "being improve continually upgraded"

    Sounds like you should apply that to your sub-editing...

  19. Anonymous Coward
    Anonymous Coward

    Your doing it wrong.

    Just leave some USB flash memory lying around to be picked up.

    Like the Mossad/NSA/CIA did with Stuxnet.
