Hack-age delivery! Wardialing, wardriving... Now warshipping: Wi-Fi-spying gizmos may lurk in future parcels

IBM's X-Force hacking team have come up with an interesting variation on wardriving – you know, when you cruise a neighborhood scouting for Wi-Fi networks. Well, why not try using the postal service instead, and call it "warshipping," Big Blue's eggheads suggested earlier today. To demonstrate this approach, the X-Force team …

  1. Anonymous Coward

    I bet the NSA are having a good chuckle at the size of this.

  2. Stuart Dole

    Complicated way to do basic spy tech.

  3. Stuart Dole

    Complicated way to do basic spy tech.

    You could just walk into the lobby and leave something like this in the planter.

    1. Will Godfrey Silver badge

      Re: Complicated way to do basic spy tech.

      ... and be immediately identified on their CCTV

    2. bazza Silver badge

      Re: Complicated way to do basic spy tech.

      Posting it is cheaper. And more scalable...

    3. Anonymous Coward

      Re: Complicated way to do basic spy tech.

      In 2015, during a pentest at a London financial institution, the Red team installed a harvester package comprising an RFID badge cloner, Bluetooth jacker and camera inside the smokers' bin by the back door. In their defence, security did challenge them twice (upon installation & removal) but did not check if the firm actually had contracted out the cleaning of the bin.

  4. Anonymous Coward

    Hmm...

    "Once it arrives, it can be activated remotely over the internet, or when it detects it is near its destination using GPS. It can be instructed to scan for vulnerable networks to infiltrate – a la the TJX wireless hacking in the mid-2000s – or spoof nearby legit wireless networks to harvest passphrases from those connecting, or get up to other mischief over the air."

    "it can be activated remotely over the internet". That is a hefty bit of hand waving. If it can find a router with an unchanged, standard password... maybe. It's going to configure itself to spoof my router, and then get someone to log in? I doubt that, too. Now, could someone with a bit of knowledge stand outside my home and do all this? Maybe. But a device delivered by the mailman and subsequently trashed (or sent to police) is not going to self-configure to spoof my network and trick people into logging in, nor is it going to get into my router. I suspect that the device will have less than about 30 or 40 seconds to do whatever it can do before I open the box. It has about 3 seconds to live after that. So if someone out there thinks they can compromise the security of my home network in 30 or 40 seconds via a package sent (for appx $100), have at it.

    1. Anonymous Coward

      Re: Hmm...

      Thing is though it's not just you, if someone nearby has an easy to access network (default password/upnp/unsecured) they now have access to the device so they don't need to stand outside your home. The device itself can easily be hidden in the box and you won't know, plus how long before you take the box for recycling if it doesn't fit in your bin?

      To be fair this is all hypothetical and I doubt anyone is going to be hell bent on hacking mine or your network unless they are after my coveted cats doing funny things videos.

    2. Henry Hallan

      Re: Hmm...

      "...consisting of a $100 single-board computer with built-in 3G..."

      Presumably the 3G is to allow it to phone home without needing to access an external route via local networks.

      1. bazza Silver badge

        Re: Hmm...

        And with 3G, it would be perfectly possible to off-load any heavy duty number crunching back to some server. So whilst it's a small, puny device, it might have access to the compute resources of something very big to aid it.

    3. Anonymous Coward

      Re: Hmm...

      SIM..

      1. doublelayer Silver badge

        Re: Hmm...

        Yes, the connection to 3G would possibly identify the source, depending on the availability of prepaid anonymous SIMs in the target country. However, that requires that the device be found. The idea of hiding it in the cardboard of the box would be a pretty interesting idea, with the battery being the main stumbling block.

        1. John Brown (no body) Silver badge

          Re: Hmm...

          "The idea of hiding it in the cardboard of the box would be a pretty interesting idea, with the battery being the main stumbling block."

          I've seen some pretty robust cardboard boxes with foldover supports built in to provide support of the contents. Or some fairly dense polystyrene mouldings, eg protecting screens being delivered. Or expanding foam injection to plastic bags for instant custom packaging. Or a cut out in the bottom of a 1" thick honeycomb strengthening layer glued into the bottom of a box. I think it could be quite easy to hide something the approximate size and weight of a mobile phone in a box + packaging, especially larger boxes.

    4. doublelayer Silver badge

      Re: Hmm...

      Depending on what it's doing, it might be able to impact your network. The main thing to consider is that it probably has a lot more time than you've given it credit for. After it gets delivered, it will sit in your mailbox until you get home or come outside to retrieve it. Even if your mail is delivered directly into your house, you have to actively go to the location to retrieve the mail. Depending on how it could be hidden, that might give it several minutes if you're at home at the time of delivery or several hours if it can sit happily in your mailbox and attack the network from there. As for automatic configuration, that's very dependent on what evil thing it wants to do. If it just wants to collect data and phone home, that doesn't take that long. If it wants to try default passwords or vulnerabilities on network devices, that's probably two minutes or so. If it wants to masquerade as a network device to catch a user or something of that nature, it will need a lot more time and, for that matter, a lot more battery power to get that done.

    5. John Brown (no body) Silver badge

      Re: Hmm...

      "I suspect that the device will have less than about 30 or 40 seconds to do whatever it can do before I open the box. It has about 3 seconds to live after that."

      Are you as important as a large corporate or CEO type that you think they would spend time and effort targeting you at your home?

  5. Shadow Systems Silver badge

    I'm not so sure.

    A company mail room has to sort & get any incoming packages to the person for whom it's intended quickly, so it's unlikely to sit & molder for very long. Sure it might wait an entire weekend if nobody works then, but the postal service doesn't deliver on Sundays so that cuts the window time by half.

    The person who gets the box probably won't let it sit on their desk for very long either, natural Human curiosity will take care of that. The moment they find some strange electronic gizmo in the box they'll be on the phone to security with a potential bomb threat. Kiss your package goodbye. If the person is on vacation & may not get the box for a while, there's a very good chance the company has rerouted their incoming mail to someone else to take care of issues in the meantime. The package is unlikely to sit for very long.

    If sent to a residential location then it might sit for a few hours until the resident returns home, unless it gets stolen at which point the crooks on both ends of the package will have fun with each other. Once the resident returns & retrieves the box, that whole curiosity thing won't let it sit for very long. I'm not sure about you, but most folks would probably freak out if sent some strange electronic gadget by an anonymous sender; cue a call to the cops, a possible bomb scare, or at least a quick trip to the garage for a very big hammer.

    And it all depends on the device being able to find a signal to connect to so it can get online to phone home. If there's little/no/wonky signal, if the location doesn't have wifi, or if the package is kept in a metal storage locker for safe keeping, all bets are off. No signal, no phone home, no problem.

    I don't doubt it would be effective if everything goes right, but all it takes is for one thing not to & the whole house of cards crumbles to the floor.

    1. Kimo

      Re: I'm not so sure.

      Step one: send a series of emails, not spammy enough to go straight to the junk folder, and search for out-of-office auto-replies. "I'm on vacation until..." is gold. Step two: ship a small box spoofing an office-supply chain return address. Those don't get checked often. Now you have a box sitting on site for some time.

      1. DontFeedTheTrolls Silver badge

        Re: I'm not so sure.

        "A company mail room has to sort & get any incoming packages to the person for whom it's intended quickly, so it's unlikely to sit & molder for very long."

        Not from my experience. If you're really lucky and it arrived before 9am then you *might* get it before the end of the day, but it's typically 2-3 days in the mailroom's control, and it probably goes round the building a couple of times on the trolley before they find the recipient (unless it's the boss's secretary who gets daily deliveries from Amazon).

      2. Chris the bean counter

        Re: I'm not so sure.

        Better not to have a return address. That way if the item is reasonably valuable...maybe a phone (advantage of phone is the bug in the packaging less likely to be detected) then the instinct is to leave package on a shelf and wait a few days until someone asks for it. Maybe address it to the personal assistant of the CIO.

        First rule of a secure workspace is ban people from listing on LinkedIn (impossible I know but makes all illegal activities so much easier)

    2. Tom 38 Silver badge

      Re: I'm not so sure.

      Employee parcels in our office go in one big room, and wait there to be collected. No-one is opening it.

      Besides, you would want to make it look like something else. It should look like something that you ordered online, except you didn't. Inside the brown packaging box, you'd have some kind of shrink wrapped box containing the actual device ("huh, I didn't order a big box of vibrators, best check with H/SWMBO tonight/return it, I'll just hide it quickly so no-one in the office sees it")

      So many ways to do this.

  6. a_yank_lurker Silver badge

    Practical?

    It seems like something that is easily defeated by many companies with good security practices. For a home delivery, it might slurp up some access but most people know what they order and from whom. So an unexpected package should set off alarm bells.

    1. Throatwarbler Mangrove Silver badge

      Re: Practical?

      Yes, and it's an excellent way of penetrating companies with poor security practices. Not that those exist, of course.

  7. Throatwarbler Mangrove Silver badge

    Pair with corporate swag

    With a little investigation, you can easily figure out some vendors that your target company does business with. Buy some cheap swag (e.g. a solar-powered bobblehead doll), slap the vendor's logo on it, embed this device in the item, and odds are good that someone in the company will park it on their desk or in a window, where the solar panel can continue to power the device indefinitely. Hell, if you can figure out how to infiltrate the supply chain of a major sports organization, you have the opportunity to spy on the networks of thousands of sports fans. Or do the same with a tech conference--the gift of choice there is already IoT gear; how hard would it be to substitute kit like this?

    Umm . . . I'll be back, I have to go urgently smash several things with a hammer.

  8. Anonymous Coward

    But when it reaches the mailroom...

    Any serious mailroom x-rays inbound packages, a mass of wiring with a battery would probably involve building evac and the bomb squad (observed precisely this in the past myself with a suspicious powered pc card, bomb squad images circulated after the controlled detonation)

    1. doublelayer Silver badge

      Re: But when it reaches the mailroom...

      Your mail people might either be more security conscious or more paranoid than the ones I've seen. At companies I've seen, many people ship electronics to the company. Some people need some components or general hardware, and get that ordered. Some others have weird package delivery problems at their home and have personal shipments routed to the company. In both cases, electronics are rather common and wouldn't be immediately reported.

    2. Anonymous Coward

      Re: But when it reaches the mailroom...

      We had a Furby "subjected to controlled explosion". Batteries and wires in a package delivered to the "Fraud Department" that wasn't located in that building.

    3. Mage Silver badge

      Re: But when it reaches the mailroom...

      In a gazillion years of visiting companies and working for various, I've never seen X-Ray in a mailroom. I've no doubt some do have them.

  9. Glen 1 Bronze badge

    Seems like you could do similar stuff with an ESP32 and an accelerometer for a fraction of the cost.

    You don't need the GPS when a) you know where you're posting it b) the battery life can be measured in days. (More than enough to reach destination)

    Also: if you're just sniffing WiFi for de-auths and recording the handshake, you can extend battery life further by only using 2G/Edge. You'd probably need 4G/LTE to spoof a full grown internet connection.

  10. Allan George Dyer Silver badge

    RFC 1149 FTW

    "checking deliveries with a suitable radio frequency scanner"

    I can avoid this detection by using IP over Avian Carriers. Do you think the birdseed and cooing will be a problem?

    1. Glen 1 Bronze badge

      Re: RFC 1149 FTW

      latency is a problem though, and don't forget packet loss caused by Highly Agitated Winged Killers

  11. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921 Bronze badge

    My postie will hate having to carry a faraday cage

  12. Joe Harrison

    Actually happened to me

    I buy a lot of small items from China and the deliveries do get a bit weird sometimes. One day a wireless mains adaptor turned up with correct name and address but which I had not ordered. I did realise of course that it would have been an ideal hacking thing so I didn't plug it in. Surely much more likely though that it was somehow just wrongly delivered.

    The idea is still good though; if you send someone an unsolicited toaster containing hidden battery-powered hacking kit then my bet is that it will just sit there until they get round to sending it back or whatever they decide to do with it.

  13. Mage Silver badge

    Also expanding the Trojan Horse

    Send it hidden in a box with a free HID based device and "Marketing", such as a mouse. Or other "gift" (Trojan) to the required senior people.

    This is pretty easy to do actually.

    The "mouse" might even be able to use the laptop / All-in-one BT what the local WiFi password is. As well as capture all important web / company passwords/accounts.

    Then the little computer avoids the corporate firewall by using GSM/Edge/3G/4G, which might be too much HW to fit in a mouse.

    Anonymous SIMs are easy to get and with anonymous pre-pay credit may work in destinations where such SIMs / Credit can't be purchased.

    The computer can be hidden in a gift, soles of Nike/Converse or packaging (for a nice Trojan HID mouse or other thing) that's too nice to chuck out. It can be embedded in foam/silicone packaging mat so it's not noticed when/if packaging is dumped.

    Could be fitted in a complimentary smart speaker, TV sound bar or whatever. Then power is no issue. For some targets the cost is irrelevant. Full 24x7 covert surveillance by a human team is mindbogglingly expensive.

    It's not needed if you have human access to the site. That's been using clocks, wall sockets, adaptors, copiers, coffee makers for radio / audio / video surveillance for maybe 15 years, often with a mobile connection and powered from the target's mains. It can communicate out of hours / radio silence / communicate on demand. Maybe even a rock in the company garden. Stuff now cheap on ebay if you have foolproof human access to a site.

    So the only news here is that it's in IBM PR. This is well established.

    Any Dark Arts Covert Surveillance team has probably been doing this for years.

    1. Mage Silver badge

      Re: probably been doing this for years

      Actually people are now paying to have surveillance installed:

      Nest

      Amazon doorbells

      Smart Speakers

      Connecting your Smart TV to LAN/WiFi, thus internet.

      Windows 10

      Android (free, but you have to buy phone/tablet)

      Chrome OS Cloud Terminals

      Most IoT stuff not listed above, such as toys or Baby monitors insecurely done.

      Enabling UPnP on a router

      Using IP6 without a proper IP6 Firewall.

      Free options include Chrome Browser, Facebook, LinkedIn and most Google services etc.

      So you only need the more Covert options if you are not a large US corporation.

  14. ItsMeDammit

    This is never likely to be a large scale issue...

    ... when the Raspberry Pi Foundation are still insisting that their suppliers limit Pi Zero W sales to 1 per customer and have done since its launch in February 2017. Come on. Really? Still?

  15. Gordon 10 Silver badge

    Hang on a sec

    Doesn't this tool already pre-exist in a cheaper, more convenient form factor?

    Any cheap Android phone running the Kali Linux port can do this too - no need for bespoke kit. Add in a battery pack for a decent life and you're sorted.

    With a bit more effort you can probably do it with one of those "prison phones" that are all over Amazon.

  16. Anonymous Coward

    "Mom, I finally got a job!"

    "That's wonderful son, what are you doing?"

    "Mail Room Security Specialist for XXY Company - oh, and do you know if my baseball bat is still in the hall closet; got to have my own tools they told me."

  17. FlippingGerman

    But then someone opens the box and sees a load of electronics. Isn't that a bit suspicious? Sure, it might be too late, but that opens a whole new set of ways to catch the perpetrator.

  18. jobst

    The teddy bear can be used as a camera device as well. Use the infrared lights as eyes and pop the camera into the nose ...


Biting the hand that feeds IT © 1998–2019