When you think about getting hacked, you probably imagine hackers using stolen credentials, undertaking a phishing attack, or exploiting a vulnerability in your network. What you probably don’t expect is for them to come through the front door, and access your systems via a remote control device delivered in a physical package.
That’s precisely what security researchers at IBM were able to do recently. Fortunately, they were white hat hackers, simply testing for vulnerabilities, but the next target could be you or one of your clients. As with all security issues, it’s something you have to prepare for.
The researchers dubbed the technique “warshipping.” It involves placing a small computer inside a package and mailing it to the target. These devices are cheap, easy to build, and allow a hacker to remotely access a network from virtually anywhere in the world.
As Charles Henderson of IBM’s X-Force Red white hacking team wrote on the IBM Security Intelligence blog this week, “The device is a 3G-enabled, remotely controlled system, that is no bigger than the palm of your hand. It can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear, and delivered right into the hands or desk of an intended victim.”
Activating the Trojan Horse
As he pointed out, who would be suspicious of a box or suspect that it included a device for getting inside your network, especially in the age of e-commerce when boxes are delivered to homes or offices constantly. “Think of the volume of boxes moving through a corporate mailroom daily, or consider the packages dropped off on the porch of a CEO’s home sitting within range of their home Wi-Fi. Using warshipping, X-Force Red was able to infiltrate corporate networks undetected,” Henderson wrote.
In the age of e-commerce and delivery, hackers are using remote control devices inside of physical packages to bypass unsuspecting targets. #Warshipping #CyberSecurity
That’s a scary thought. You have probably considered that well-funded criminal syndicates and nation states could be working to get into corporate networks for a variety of reasons, including espionage and outright theft, but these scenarios tend to take gobs of money to pay talented hackers to do their bidding.
The devices in question cost less than $100 (plus the cost of shipping). That’s trivial, and once the device has been delivered, the hacker can try a number of techniques to break into the network. In fact, IBM’s researchers were able to get full network access using this technique.
None of this is good news for an MSP who is responsible for securing a client’s network, but forewarned is forearmed. Knowing about this technique allows you to warn your clients to be thinking about this, and to be aware that the next package delivery might contain more than you think.
Photo: Roschetzky Photography / Shutterstock