
I bet the NSA are having a good chuckle at the size of this.
IBM's X-Force hacking team have come up with an interesting variation on wardriving – you know, when you cruise a neighborhood scouting for Wi-Fi networks. Well, why not try using the postal service instead, and call it "warshipping," Big Blue's eggheads suggested earlier today. To demonstrate this approach, the X-Force team …
In 2015, during a pentest at a London financial institution, the red team installed a harvester package comprising an RFID badge cloner, Bluetooth jacker and camera inside the smokers' bin by the back door. In their defence, security did challenge them twice (upon installation & removal) but did not check whether the firm had actually contracted out the cleaning of the bin.
"Once it arrives, it can be activated remotely over the internet, or when it detects it is near its destination using GPS. It can be instructed to scan for vulnerable networks to infiltrate – a la the TJX wireless hacking in the mid-2000s – or spoof nearby legit wireless networks to harvest passphrases from those connecting, or get up to other mischief over the air."
"it can be activated remotely over the internet". That is a hefty bit of hand waving. If it can find a router with an unchanged, standard password... maybe. It's going to configure itself to spoof my router, and then get someone to log in? I doubt that, too. Now, could someone with a bit of knowledge stand outside my home and do all this? Maybe. But a device delivered by the mailman and subsequently trashed (or sent to police) is not going to self-configure to spoof my network and trick people into logging in, nor is it going to get into my router. I suspect that the device will have less than about 30 or 40 seconds to do whatever it can do before I open the box. It has about 3 seconds to live after that. So if someone out there thinks they can compromise the security of my home network in 30 or 40 seconds via a package sent (for approx. $100), have at it.
Thing is, though, it's not just you: if someone nearby has an easy-to-access network (default password/UPnP/unsecured) they now have access to the device, so they don't need to stand outside your home. The device itself can easily be hidden in the box and you won't know, plus how long before you take the box for recycling if it doesn't fit in your bin?
To be fair this is all hypothetical and I doubt anyone is going to be hell-bent on hacking my or your network unless they are after my coveted cats-doing-funny-things videos.
Yes, the connection to 3G would possibly identify the source, depending on the availability of prepaid anonymous SIMs in the target country. However, that requires that the device be found. The idea of hiding it in the cardboard of the box would be a pretty interesting idea, with the battery being the main stumbling block.
"The idea of hiding it in the cardboard of the box would be a pretty interesting idea, with the battery being the main stumbling block."
I've seen some pretty robust cardboard boxes with foldover supports built in to provide support of the contents. Or some fairly dense polystyrene mouldings, e.g. protecting screens being delivered. Or expanding foam injection into plastic bags for instant custom packaging. Or a cut-out in the bottom of a 1" thick honeycomb strengthening layer glued into the bottom of a box. I think it could be quite easy to hide something the approximate size and weight of a mobile phone in a box + packaging, especially larger boxes.
Depending on what it's doing, it might be able to impact your network. The main thing to consider is that it probably has a lot more time than you've given it credit for. After it gets delivered, it will sit in your mailbox until you get home or come outside to retrieve it. Even if your mail is delivered directly into your house, you have to actively go to the location to retrieve the mail. Depending on how it could be hidden, that might give it several minutes if you're at home at the time of delivery or several hours if it can sit happily in your mailbox and attack the network from there. As for automatic configuration, that's very dependent on what evil thing it wants to do. If it just wants to collect data and phone home, that doesn't take that long. If it wants to try default passwords or vulnerabilities on network devices, that's probably two minutes or so. If it wants to masquerade as a network device to catch a user or something of that nature, it will need a lot more time and, for that matter, a lot more battery power to get that done.
"I suspect that the device will have less than about 30 or 40 seconds to do whatever it can do before I open the box. It has about 3 seconds to live after that."
Are you as important as a large corporate or CEO type that you think they would spend time and effort targeting you at your home?
A company mail room has to sort & get any incoming packages to the person for whom it's intended quickly, so it's unlikely to sit & molder for very long. Sure it might wait an entire weekend if nobody works then, but the postal service doesn't deliver on Sundays so that cuts the window time by half.
The person who gets the box probably won't let it sit on their desk for very long either; natural human curiosity will take care of that. The moment they find some strange electronic gizmo in the box they'll be on the phone to security with a potential bomb threat. Kiss your package goodbye. If the person is on vacation & may not get the box for a while, there's a very good chance the company has rerouted their incoming mail to someone else to take care of issues in the meantime. The package is unlikely to sit for very long.
If sent to a residential location then it might sit for a few hours until the resident returns home, unless it gets stolen at which point the crooks on both ends of the package will have fun with each other. Once the resident returns & retrieves the box, that whole curiosity thing won't let it sit for very long. I'm not sure about you, but most folks would probably freak out if sent some strange electronic gadget by an anonymous sender; cue a call to the cops, a possible bomb scare, or at least a quick trip to the garage for a very big hammer.
And it all depends on the device being able to find a signal to connect to so it can get online to phone home. If there's little/no/wonky signal, if the location doesn't have wifi, or if the package is kept in a metal storage locker for safe keeping, all bets are off. No signal, no phone home, no problem.
I don't doubt it would be effective if everything goes right, but all it takes is for one thing not to & the whole house of cards crumbles to the floor.
Step one: send a series of emails, not spammy enough to go straight to the junk folder, and search for out-of-office auto-replies. "I'm on vacation until..." is gold. Step two: ship a small box spoofing an office-supply chain return address. Those don't get checked often. Now you have a box sitting on site for some time.
"A company mail room has to sort & get any incoming packages to the person for whom it's intended quickly, so it's unlikely to sit & molder for very long."
Not from my experience. If you're really lucky and it arrived before 9am then you *might* get it before the end of the day, but it's typically 2-3 days in the mailroom's control, and it probably goes round the building a couple of times on the trolley before they find the recipient (unless it's the boss's secretary who gets daily deliveries from Amazon).
Better not to have a return address. That way, if the item is reasonably valuable... maybe a phone (the advantage of a phone is that the bug in the packaging is less likely to be detected), then the instinct is to leave the package on a shelf and wait a few days until someone asks for it. Maybe address it to the personal assistant of the CIO.
First rule of a secure workspace is to ban people from listing on LinkedIn (impossible, I know, but it makes all illegal activities so much easier).
Employee parcels in our office go in one big room, and wait there to be collected. No-one is opening it.
Besides, you would want to make it look like something else. It should look like something that you ordered online, except you didn't. Inside the brown packaging box, you'd have some kind of shrink wrapped box containing the actual device ("huh, I didn't order a big box of vibrators, best check with H/SWMBO tonight/return it, I'll just hide it quickly so no-one in the office sees it")
So many ways to do this.
With a little investigation, you can easily figure out some vendors that your target company does business with. Buy some cheap swag (e.g. a solar-powered bobblehead doll), slap the vendor's logo on it, embed this device in the item, and odds are good that someone in the company will park it on their desk or in a window, where the solar panel can continue to power the device indefinitely. Hell, if you can figure out how to infiltrate the supply chain of a major sports organization, you have the opportunity to spy on the networks of thousands of sports fans. Or do the same with a tech conference: the gift of choice there is already IoT gear; how hard would it be to substitute kit like this?
Umm . . . I'll be back, I have to go urgently smash several things with a hammer.
Any serious mailroom x-rays inbound packages; a mass of wiring with a battery would probably involve a building evac and the bomb squad (observed precisely this in the past myself with a suspicious powered PC card, bomb squad images circulated after the controlled detonation).
Your mail people might either be more security conscious or more paranoid than the ones I've seen. At companies I've seen, many people ship electronics to the company. Some people need some components or general hardware, and get that ordered. Some others have weird package delivery problems at their home and have personal shipments routed to the company. In both cases, electronics are rather common and wouldn't be immediately reported.
Seems like you could do similar stuff with an ESP32 and an accelerometer for a fraction of the cost.
You don't need the GPS when a) you know where you're posting it b) the battery life can be measured in days. (More than enough to reach destination)
Also: if you're just sniffing WiFi for de-auths and recording the handshake, you can extend battery life further by only using 2G/Edge. You'd probably need 4G/LTE to spoof a full grown internet connection.
I buy a lot of small items from China and the deliveries do get a bit weird sometimes. One day a wireless mains adaptor turned up with correct name and address but which I had not ordered. I did realise of course that it would have been an ideal hacking thing so I didn't plug it in. Surely much more likely though that it was somehow just wrongly delivered.
The idea is still good though; if you send someone an unsolicited toaster containing hidden battery-powered hacking kit then my bet is that it will just sit there until they get round to sending it back or whatever they decide to do with it.
Send it hidden in a box with a free HID based device and "Marketing", such as a mouse. Or other "gift" (Trojan) to the required senior people.
This is pretty easy to do actually.
The "mouse" might even be able to use the laptop / All-in-one BT what the local WiFi password is. As well as capture all important web / company passwords/accounts.
Then the little computer avoids the corporate firewall by using GSM/Edge/3G/4G, which might be too much HW to fit in a mouse.
Anonymous SIMs are easy to get and with anonymous pre-pay credit may work in destinations where such SIMs / credit can't be purchased.
The computer can be hidden in a gift, the soles of Nike/Converse or packaging (for a nice Trojan HID mouse or other thing) that's too nice to chuck out. It can be embedded in a foam/silicone packaging mat so it's not noticed when/if the packaging is dumped.
Could be fitted in a complimentary smart speaker, TV sound bar or whatever. Then power is no issue. For some targets the cost is irrelevant. Full 24x7 covert surveillance by a human team is mindbogglingly expensive.
It's not needed if you have human access to the site. That's been done using clocks, wall sockets, adaptors, copiers, coffee makers for radio / audio / video surveillance for maybe 15 years, often with a mobile connection and powered from the target's mains. It can communicate out of hours / keep radio silence / communicate on demand. Maybe even a rock in the company garden. Stuff is now cheap on eBay if you have foolproof human access to a site.
So the only news here is that it's in IBM PR. This is well established.
Any Dark Arts Covert Surveillance team has probably been doing this for years.
Actually people are now paying to have surveillance installed:
Nest
Amazon doorbells
Smart Speakers
Connecting your Smart TV to LAN/WiFi, thus internet.
Windows 10
Android (free, but you have to buy phone/tablet)
Chrome OS Cloud Terminals
Most IoT stuff not listed above, such as toys or Baby monitors insecurely done.
Enabling UPnP on a router
Using IPv6 without a proper IPv6 firewall.
Free options include Chrome Browser, Facebook, Linkedin and most Google services etc.
So you only need the more Covert options if you are not a large US corporation.
Doesn't this tool already pre-exist in a cheaper, more convenient form factor?
Any cheap Android phone running the Kali Linux port can do this too - no need for bespoke kit. Add in a battery pack for a decent life and you're sorted.
With a bit more effort you can probably do it with one of those "prison phones" that are all over Amazon.