IBM’s Red Team says it has built a DIY device for less than $100 (£82) that can be posted to businesses – then be remotely controlled to sniff for and crack local Wi-Fi, giving attackers access to sensitive corporate networks.
In an attack it dubs “Warshipping”, IBM X-Force Red, the company’s penetration testing specialist team, built the device (comprising a low-power single-board computer and an IoT modem) using off-the-shelf components, then controlled it from their remote servers to launch a successful attack.
Such devices, powered by a cellphone battery, could be hidden in a seemingly innocuous gift like a teddy bear (perhaps an unlikely unsolicited corporate gift), simply in packaging, or in a disguise of the hacker’s choice.
Enterprises are particularly vulnerable to such attacks around e-commerce events like Black Friday or Cyber Monday, when employees often order deliveries to the office, IBM noted in a new post today.
Detailing the attack, demonstrated on an unnamed client, IBM said: “For this project, we chose to conduct a passive wireless attack by listening for packets that we could use to break into our victim’s systems.
“As an example, we listened for a handshake, a packet signaling that a device established a network connection. One of the warship devices transmitted the captured hash to our servers, which we then utilised on the backend to crack the preshared key, essentially the user’s wireless password, and gain Wi-Fi access”, the team said.
They added: “With our warship device, we could also launch other active wireless attacks, such as a deauthentication attack or ‘evil twin’ Wi-Fi attack. By launching an evil twin Wi-Fi network, we could then set up a rogue Wi-Fi network with the warship device and coax our target to join our new decoy network.”
The team also managed to keep power consumption down and the device active for far longer than a live smartphone would manage, saying: “Applying some clever hacks, we were able to turn these devices into low-power gadgets when active and power them off completely when dormant.”
While in transit, the device performs periodic basic wireless scans, similar to what a laptop does when looking for Wi-Fi hotspots. It transmits its location coordinates via GPS back to the command and control (C&C) server.
Charles Henderson, Global Head of IBM X-Force Red, stated: “Once we see that a warship device has arrived at the target’s front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target’s wireless access.”
Warshipping: What’s the Threat?
Henderson notes that warshipping is an evolved form of the older hacking techniques wardialing and wardriving.
He commented: “These are all techniques that allow cybercriminals to infiltrate a network remotely. In the 1980s and 1990s, the age of dial-up internet, cybercriminals used wardialing to gain unauthorised access to networks by systematically calling a block of numbers until they landed on a weak system that they then could attack.”
Warshipping Mitigation: Don’t Count on Signal Strength
To protect themselves against this type of attack, companies are advised to treat packages as they would visitors and submit them to an appropriate security process.
IBM added: “Signal strength is not a security control; do not count on it. Businesses must secure their network’s signal strength as if it were a wireless technology in the middle of a metro area. In the case of Wi-Fi, make sure your organization uses a strong Wi-Fi Protected Access (WPA2) implementation. If you are using a non-wireless protocol, ensure you use strong encryption and additional controls as needed.
“Avoid using preshared keys in corporate environments… In some high-security wireless deployments, a virtual private network (VPN) using multifactor authentication (MFA) is utilised as a gateway to protect the internal network.”
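An added example (not from IBM or the original article) of one defensive check that follows from the advice above: flag any beacon that carries the corporate SSID from a BSSID outside the inventory, or that offers anything other than 802.1X, however weak its signal. The SSID, the BSSIDs, the `Beacon` record and the scan data are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed inventory of authorised access points for the corporate SSID
# (constructed values; a real list would come from the WLAN controller).
CORP_SSID = "corp-wlan"
AUTHORISED_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    akm: str   # key management advertised: "802.1X", "PSK" or "OPEN"
    rssi: int  # dBm, recorded for context only


def audit_beacons(beacons, corp_ssid=CORP_SSID, authorised=AUTHORISED_BSSIDS):
    """Return sorted (bssid, finding) pairs for beacons that need review."""
    findings = set()
    for b in beacons:
        if b.ssid != corp_ssid:
            continue
        bssid = b.bssid.lower()
        # Deliberately no RSSI threshold: a faint beacon is still in range
        # of some client, so signal strength never suppresses a finding.
        if bssid not in authorised:
            findings.add((bssid, "unknown BSSID advertising corporate SSID"))
        if b.akm != "802.1X":
            findings.add((bssid, f"corporate SSID offered with {b.akm}, not 802.1X"))
    return sorted(findings)


# Constructed sample scan, as a wireless sensor might report it.
SAMPLE_SCAN = [
    Beacon("corp-wlan", "02:00:00:aa:00:01", "802.1X", -48),
    Beacon("corp-wlan", "02:00:00:AA:00:02", "PSK", -55),
    Beacon("corp-wlan", "02:00:00:bb:00:09", "OPEN", -83),
    Beacon("guest-wlan", "02:00:00:cc:00:01", "PSK", -60),
]

if __name__ == "__main__":
    for bssid, finding in audit_beacons(SAMPLE_SCAN):
        print(f"{bssid}  {finding}")
```

A BSSID is only an advertised value, so a clean result here is one signal among several rather than proof that no rogue access point is present.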