Warshipping: attack a target network by shipping a cellular-enabled wifi cracker to a company's mail-room

Originally published at: https://boingboing.net/2019/08/07/warchakalakaboom.html

1 Like

This is either not that new or someone owes John Rogers a commission, because I am pretty sure I saw a variation of this on Leverage about ten years ago.


Being on their network shouldn’t give the attackers any special privileges. A company that gives internal vs. external connections any approval (without authentication) is asking for trouble. If the targets inside the network are locked down properly, who cares if some package gains access to the network?

Granted, my home network isn’t much of a target, but all of my systems are locked down tightly, and my wifi is wide open so the neighbors and guests can share it. What do I care? Good security shouldn’t be affected by who can hack your wifi.


I was telling someone exactly this the other day. We have a customer asking whether to run TLS on internal services.

Yes, definitely do!


“Shouldn’t” being the operative qualifier. I, myself, have worked at a small.company whose sole IT guy swore that they only needed digital security at the login screen for the company website and at individual workstation logins. Which seems about as sensible, to me, as having a single lock on the front door and another single lock on about half the interior office doors of a military base…


Flat networks abound, to this day.

As dangerous as this sounds, I suspect as a tool it is useful only when attacking buildings where only one company is inside, and an office complex where the building is shared by two or more companies will already be slightly paranoid about guests logging into the WiFi network. Right now, for example, I can see two networks from my own company (one for guests), two from the company one floor below us (Foo and Foo Guests) and three from the company next door (Bar_Internal, Bar_Mobile and Bar_Visitors).

And don’t get me started on how many networks I see at my flat, where half of them have the same name (ModemMaker Model 1234 or ModemMaker Model 1235b). And none of them play nice, and keep crowding the others out of the selected bandwidth.

1 Like

At least it isn’t “Case Nightmare Green”


Hacked your company? Me? I warship the ground you walk on.


How do they think mail rooms work? Is the expectation that this box just permanently lives at that address once delivered? Isn’t it likely that someone will open the box and become suspicious, and wouldn’t that likely compromise whatever black hat hijinks are under way?

1 Like

CNG is just around the corner.


Now that’s what I call a Trojan!

1 Like

Good point!
Maybe a little social engineering could establish that someone is away for a week or more, allowing a package to be addressed to that person, remaining undisturbed long enough?

I’ve worked for an institution that gave access to certain systems by IP address; if you’re on-site, you’re in. Nothing individually critical, but things like the intranet, contact directories, etc., which could reveal weaknesses, such as staff absences, as I mentioned above.


If the attacker could find someone in the company on vacation, working out-of-town or a leave of absence, and address it to them? (Mock up the outside to look personal/unimportant so that no one else will open it.)


Sending something that looks personal to someone on vacation is a great way for that package to just disappear. At least on some of the campuses I’ve worked on.


It will be an authenticated wireless connection. Right in the summary it includes breaking a login and getting valid wireless credentials. If those happen to be the same as used for other stuff (single login, likely) then they’ll have valid credentials for all kinds of things. This all assumes they can break the wifi login.

If it’s breaking the WiFI login, then it doesn’t matter. It’s a targeted attack, looking for a specific network and then breaking the WiFi login.

How do you think mail rooms in large companies work?

Create a box that looks like some promotional junk. Include some larger pamphlet’s/small book in the box, maybe a sticker, or a little trinket, maybe some logo socks. Anything that needs it to have an internal structure to organize and present it “just right” when it’s open. Beneath that structure, in the packaging deadspace, there’s lots of room.

Bonus, mail it to someone who left the company recently, or is just on vacation, or it probably doesn’t matter as long as it’s a valid person. The box will get delivered to a mail drop on the floor where the person works. And likely sit there, unopened for weeks, as everyone ignores the clearly junk mail.

A little trip down LinkedIn, Facebook, Twitter, and you can probably identify someone that meets many of these criteria. Probably including vendors they’re likely to be targeted by for advertisements.


What?! They didn’t quickly match IP to MAC address (to catch the casual intruders) then only authorize on the WiFi AP’s internal pf firewall with correct, verified, system and individual 2FA-secured SSH keys presented to the authpf subsystem? Time to spend some time with the OpenBSD manuals, that stuff comes for free. :face_with_raised_eyebrow:

I mean, fine for visitors on a home network, as long as it’s piped straight out to the sewer that is the public internet.

… but what do I know? I’m strictly an amateur in the security field…

1 Like

Then make it look official and bureaucratic? That would be part of the target research along with finding out who’s away. (For a campus, rather than a package, have someone who looks like a student carry it around.)

Still, it’s always fun to get mail.


So, that’s a Pi Zero W, a lith-ion battery, some power regulation stuff; and a dongle cell modem. I’m wondering if that is a WOL chip to power on/power off the PI when the cell modem gets an incoming message…

I missed how thin that solution was, you could easily hide it in the box or in internal packaging for something else and it may never be discovered; the box would just look empty. Whole new variation of the toner box scam.

If you had enough intel to determine who their vendor was for a particular type of product that the business used and could order something from that vendor and fake a shipment from them to the target… the target would likely either just ship it back (after letting it sit on the desk for a week while all the calls were made, voicemails were left, emails exchanged, and the vendor denies ever shipping it and they try to figure out the inventory mistake) or the vendor would let them keep it with their complements… either way, you’re in their building potentially on their network for a week or more.

1 Like