The US Postal Service handles half a billion mail items every day, and with the rise of next-day delivery, company mailrooms around the globe are almost always piled high with unidentified parcels.

Many may not think twice about accepting a delivery from a courier, but a seemingly innocuous parcel may in fact be a way for a cybercriminal to carry out an attack right from your doorstep.

This is according to X-Force Red, the offensive security division of IBM Security. This team of researchers is employed to test the limits of organisations’ security, uncovering weak points in both physical and cybersecurity that may be exploitable by attackers.

By “thinking like a criminal” X-Force Red comes up with new and creative ways of infiltrating organisations before an attacker does.

“If you're sitting in the parking lot with a directional antenna, people notice you.”

One such technique has been dubbed “warshipping”. Researchers have successfully shipped packages containing cheap but powerful computers, small enough to go unnoticed, making it possible to infiltrate an organisation from within its walls.

These Trojan horses then enable X-Force Red to scan for security vulnerabilities, with the aim of helping the organisation to fix them. But the same method also represents a potential attack vector for nefarious actors.

“If you're sitting in the parking lot with a directional antenna, people notice you. Just like for a criminal, for someone doing this type of work being low profile is very important,” says Charles Henderson, global managing partner and head of X-Force Red.

“We started looking at new and interesting ways we could get on folks' wireless networks, in ways that we could also do surveillance on our clients that they may not have thought of with their physical security practices, and warshipping came out of that.”

Targeted attacks for as little as $100

Warshipping evolves from a technique called wardriving, in which attackers infiltrate wifi networks, usually from a nearby vehicle. However, what makes warshipping stand out is its scalability.

Using a device costing less than $100, it is possible to achieve what many cybercriminals dream of: entering an organisation entirely undetected.

Like spear phishing, warshipping can also be used to engineer personalised targeted attacks.

“We could put anything in the box, we could put something very mundane [inside], and I don't even care if they throw that something in the box away, there's a tendency to keep the box and bring it into a facility,” says Henderson.

“If I have a specific target in mind at a company, I can actually address it to them and it's delivered to them. I mean that's a pretty targeted concept. You can think of it as spear shipping. Warshipping is very directed.”

The financial incentive for warshipping

Although there are no reports of this technique being deployed by cybercriminals yet, the relative ease in which this type of operation can be carried out could make it an attractive prospect, and certainly one cybersecurity professionals should be aware of. Henderson explains that, like other breaches, the financial incentive for this type of attack is huge.

“Once you get in, you're looking for lateral movement. You know, what kinds of information can I get access to, keeping in mind that we're trying to look for things that would be attractive to a criminal, and criminals are generally about one primary thing – that being money,” he says.

“They're looking to monetise stuff... or they're looking for some sort of objective. You can think of that as anything from someone with a political or nation-state objective. But either way, you're looking to move laterally and upwards within the organisation.

“So either vertical, meaning I'm going to increase my access or lateral, meaning I'm going to get similar access in other areas of the business and you're looking to expand your footprint. Today's criminal [is] really not picky about the information they get.”

Physical security often overlooked

Henderson explains that this is in part due to a disconnect between cybersecurity and physical security. During a recent operation, the team was able to eavesdrop on a highly secure organisation.

“With one client, we were targeting their secure facility, the facility that actually as a person, even as a trusted vendor, I was not allowed into, and when you went in, you were swept for electronic devices. You couldn't bring a cell phone in. It was a very highly secured R&D facility. We shipped warshipping in, and not only did it get in in one day, it was walked right into the facility.

“And they actually had what's called a Faraday cage that prevented RF [radio frequencies] from leaving the facility, they had it shielded.

And the warship is smart enough to start recording everything in that facility, and it can't get home over the mobile network while in the facility, but it records to memory on the device. And when it was removed from the facility and could phone home, it dumped all that data.”

“My son told his kindergarten teacher, ‘my dad steals things for a living but it's okay because he gets paid for it’.”

For X-Force Red, staying one step ahead of attackers is the name of the game. For many, being paid to carry out faux-heists may sound like an enviable career, but it is one that require an abundance of creative thinking:

“We're constantly looking at new and innovative ways to undermine someone's security. My son told his kindergarten teacher, ‘my dad steals things for a living but it's okay because he gets paid for it’.”

“You hear about all these people that pay for these escape room experiences...I get paid to do that same kind of problem solving!”

Jelly doughnut heist

The team had to deploy this outside of the box thinking in a recent operation, with an urgent security flaw in a major organisation’s security uncovered thanks to a box of doughnuts.

Henderson recalls how, when carrying out a physical adversarial simulation on a Fortune 200 financial organisation “that everyone’s heard of”, the team purchased jackets and computer backs with the firm’s logo from an online swag shop.

“Monday morning, [the team] picked up a box of jelly doughnuts. The plan was to create a situation where they were let onto the executive floor and they did this by using a device that caused the badge reader on the first floor to malfunction for a short period of time, and they were led up to the executive floor,” explains Henderson.

“The flaw in question meant that it was possible to access the administrative credentials for the swift wire transfer system.”

“Once they got to the executive floor they put a small end table outside the main conference room door, put the jelly doughnuts on the table and put a sign up that said, ‘apologies we have a financial audit that needs to use the conference room. Sorry for any inconvenience.

“Please enjoy a free jelly doughnut. Your meetings will be rescheduled to alternate conference rooms.’ And because everyone likes jelly doughnuts, no one reported it!”

This may sound like a plot out of Ocean’s 11, but the result of this operation was the uncovering of a major vulnerability in the company’s security. The flaw in question meant that it was possible to access the administrative credentials for the swift wire transfer system, which has the potential to be exploited to commit financial fraud.

Fixing, not just breaking in

However, X-Force Red is not only in the business of identifying security problems, but fixing them too. Henderson explains that once an operation is complete, an organisation must be left better prepared to face cybercriminals.

“Think of it as creative problem solving for the problems that you've created.”

“We need to make sure that whatever fixes we're suggesting, whatever remediation we take, we're doing something that doesn't get in the way of the primary business objective. It needs to be cooperative and that means that you get to be creative again.

“Think of it as creative problem solving for the problems that you've created. And sometimes that can be just as fun as breaking in is playing the cat and mouse game with yourself…All of this goes towards how we leave an organisation more prepared to face criminals than they were when we came in.”

With a plethora of new methods at their disposal, how can organisations prepare for the type of attack cybercriminals may deploy next? Henderson believes this involves a more complete vision of security.

“Treat a package just like you would a criminal. Meaning, if you wouldn't let a person into a facility, why are you letting an untrusted package in?...More importantly, though, on a grander scheme, start thinking like an attacker, whether it's physical, whether it's your network, whether it's an application layer, even whether it's hardware.

“You need to think through the eyes of an attacker.”

Back to top

Share this article