Warshipping Explained

In computer network security, warshipping is using a physical package delivery service to deliver an attack vector to a target. This concept was first described^[1] in 2008 at the DEF CON hacking convention by Robert Graham and David Maynor as part of a talk entitled “Bringing Sexy Back: Breaking in with Style”, that included various penetration testing methods. In their implementation, an iPhone box was modified to include a larger battery, which powered a jailbroken iPhone. A first-generation iPhone was chosen for this attack based on the reported run-time of 5 days when coupled with an external battery, whereas newer 3G iPhones of the era would reportedly run for 1½ days. A social engineering pretext was described that would trick the recipient into believing they had won an iPhone, in order to explain the shipment.

The advancement of low-power electronics, thanks in part to maker culture, has greatly increased the effectiveness of this methodology as a credible method of attacking networks. In 2019, IBM X-Force Red coined the name “Warshipping” and described an attack platform that included several low-cost components that could be combined, shipped to targets, and controlled remotely for 2–3 weeks. A solar component was also described to allow the devices to run indefinitely.^{[2] [3]}

Aspects of a modern warshipping attack include the following:

• Devices that are hidden from the recipient, potentially inside objects or inside the packaging material or box structure itself.
• Command and Control (C2) capability via a dependable communication medium. Most commonly this is provided via cellular modems.
• A power management strategy that allows the device to operate for weeks. Solar panels may be utilized to lengthen the run-time of the device.
• One or more devices used for the operational attack. These can include radios that are built for protocols such as Bluetooth, Wireless LAN, Near Field Communication (NFC), and software-defined radio (SDR) devices for capturing multiple types of protocols. Microphones, cameras, and other capture devices could be included as well.
• Satellite navigation (GNSS) technology for reporting on the location of the device, allowing the activation of certain capabilities upon delivery to its target.
• Passive triangulation to get around GPS signal issues

The increasing use of large, online retailers contributes to the relevancy of this attack. In 2019, the United States Postal Service reports that they deliver 484.8 million mailpieces per day.^[4] The name is by analogy with wardriving and wardialling.^[5]

Notes and References

1. Web site: DEF CON 16 - Bringing Sexy Back - Breaking in with Style . . 25 November 2013 .
2. Web site: Hack-age delivery! Wardialing, wardriving... Now warshipping: Wi-Fi-spying gizmos may lurk in future parcels. Iain . Thomson. 7 Aug 2019. www.theregister.co.uk. en. 2019-08-08.
3. Web site: Package Delivery! Cybercriminals at Your Doorstep. Security Intelligence. en. 2019-08-08.
4. Web site: One Day in the Life of the U.S. Postal Service .
5. Web site: New 'warshipping' technique gives hackers access to enterprise offices. Osborne. Charlie. ZDNet. en. 2019-08-08.