Hack in the box: Hacking into companies with “warshipping”

Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in—something they've dubbed "warshipping."

Using less than $100 worth of gear—including a Raspberry Pi Zero W, a small battery, and a cellular modem—the X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer dropped into a shipping box or embedded in objects such as a stuffed animal or plaque. At the Black Hat security conference here last week, Ars got a close look at the hardware that has weaponized cardboard.

We've looked at such devices, typically referred to as "drop boxes," before. Ars even used one in our passive surveillance of an NPR reporter, capturing his network traffic and routing a dump of his packets across the country for us to sift through. Covert drop boxes (once a specialty of Pwnie Express) have taken the form of "wall wart" device chargers, Wi-Fi routers, and even power strips. And mobile devices have also been brought to play, allowing "war walking"—attacks launched remotely as a device concealed in a bag, suitcase, or backpack is carried nonchalantly into a bank, corporate lobby, or other targeted location.