Warshipping: The latest trick in the bad actor’s playbook


Warshipping is yet another way hackers are taking advantage of how the pandemic has changed the workplace. Did you know you could be hacked by UPS, FedEx, or the postal service? Warshipping is shipping a small, self-powered device in a package addressed to an employee who is working from home, so that it arrives at your office and is left unattended. The device then sits there sniffing your WiFi traffic, eventually cracking the WiFi password, joining the network and attempting to steal secrets. This isn’t science fiction; it’s reality. It’s enabled by so much remote work, and by cheap technology such as the Raspberry Pi. Read all about it in this article on DarkReading.com: https://www.darkreading.com/edge-articles/i-built-a-cheap-warshipping-device-in-just-three-hours-and-so-can-you

In this episode, Prasanna and Curtis discuss what this is, how it works, and what you need to do to stop this new attack vector.
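As an added example (not from the episode or the DarkReading article), here is a small Python detector for one of the defenses discussed below: alert when a device that is not in your inventory (or that carries a Raspberry Pi OUI) takes a DHCP lease on the office WiFi, and when a device’s upload volume is out of proportion to its downloads, which is the exfiltration pattern. The log format, the device inventory and the thresholds are constructed for the example. One caveat the hosts also raise: this only catches the device once it actually joins the network and sends traffic; a purely passive sniffer produces nothing for a log-based detector to see.

```python
"""Added example: flag a warshipping-style device once it joins the office network.

Two signals discussed in the episode: a device that is not in the inventory
(or carries a Raspberry Pi OUI) taking a DHCP lease on the WiFi, and a device
whose upload volume is out of proportion to its downloads (exfiltration).
Log format, inventory and thresholds are constructed for this example; they
are not from the podcast or the DarkReading article.  A purely passive sniffer
never takes a lease and never sends traffic, so nothing here would see it.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "ip mac reason")

# Constructed inventory keyed by MAC; a real one comes from MDM/NAC/asset data.
KNOWN_DEVICES = {
    "3c:22:fb:12:34:56": "alice-laptop",
    "a4:83:e7:aa:bb:cc": "bob-laptop",
    "00:1a:2b:3c:4d:5e": "printer-3f",
}

# OUIs (first three octets) registered to the Raspberry Pi Foundation / Trading.
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed log lines, loosely modelled on dnsmasq DHCPACK messages and a
# per-host byte-count summary from flow export.  Only 10.0.20.77 is hostile.
SAMPLE_LOG = """\
2021-03-02T08:01:12 dhcp DHCPACK(wlan0) 10.0.20.14 3c:22:fb:12:34:56 alice-laptop
2021-03-02T08:05:40 dhcp DHCPACK(wlan0) 10.0.20.15 a4:83:e7:aa:bb:cc bob-laptop
2021-03-02T09:12:03 dhcp DHCPACK(wlan0) 10.0.20.77 dc:a6:32:9f:01:aa raspberrypi
2021-03-02T17:00:00 flow 10.0.20.14 tx_bytes=52000000 rx_bytes=410000000
2021-03-02T17:00:00 flow 10.0.20.15 tx_bytes=8000000 rx_bytes=120000000
2021-03-02T17:00:00 flow 10.0.20.77 tx_bytes=2100000000 rx_bytes=3000000
"""

DHCP_RE = re.compile(
    r"dhcp DHCPACK\(\S+\) (?P<ip>\S+) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) (?P<host>\S+)"
)
FLOW_RE = re.compile(r"flow (?P<ip>\S+) tx_bytes=(?P<tx>\d+) rx_bytes=(?P<rx>\d+)")

UPLOAD_BYTES_THRESHOLD = 1_000_000_000  # constructed: 1 GB sent in the reporting window
UPLOAD_RATIO_THRESHOLD = 10.0           # constructed: tx/rx; clients normally download far more than they send


def parse_log(text):
    """Return ({ip: (mac, hostname)}, {ip: (tx_bytes, rx_bytes)}) parsed from the log text."""
    leases, flows = {}, {}
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            leases[m["ip"]] = (m["mac"].lower(), m["host"])
            continue
        m = FLOW_RE.search(line)
        if m:
            flows[m["ip"]] = (int(m["tx"]), int(m["rx"]))
    return leases, flows


def analyze(text, known_devices=KNOWN_DEVICES,
            upload_bytes=UPLOAD_BYTES_THRESHOLD, upload_ratio=UPLOAD_RATIO_THRESHOLD):
    """Return a list of Finding(ip, mac, reason), one finding per rule that fired."""
    leases, flows = parse_log(text)
    findings = []
    for ip, (mac, _host) in leases.items():
        if mac not in known_devices:
            findings.append(Finding(ip, mac, "unknown-device"))
        if mac[:8] in RPI_OUIS:
            findings.append(Finding(ip, mac, "raspberry-pi-oui"))
        tx, rx = flows.get(ip, (0, 0))
        # Upload-heavy traffic from a client is the exfiltration pattern; guard rx == 0
        # so a device with no flow record at all is not flagged.
        ratio = tx / rx if rx else (float("inf") if tx else 0.0)
        if tx > upload_bytes or ratio > upload_ratio:
            findings.append(Finding(ip, mac, "upload-anomaly"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ip} {f.mac} {f.reason}")
```

Run against the constructed log, only 10.0.20.77 is reported, once for each rule. The OUI check is a cheap tell rather than a reliable one, since a MAC address can be spoofed (a point made in the episode), so the inventory and the upload baseline are the rules to rely on.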

Transcript

[00:00:33] W. Curtis Preston: Hi and welcome to Backup Central’s Restore It All podcast, I’m your host, W. Curtis Preston, AKA Mr. Backup. And with me, I have my AirPod loss consultant, Prasanna Malaiyandi. How’s it going, Prasanna?

[00:00:47] Prasanna Malaiyandi: I’m good, Curtis. I’m good. Isn’t that the problem with such small devices?

[00:00:52] W. Curtis Preston: It, it, it really is. And I haven’t even told you the, the end of the saga, right? Because you, you remember, I had, I had a, I had a missing AirPod, right. And, and just to make it worse, it was an AirPod Pro, so it’s like more expensive and I didn’t, and no, I didn’t pay for the insurance, which, you know, given the costs and everything I really should have.

So. I, um, I couldn’t find the one, the one AirPod and I, as you may know, I recently had my office painted. So, you know, viewers that are watching this, you can see this, this is Agreeable Gray behind me, that is the official color of it. Um, cuz it was like peach for the longest time, cuz this was originally a nursery. And in the midst of cleaning my office, I found the missing AirPod.

[00:01:42] Prasanna Malaiyandi: Where was it?

It

[00:01:44] W. Curtis Preston: It was just literally laying on the floor over on the corner. So I went to my wife and I said, guess what? I found the missing AirPod. And she said, guess what? I found your AirPod case and your other AirPod. Where did you find it?

In the wash.

[00:02:00] Prasanna Malaiyandi: Did it actually run through the wash?

[00:02:02] W. Curtis Preston: Oh yeah. Yeah. It is, it is muerto, my friend. So guess what I have now?

[00:02:10] Prasanna Malaiyandi: you just, well, I see that it looks like you’re wearing a new set of AirPods.

[00:02:14] W. Curtis Preston: But guess what? This one has.

[00:02:18] Prasanna Malaiyandi: A Tile on the back. Wait, so are you gonna put one on the AirPods too?

[00:02:26] W. Curtis Preston: No, the thing is the AirPods themselves has if the AirPods themselves. So first off, I’m gonna be much more like if I can’t find my AirPods right now, I’m gonna make it my top priority to find the missing AirPod at that moment. Right. I’m not gonna go, oh, I find it later. Cuz you gotta find it while it has charge.

But I also would misplace them in a case. Right. Because there’s no, there’s no feature to find the case. And uh, so. Yeah. So I decided to put a Tile on it, and it looks doofy as hell, but you know, it is what it is. I, I, I’m such a big fan of the Tile family, if you will. Uh, I have a Tile, I have a, the credit card Tile in my wallet.

I have a Tile on my, on my keys and, this is a very easy segue into what I wanted to talk about this week. Which is this concept of warshipping, which is a, not to be confused with worshipping, which is very different.

Um,

[00:03:25] Prasanna Malaiyandi: I didn’t,

[00:03:25] W. Curtis Preston: they, they sound very similar to the non-native English speaking ear, uh, war, as in battle, and shipping, uh, what, what would you, what would you define warshipping as?

[00:03:42] Prasanna Malaiyandi: it’s almost like remote hacking, if you will. Right. Where except. It’s taking that plus you’re adding in, like, I know we’ve talked about sort of physical penetration testing before in the past where you’re trying to break into a building. Warshipping is like doing that without having to take as much risk. Right.

You’re basically shipping a device to a company. And letting it sit in the company and using it in remotely accessing and try to gather all this information from their networks, etcetera, all remotely, without ever having to be anywhere near the company. And the fact that they don’t even know that that device is there potentially.

[00:04:25] W. Curtis Preston: That is. Yeah. And by the way, we, the first time I saw warshipping demonstrated, if you will, is in what TV show? No.

[00:04:38] Prasanna Malaiyandi: That’s

[00:04:39] W. Curtis Preston: actually, Mr. Robot was the one I was thinking of. It’s quite possible. I’ve seen, you know, I watched a lot of Alias. I was a big fan of Alias, but the thing was the tech in Alias was often so like out there, right.

Like I remember there was the one that I really think about was that they wanted to suck a bunch of data out of a server and they couldn’t physically break into the server room, but they could physically break into. They could hover over the server room, like, you know, like the scene in, um,

[00:05:11] Prasanna Malaiyandi: Mission: Impossible.

[00:05:13] W. Curtis Preston: like that.

So like hover in that way. And what they got was she had a hard drive with a built in wireless modem. And all she had to do was like, like hang upside down within like two feet of the server. And all of the data would transfer wirelessly up to this device via the wireless modem.

And it was like,

[00:05:34] Prasanna Malaiyandi: cone from 2000

[00:05:36] W. Curtis Preston: Yeah. I mean, it’s totally possible.

Right. And the thing was, I don’t remember what the number was, but it was something like 20 terabytes and it’s like, you know, cuz they actually gave the size. They’re like, oh this is 20 terabytes of data. And I’m like, so 20 terabytes of data. Wirelessly, nevermind the fact that just, I don’t understand how it’s supposed to connect to the server, but let’s just let that go.

You’re gonna transfer 20 terabytes of data wirelessly in 30 seconds. I want that box. That’s what I remember thinking, but no, that’s not what I was thinking about. I was thinking about, uh, as I recall, didn’t he want to hack, didn’t he want to hack into what did they call it? Steel Mountain.

[00:06:16] Prasanna Malaiyandi: Yes, I think it was called Steel Mountain. Yep.

[00:06:19] W. Curtis Preston: Clearly an allusion to Iron Mountain. Right. They wanted to hack into the Evil Corp and, and so they, they sent a device and as I recall, didn’t

[00:06:30] Prasanna Malaiyandi: it was like a cellular device. Yeah. It was a cellular device. I believe that had like a WiFi hotspot and would attack their network and allow them to take over like the security controls and other things like

[00:06:42] W. Curtis Preston: Right. Right. And because as you know, we often say that if you can gain physical access, all bets are off. Right. I, I think warshipping. I, I don’t, I’m not sure if that would qualify as warshipping because this is a specific, you know, and again, I’m not a cybersecurity expert, but to me, I think the idea is you’re not even gonna do the physical penetration.

You’re gonna do it remotely via something.

[00:07:14] Prasanna Malaiyandi: I, but I think though the first part of what they did in that episode, I know it’s a fictional show that we’re talking about Mr. Robot, but I think at least the first part could be considered warshipping. Right. Because he is sending a device remotely letting it sit there. I think it was sitting in the mail room if I recall.

Right. And it got.

[00:07:32] W. Curtis Preston: I, I, yeah, well, if that’s the case and I withdraw my objection, your honor. But what I remember was that he like stuck it, that he actually went in

[00:07:39] Prasanna Malaiyandi: Oh, he went in

[00:07:40] W. Curtis Preston: on a wall. Yeah. That’s why I’m saying, but anyway, again, it doesn’t matter, but that’s the thing that matters is that we’re shipping a device.

[00:07:47] Prasanna Malaiyandi: Yep.

[00:07:48] W. Curtis Preston: that is going to somehow remotely, uh, monitor. And this article that we found, which, which I’ll put it into the, um, into the show notes, on a, a site called darkreading.com, which is, it’s not a little light reading, it’s dark reading. Um, and the idea is that. What, what he was saying or, uh, yeah. Will Plummer, chief security officer at RaySecur, is that there are so many of these mini computers and he specifically called out the Raspberry Pi.

[00:08:27] Prasanna Malaiyandi: Pi. Yep.

[00:08:29] W. Curtis Preston: Um, and you know, that it comes, it comes with everything you need. Then you just need to give it some storage and some power and, and, uh, it says, um, so it’s just interesting. Yeah. So the idea is that he described how you could easily build a warshipping device that could fit in an envelope, power itself for quite a long time, and then get shipped to a company and then just sit there, sucking up all the data that it could.

So my question to you Prasanna is why wouldn’t that device get noticed?

[00:09:07] Prasanna Malaiyandi: Well, it depends right now, if we’re in the middle of a pandemic where no one’s going into an office, right. That’s a perfect opportunity. You ship something. No, one’s gonna really be checking the mail that often people aren’t going by the mail room and pulling a package. Right. So it might go into the mail room.

Someone’s like, oh yeah, it’s Steve Smith’s mail. They leave it on Steve Smith’s desk. Steve Smith may not show up at the office for like two weeks, three weeks, or he may never come in. Right. And that’s a lot of time for a device to be sitting there listening to all the network connections, not being discovered because who’s gonna open your mail.

Right. That’s just kind of creepy.

[00:09:45] W. Curtis Preston: well it’s and, you know, and it’s a federal crime depending on to whom the mail is addressed. Right. So, yeah, so that it’s. Yet another example. And we’ve talked about this before on the podcast. It’s yet another example of how the pandemic has created another opportunity for hackers.

So in this case, you know, we’ve talked about how that. So many people have, have moved to work remotely and because they’re working remotely, they’re no longer behind their company’s firewall and they’re working in, you know, Starbucks or whatever. And they, uh, they, you know, so they’re, they’re more open perhaps to being attacked directly. By ransomware or, or other malware. And in this case, this is it’s the, the data center it’s sort of now the data center or the, or the, or the office as it were, has been ignored. And so all these people are receiving packages and. Those packages could very easily contain one of these warshipping devices, which could then sit on the network for a really long time.

So my question to you, and again, go ahead.

[00:11:02] Prasanna Malaiyandi: But I think there’s a couple things I wanna bring up, right. The first is that yes, it could sit there and it doesn’t just directly get onto your WiFi. Right. There are packages, software packages out there that allow you to either passively or actively try to attack and break into the wireless network by listening to packets, trying to break the, uh, encryption.

Right. Figuring out what the key is to be able to access the network. Right. So assuming it’s done that though. I think actually the fact that there are less people in the office should trigger alarms when an unknown device shows up on your network, right? It’s not like you’re gonna have hundreds of people who are coming into the office now logging in, bringing their own device, etcetera.

Right? If this is really a shut down office, right? The fact that a new WiFi device joined your network should hopefully flag or trigger some alert.

[00:11:57] W. Curtis Preston: It’s funny. This is gonna be, this is a total non sequitur, but shutdown is another one of those words. It’s a compound word in English where as a, as a noun, it’s one word, as a verb. It’s two words, just like backup.

Backup is two words when it’s a verb and it’s one word when it’s a noun.

[00:12:15] Prasanna Malaiyandi: Gotcha.

[00:12:17] W. Curtis Preston: anyway, sorry, you know, for those, you know what, if you learn nothing today, you learn that backup is two words when it’s a verb and it’s one word when it’s a noun. I, if I back up, I create a backup. If I back up. That’s two words.

And why is it two words? Because I, I, back up, he backs up, she backs up, he backed up, right? So it allows for different tenses. Anyway, sorry. I digress.

[00:12:46] Prasanna Malaiyandi: And today’s grammar lesson brought to you by the letters A and E.

[00:12:52] W. Curtis Preston: it’s one of my pet peeves, by the way, uh, when people spell backup as the

[00:12:57] Prasanna Malaiyandi: with two.

[00:12:59] W. Curtis Preston: With with, with, with no, as one as one word, uh, or vice versa, either way, either way. I I’m I’m easily peeved as you know, but, but yeah, so, so we’ll talk about some preventative stuff in a minute. Uh, my question, you know, you said, cuz that was gonna be my question.

Well, I, when I go in, when I go into the Druva corporate network, for example, by the way, Prasanna and I work for different companies. He works for Zoom. I work for Druva. This is not a podcast of either company and the opinions that you hear are ours. Also be sure to rate us at ratethispodcast.com/restore and, um, or, uh, just click, you know, scroll that, especially if you’re on Apple Podcasts, just scroll to the bottom, hit the stars, give us a comment.

We love it. And, uh, we also love to hear from you if you know, more stuff, if you know more about this warshipping stuff than we do, which by the way, that’s pretty possible. Uh, because we’re, we’re totally faking it at this point

[00:14:04] Prasanna Malaiyandi: Or if you have other movies that it happens

[00:14:06] W. Curtis Preston: or yeah. Yeah. Actually, if you wanna discuss, if you wanna discuss why the technology in Alias was way better than I think it was, you know, whatever.

Um, anyway, I’m just saying I’ve met Jennifer Garner. I’m just saying. I met her and I’m pretty sure she, it was as memorable of an experience for her as it was for me. So

[00:14:29] Prasanna Malaiyandi: and.

[00:14:31] W. Curtis Preston: So here’s my question. So you, so that was what I remember asking you. Well, just because when I go into the Druva office and, and if I have a new device, getting onto the Druva corporate network is not easy peasy, I’ve got to have the right SSID, I’ve gotta have the right, uh, password. How, how does that happen if you’ve just got a random device that doesn’t have that information,

[00:14:55] Prasanna Malaiyandi: So

[00:14:56] W. Curtis Preston: how does it get onto the

network?

[00:14:57] Prasanna Malaiyandi: Sure. It’s not as secure as you think. The fact that people go and say hide network from broadcasting SSID doesn’t actually prevent anything. Right. It’s kind of, uh, it’s hidden, but there are tons of tools that are still able to figure out what the SSID is based on what’s being broadcast.

So that’s not a good way to protect the network. In fact, a lot of people. Don’t even bother hiding it because it just makes things more complicated for guests and other people to find your network. Right now, once you know what the SSID is, right. There are tools. That’ll sit there, suck up all the packets.

Right. And then eventually things have gotten smarter that they’re able to break the encryption key and figure out what’s the passcode to get into your network. Right. So it’s not bulletproof.

[00:15:42] W. Curtis Preston: that sounds bad.

[00:15:43] Prasanna Malaiyandi: And especially if you have a warshipping device sitting there for a day, a week, right. Just sucking up all this information.

It can just sit there and passively listen. Right? Because airwaves are airwaves. So anyone can listen in on those airwaves, on the fact it’s going back and forth, right. Especially in networks where maybe they’re using WPA2 or even WPA, the older standards, right. Not WPA3, which is the latest and greatest, or they, or they’re using.

TKIP rather than AES for the encryption. Right. Don’t ask me what it stands for. I just know that TKIP is less secure than AES. Right. But there are all these things,

[00:16:18] W. Curtis Preston: It’s it’s it stands for the keys. I prefer.

[00:16:23] Prasanna Malaiyandi: Is it really? I don’t think

[00:16:26] W. Curtis Preston: have no idea. No, I don’t think so. I have no idea what TKIP stands for.

[00:16:31] Prasanna Malaiyandi: But there, there are all these issues. Right. And so. there are ways to break into networks or say you have a vulnerability, or you don’t have the latest patches on your access points. Right. That could also be another way. So it’s not unknown. Right.

[00:16:47] W. Curtis Preston: right.

[00:16:47] Prasanna Malaiyandi: a matter of time. And like you said, if you have a warshipping device that’s sitting in your, at your corporate office, right.

It can sit there for weeks without being recognized and just keep sucking up all this data.

[00:16:59] W. Curtis Preston: why wouldn’t I, why would I go through that trouble? Why wouldn’t I just like drop one of these things, like right outside your building,

[00:17:10] Prasanna Malaiyandi: Someone might

[00:17:11] W. Curtis Preston: and remotely access your yeah, no, that’s a good

[00:17:15] Prasanna Malaiyandi: someone might see. It depends also on how the WiFi is configured. Right? Some people might not have full coverage really outside, or they might have sort of different networks sitting on the outside versus the inside. right. Depending on

[00:17:30] W. Curtis Preston: Uh, I mean, I mean, yeah, it might just be a weak signal outside, but yeah, but this is a super easy way. Send it to a person that’s a remote employee and, you know, or just send a bunch of them. Right. You only have to get right with one of them. The, um, So, so you’re saying that over time, given enough time, you could, you know, theoretically, and again, this is one of those things where you don’t have to be successful with everybody.

You just have to be successful with one company.

[00:18:02] Prasanna Malaiyandi: Yeah. And the

[00:18:03] W. Curtis Preston: yet another method

[00:18:05] Prasanna Malaiyandi: the other thing also is computers have gotten blazingly fast processing and computing. That what used to take a while to try to break like an encryption algorithm right now, it doesn’t take as long as it used to. And like you see right with the Raspberry Pi and other things like that.

Right. It’s conceivable that it won’t take you that long to actually break that encryption.

[00:18:28] W. Curtis Preston: Yeah, he talked about, um, he said he talked about a Raspberry Pi. Um, and then he said, he’d use a WiFi dongle. Um, so he can connect to the internet. Right. Uh, and then

[00:18:42] Prasanna Malaiyandi: I think actually the wi, the WiFi dongle is actually to connect to the WiFi network of the company. And

[00:18:49] W. Curtis Preston: Yeah, so basically he’s talking about two different connections. One to be able to, to do a, a, to get a SIM card and a cellular connection, an optional GPS device. That’s.

Right. Um, but all these are little things that you can easily plug into a Raspberry Pi without very much cost and, and send it in.

Right. And again, I, I don’t want the, I don’t want this to be, you know, blaming the tool. Right. Raspberry Pi is a pretty cool device. This isn’t Raspberry Pi’s fault. It’s just what, what, I think what the true culprit, if you will, here is that you have this ability. Where you have all these offices that are, that are, you know, relatively unoccupied, right.

And you, you just send a device and it can just sit there all this time. So let’s talk about, um, you know, you’ve talked about it already, but let’s talk about ways that you can prevent this. So, um, the, the first, you know, you, you’re saying that. We’re going back to sort of monitoring. You should be monitoring your network traffic for all kinds of things.

And before we even talk about this one, let’s talk about some of the things that we’ve mentioned on other episodes, things that you should be looking for first off, I, I agree a lot with. You know, we’ve had Snorkel42 from Reddit on here, and he talks a lot about preventing lateral movement. And I think that that’s a really important thing that you should be, you should be blocking.

You should also, I think, be looking for things that are trying to do lateral movement. Right. Um, and you should be. Um, and I think, and again, I understand that this is harder and you know, which therefore means it’s gonna come with more cost, but the idea of using some sort of machine learning to monitor what is normal network traffic for, for every device on your network.

And then when you see a new device or you see a significant change in. The the, the bandwidth utilization, especially upload, you know, cause somebody’s doing exfiltration. Um, he, he, then, then, then you, you shut that down, right? You shut that down, contact that person and go, Hey, what what’s going on? They’re like, oh, you know, I suddenly, I started producing videos for the company.

Oh crap. Sure. You know, no problem. Right. No big deal. Right. Sorry, Alex. Um, but so, but the, uh, but then you’re like, oh, I, I wasn’t doing anything. And you find out while the guy’s got ransomware and it’s uploading all this data. Right. Um, and then the other thing that I remember, um, Snorkel42 talking about was the idea of blocking access to.

Um, new domains, right? Newly registered domains or newly activated domains. That’s a that, I think that’s an important one. And we’ve had the, the DDI folks on here, the, the idea of blocking access to weirdly named domains. Right? You remember that, that, that command and control servers have these really long domains and that no one would ever type.

The only reason they’re so long is because that each part of that domain. Name is a, is an instruction, right. Or a request. And then it responds with the appropriate instruction. And, um, there are a bunch of things that you can do like that to prevent malware from executing once it gets in. Right. Um, and this would be an example of a way that malware would get in.

[00:22:29] Prasanna Malaiyandi: Just going back to sort of the monitoring aspects and the flagging. I like the anomaly detection that you talked about looking at basic patterns. Um, I think what becomes challenging is as companies, and this was even pre pandemic. Right where people would bring their own devices. Right. Because I everyone’s like, Hey, I’m more efficient.

Right. And so you now have a lot of random devices that aren’t corporate controlled showing up on your network. Right. I think that becomes a challenge. It’s in terms of how do you ensure employees are productive, right. And have easy access to devices they want versus, um, locking everything down and securing it.

Right. This is kind of what Snorkel42 also talked about. Right. It’s kind of the trade off between. Ease of use versus security. Right. And there’s always gonna be that tension that

[00:23:19] W. Curtis Preston: Well, he, he, he, he seemed to be okay with what I was suggesting though, of the, sort of the stomp on somebody’s foot and say, oh, sorry. I, you know, and then lift it up for that one person who has a legitimate reason. And by the way, I think, and again, I’m not an expert in those particular types of product, but I would think that that particular, uh, challenge would be easy to.

Would be easily dealt with, by for example, we have a standard profile for a new device. That’s on the network. A new device does a lot of lookups does a lot of browsing. Doesn’t send a lot of data,

[00:23:58] Prasanna Malaiyandi: But I, I

[00:24:00] W. Curtis Preston: And then when you know what I mean, I’m just saying on again, you could have, you could have a, a usage of a machine learning pattern for, this is what a new device looks like.

And then that device, that device that just came on, it’s sending a whole bunch of data up, shut it down and then go figure out why.

[00:24:18] Prasanna Malaiyandi: But I’m wondering.

[00:24:19] W. Curtis Preston: it’s impossible.

[00:24:20] Prasanna Malaiyandi: It’s not impossible, but I’m just wondering, given limited IT budgets, given limited resources and skill sets, right. Are most companies really going to be able to invest and manage a tool like this? Or is it one of those things where people are like, yeah, warshipping or these random devices coming on the network?

I know it’s an issue, but it’s not the. Immediate thing. And like you said, going back to what you were talking about, right? How do you prevent lateral movement instead of trying to prevent them from coming in? How do you prevent the damage if they get in?

[00:24:53] W. Curtis Preston: Yeah. Um, I, I, I do think, and you, you may recall that that. That his advice was he had a longer list before we, before you got to what I’m talking about. He didn’t have any problem with what I was saying, but he, but he wanted to like block access to, to weird domains. He wanted to, uh, limit lateral movement.

Uh, he wanted to do MFA everywhere. Uh, do least privilege everywhere. These are all basic concepts of computing that everyone should be doing everywhere they can. And the, uh, and no one should be administering a server via root anymore, right. Or administrator, it should, that should just never be happening.

And, um, the. Uh, and the only place you should be able to log in as root should be at the console and you know, all these different things. Right. And, uh, and I think it should be a, like a breaking glass situation, right? If someone needs the root password, the root password is somewhere available, but you gotta go through all these different levels of change to get the access, you know, all of those things.

I think those are all great. I guess the reason why I focus so much on. This concept of monitoring the network for even if again, something is better than nothing. That, that, that’s another concept that he talked about a lot about something is better than nothing. If you could get, you know, a basic tool that just did you know that just even if you, if, if you didn’t do the automated shutdown, but you got a basic tool that just monitored for the upload patterns of every device.

And then you, you found a device that suddenly was, you know, this really high and you could, you know, find out who the device is, right. Flag it. Right. Uh, again, with the, with the BYOD situation. I don’t know how you figure out who that device is. Other than to shut it off, honestly, other than to shut it off, you probably won’t be able to do it automatically with a less expensive tool, but you shut it off and then what’s gonna happen is Fred’s gonna come to the IT department and go, Hey man, I got good on the Yeah, well that’s because you were uploading stuff. Um, and, and then he’s like, I know what you’re talking about. Well, you found, you found your culprit, right? That, oh, by the way, I, I just want the reason why I’m so hot on. And maybe even more so, and again, it’s because of my backup background and that is that a good air gap.

Backup is the best defense against traditional ransomware.

[00:27:39] Prasanna Malaiyandi: Mm-hmm

[00:27:40] W. Curtis Preston: There is no defense against exfiltration once it has happened. None. And that’s why I, I perhaps focus on that a little bit more. I think all the other stuff is, is good. Uh, I just like this idea of somehow using something, you know, um, and, and another, I think maybe easier one on the built-in devices is, is whitelisting

right on the company.

Devices is whitelist, you know, application whitelisting.

[00:28:11] Prasanna Malaiyandi: Yep.

[00:28:12] W. Curtis Preston: everything I.

[00:28:13] Prasanna Malaiyandi: right.

[00:28:14] W. Curtis Preston: Yeah, application, well, I think both right. Um, you know, application and, um, the other thing it’s like, you can, you know, there’s just ways, I think you could, you could somehow limit an individual device’s ability to start downloading or uploading the entire company’s intellectual property.

Okay. So enough about that, let’s talk about , let’s talk about what this episode’s actually

[00:28:41] Prasanna Malaiyandi: so, so going back to, this is an actual device. I think we kind of went down the, okay. How do you do it once it’s in your network? But I think there’s a whole bunch of basics, even before we get to that. Right. Curtis,

[00:28:53] W. Curtis Preston: Yeah. Yeah.

[00:28:55] Prasanna Malaiyandi: this is a physical device, right? It’s landing on someone’s desk. What can you do before?

It just like sits there.

[00:29:02] W. Curtis Preston: Well, I think one of the things, well, the question, you know, in no particular order, this is just what’s coming to my mind. One is, you know, physical security. Um, you, you know, this is, this is a physical security problem before it’s anything else. They’re talking about physically processing packages.

And there also, there are mail scanning technologies. There’s a box. You can run all the mail through and go, Hey, this thing is, this thing is broadcasting a signal. You know, this is a problem, right? You can do that. You can scan the thing before it comes in. The other thing is what,

[00:29:37] Prasanna Malaiyandi: put it in a Faraday cage,

[00:29:39] W. Curtis Preston: what

[00:29:40] Prasanna Malaiyandi: put it in a Faraday cage

[00:29:41] W. Curtis Preston: put all, can you buy a big Faraday cage?

[00:29:46] Prasanna Malaiyandi: They did in Enemy of the State.

[00:29:51] W. Curtis Preston: I just mean a big enough one, you know, can you make the mail room a Faraday cage,

[00:29:55] Prasanna Malaiyandi: I bet you could.

[00:29:57] W. Curtis Preston: Yeah. So that, that, that could be another way to do it. Right. Uh, poor guys in the mail room, they don’t get any WiFi. The, um, the, the other is the, the device whitelisting that you talked about. Everybody needs to have a conversation with IT before their device is allowed on the network. Is that. So is that, is that unreasonable? What do you think?

[00:30:21] Prasanna Malaiyandi: So it it’s reasonable. I think the challenge is, or that they get segmented off into a separate wifi network where they get almost zero access. Right?

[00:30:31] W. Curtis Preston: they get, they basically, this is guest versus

[00:30:33] Prasanna Malaiyandi: yeah. Yeah. Now,

[00:30:35] W. Curtis Preston: Doesn’t see anything in the corporate network. All it gets is ability to Google stuff.

[00:30:40] Prasanna Malaiyandi: yeah. Now the only challenge is how you end up doing that whitelisting. Um, there are issues, depending on what sort of method you use. If for instance, you’re just using MAC address filtering, MAC addresses can be spoofed, right? So it’s not a great mechanism to

[00:30:56] W. Curtis Preston: But you would,

[00:30:57] Prasanna Malaiyandi: device

[00:30:58] W. Curtis Preston: I mean for this device, sorry to interrupt there, but for this device, you know, you’re, we’re assuming that this device is just a dumb device that wouldn’t know what MAC address to spoof.

[00:31:09] Prasanna Malaiyandi: oh, it could.

[00:31:09] W. Curtis Preston: You know?

[00:31:10] Prasanna Malaiyandi: It could, if it’s sniffing all the wireless packets, it would be able

[00:31:13] W. Curtis Preston: Oh, you’re saying, you’re saying it’s oh, geez, man.

[00:31:17] Prasanna Malaiyandi: And, and especially if

[00:31:18] W. Curtis Preston: stuff, man.

[00:31:19] Prasanna Malaiyandi: and especially if it’s a passive device, right. It’s just sitting there listening to everything coming across the airway. So

[00:31:25] W. Curtis Preston: so, alright, so you, you clearly know more about wifi than I do. Can we monitor for this device that is sniffing packets? Can

[00:31:34] Prasanna Malaiyandi: if it’s passive, if it’s passive, you can’t tell at all, because it’s just airwaves, right. Wifi is just a signal.

[00:31:41] W. Curtis Preston: Right. Right. So what,

[00:31:45] Prasanna Malaiyandi: So the, which is why I said from a, the best thing is, like you said, go back to the physical security aspects, right? Try to prevent the wifi device from sitting or the warshipping device from sitting in your corporate mail room or in your location for long periods of time. Right. Have a process to take the packages, scan it.

If you can. If you don’t have a scanning ability, contact the recipient, say you have this package, come pick it up within a certain amount of time, forward it off to the person if you have to. Right. Ask them if they’re expecting a package, or even if you can open the package. Right. If they’re not expecting something, ask, can I open it?

Right. There are so many different options,

[00:32:28] W. Curtis Preston: So number one, you’ve got to have someone actively managing all of the mail from all of these people that are getting mail during the pandemic, right?

[00:32:38] Prasanna Malaiyandi: Yep.

[00:32:38] W. Curtis Preston: this is gonna be at, at a minimum. This is gonna be a bulky envelope, right? One of those puffy

[00:32:44] Prasanna Malaiyandi: Yeah.

[00:32:46] W. Curtis Preston: envelopes, and possibly a box. And you have rules specifically for those. You contact, you need to contact a person and ask what should be done with this thing.

Right. Uh, and if they’re not expecting a package, perhaps yeah. You could create a policy. Right. Um, I don’t think you should be randomly opening mail from people that

[00:33:08] Prasanna Malaiyandi: Without their permission

[00:33:09] W. Curtis Preston: to do it. Right. Right.

[00:33:11] Prasanna Malaiyandi: you should yeah. Or forward it off to them or whatever else is. Yeah.

[00:33:16] W. Curtis Preston: I, I think that basic based on what I’m hearing from you, this is really the only choice,

[00:33:22] Prasanna Malaiyandi: I,

[00:33:23] W. Curtis Preston: right.

Because the whitelisting, the, the device whitelisting wouldn’t stop the person, you know, the, the box that has spoofed, you know, sniffed packets, has spoofed the

[00:33:36] Prasanna Malaiyandi: well, and this is where I was saying that it depends on what methodology you’re using for whitelisting. There’s other things like RADIUS authentication and other certificate-based authentication and other things, which you could also use for whitelisting. Right. And so that’s why I said, if you’re just doing basic MAC address filtering, it’s not strong enough.

[00:33:57] W. Curtis Preston: Okay. So, so, so then we, we do have this additional, this is, this is all in the line of like for more money

[00:34:05] Prasanna Malaiyandi: Yeah. Yeah.

[00:34:07] W. Curtis Preston: stop this completely by a more robust whitelisting system than MAC address

[00:34:14] Prasanna Malaiyandi: Yeah,

[00:34:15] W. Curtis Preston: Yeah. Okay. Yeah. That makes sense. Um, but I, I think it, I think like a lot of it, you don’t, you don’t leave your data center open, wide open, and so you shouldn’t do this. This is essentially an intrusion into your data center, right. Or into your corporate network. And so you shouldn’t leave that wide open. I guess there are many people like me that just never thought of warshipping as a way to get into a corporate network.

And so they’re not thinking about these incoming packages as a potential.

[00:34:55] Prasanna Malaiyandi: Yep.

[00:34:55] W. Curtis Preston: And so you need to think about those packages as an internal, as a, as a potential risk. And they need to be handled physically before they can do any damage.

[00:35:05] Prasanna Malaiyandi: The other thing to consider is I know we’ve been talking a lot about corporate environments and warshipping, but also if you get a random device in your mail, right from someone and it looks like a camera or something else. And you’re like, oh, that’s kind of cool. Let me plug it in. Don’t plug it in. Right.

Be very careful at home also of putting random things on

[00:35:27] W. Curtis Preston: your network.

I read this article and I was like, dang, that is just something I never thought about in my life.

[00:35:34] Prasanna Malaiyandi: so it’s interesting because there was actually an uptick in these articles about warshipping back in 2019 as well. When I did some Googling.

[00:35:43] W. Curtis Preston: Uh huh.

[00:35:44] Prasanna Malaiyandi: So this isn’t the first time it’s come out. But I think specifically with the pandemic and everything else, it’s kind of coming back to the forefront. In fact, warshipping here’s something.

I was just looking it up. I don’t know how accurate this is. Warshipping is a term coined by IBM in 2019.

[00:36:08] W. Curtis Preston: All right. That’s kind of cool. Good old, IBM still, still setting the bar, raising the bar, whatever you wanna call it.

[00:36:16] Prasanna Malaiyandi: that’s probably why all those articles started in 2019

[00:36:20] W. Curtis Preston: You could put it in a place in your building that doesn’t have wifi.

[00:36:24] Prasanna Malaiyandi: Yeah.

[00:36:25] W. Curtis Preston: There are places in your building that you know, where they are because you tried to use the wifi there and it doesn’t work.

[00:36:32] Prasanna Malaiyandi: Or you just have all packages delivered to an offsite facility. Don’t have it delivered to your corporate network.

[00:36:37] W. Curtis Preston: you know what you could have, you could have your, you could have packages, like I’m sure that that could be managed for you.

[00:36:43] Prasanna Malaiyandi: Yeah.

[00:36:45] W. Curtis Preston: That wouldn’t be free, but it could be managed for you.

[00:36:47] Prasanna Malaiyandi: Yeah.

[00:36:50] W. Curtis Preston: All right. Well, once again, we have solved world peace. Uh, so thanks for, thanks for helping me keep people safe, Prasanna.

[00:36:58] Prasanna Malaiyandi: Anytime. And thanks for sharing that article, Curtis. Yeah. It’s now we’ll have to go back and watch Mr. Robot and figure out what exactly he did if it was warshipping or something else.

[00:37:08] W. Curtis Preston: Yeah, I, yeah. My memory is like he was a janitor. Like he pretended to be a janitor and then stuck the thing. Thanks to the listeners. Uh, for those of you that stuck out this long and remember to subscribe so that you can restore it all.


1 comment
  • The r-pi 4 ‘official’ power supply is 5V 3A. I suspect 1A or less is more reasonable for a warshipped device not running all cores at 100%. Assuming you want to scan wifi for a week, that’s 168 hours, so 168 Ah at 5V, or a 840 Wh battery. Probably going to be 3 kg just for the battery. TSA allows up to 100 Wh max for carry-on lithium batteries, so we’re talking a pretty hefty power source. (Also, the r-pi series isn’t known for power management; after all, at heart it’s a set-top box chip!)

    Why not a rooted Android cell phone instead? You could use the wifi to scan and the cell network to upload and do the passcode cracking offsite with a beefy server. Scan for bluetooth, too, while you’re at it. It’d also be a lot less suspicious if anyone opened the package. Well, maybe not if it’s plugged into a half dozen USB power banks to run the phone for a week or two… 😉

    Haven’t watched Mr. Robot in a long time, but as I recall he wanted a tour of Steel Mountain, they blew him off, the team built a Wikipedia page in realtime, then he got his tour after they looked him up as Sam Sepiol. Once in he ran into Tyrell, turned his nose up at the mess hall, ended up in the executive dining room, and was able to install the r-pi in place of (an HVAC control panel?) which had a LAN connection. I guess then they could use their remote access to override the HVAC temperature and warm it up enough to ruin all the tapes? Damn, that was a fun show, even if it sorta went off the rails there at the end.

    Enjoyed the podcast, guys. (Must resist urge to search for cheap old LTO hardware to play with…)
