You've heard about wardriving, but what about warshipping? Researchers at IBM X-Force Red have detailed a new tactic that they say can break into victims' Wi-Fi networks from far.
The company calls the technique warshipping, and it is a more efficient evolution of wardriving, a popular technique among hackers seeking access to any wireless network they can find. Whereas wardrivers drive around a wide area with a directional antenna looking for wireless networks to crack, IBM's researchers took a more targeted approach.
Speaking at Black Hat USA, IBM researchers explained how they used off-the-shelf components costing under $100 to create a single-board computer with Wi-Fi and 3G capability. This enables it to connect to a Wi-Fi network to harvest data locally and then send it to a remote location using its cellular connection. The small device runs on a cell phone battery and easily fits into a small package.
Attackers can then send the device to a company via regular mail, where it will probably languish in a mail room for a while. During this time, it can connect to any Wi-Fi networks it finds in the building and harvest data – typically a hashed network access code. It sends this back to the attacker, who can then use their own resources (or a cloud-based cracking service) to extract the original access code. At this point, they have access to the company's Wi-Fi network.
The warship device could access the Wi-Fi network and mount a man-in-the-middle attack, impersonating a legitimate Wi-Fi access point and coaxing company employees to access it. It would then be able to harvest their credentials and other secrets, IBM explained.
The device could be programmed to wake up periodically and use its 3G network to check a command and control server for instructions on whether to begin its attack or go back to sleep. This would help preserve its battery, IBM said.
The concept works in practice, warned the company, which said: "In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target’s systems."
Chris Henderson, global head of IBM X-Force Red, has written up the attack at SecurityIntelligence.