Hack in the box: Hacking into companies with “warshipping”

'Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in, something they've dubbed "warshipping."

Using less than $100 worth of gear, including a Raspberry Pi Zero W, a small battery, and a cellular modem, the X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer dropped into a shipping box or embedded in objects such as a stuffed animal or plaque. At the Black Hat security conference here last week, Ars got a close look at the hardware that has weaponized cardboard.

We've looked at such devices, typically referred to as "drop boxes," before. Ars even used one in our passive surveillance of an NPR reporter, capturing his network traffic and routing a dump of his packets across the country for us to sift through. Covert drop boxes (once a specialty of Pwnie Express) have taken the form of "wall wart" device chargers, Wi-Fi routers, and even power strips. And mobile devices have also been brought to play, allowing "war walking": attacks launched remotely as a device concealed in a bag, suitcase, or backpack is carried nonchalantly into a bank, corporate lobby, or other targeted location.

But unless you're trying to get your daily steps in, IBM X-Force Red Global Managing Partner and Head Charles Henderson told Ars that you can just let a shipping company do the work for you. "There have been people that have shipped cell phones, things like that," Henderson noted. "The thing that's cool about this is, this is the wall of the box. It can be easily built into the cardboard. If you get a phone shipped to you, you're suspicious of it. If you get a box or maybe a plaque that says you're the new [chief information security officer] of the year, you might not."

The plaque might just go right up on the wall. "Put a $13 solar charger panel on the plaque, and that makes it a permanent fixture in a CISO's office... a $13 panel that, and actually, by the time it discharges the battery, between times when we check in, that can charge it back up. So technically you could do pretty much infinite, up to the life of the battery, if you set that in the right place." The hardware has also been planted in a stuffed animal and even inside the case of a normal Wi-Fi router.'

-- source: https://arstechnica.com/information-technology/2019/08/hack-in-the-box-hacki...

Cheers, Peter

-- 
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/