Will Plummer's Raspberry Pi-Powered "Warshipping" Gadget Highlights the Risk of "Phygital" Attacks
Shipping a misaddressed parcel with a single-board computer inside can offer data-gathering gold, Plummer argues.
Will Plummer, chief security officer at RaySecur, has demonstrated the risk of "phygital" or "warshipping" attacks by building a Raspberry Pi-based attack device in around three hours — and offers advice for both building your own and protecting against them.
"Essentially, a malicious hacker creates an Internet-enabled device — for example, a miniature computer — and sends it through physical mail in an attempt to compromise a company's computer network," Plummer explains of the warshipping concept in a piece for DarkReading's The Edge. "What's more, because so many employees have yet to return to their physical offices post-lockdown, these devices can easily sit for months unattended in unopened mail on desks and in mailrooms, gathering data and exploiting vulnerabilities in a company's network."
In the early days of computing, computers were much too bulky, power-hungry, and expensive to be used in such a manner — but today, devices are available for a fistful of dollars and capable of running on battery power. "The foundation of any warshipping device is as simple as a hobbyist circuit board not much bigger than a credit card," Plummer explains, "which can operate like a miniature computer. One example is a Raspberry Pi, which is easily found online and arrives with the required software, or at least software that can also be easily found online.
"Your actual warshipping software comes in two parts: your optional GPS software if you want to keep track of your device location and Kismet or a similar network-detecting software. Kismet acts as a packet sniffer, which finds and captures packets of data from a network to store or forward that information. So Kismet can potentially be used to grab data from your network."
Building a warshipping gadget is one thing, but how can you defend against one? Plummer suggests a combination of measures: processing packages with invalid addresses as quickly as possible, opening mail early, potentially X-raying all packages if you're a real target of interest, educating employees, and using network discovery software to sniff the sniffers.
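One way to apply the "sniff the sniffers" advice is sketched below as an added example, not code from Plummer's article: it reads sightings from a passive Wi-Fi sensor and flags radios that are absent from the asset inventory yet stay in one place for days, including out of hours. The log format, the sensor, the inventory and the thresholds are assumptions, and the sample data is constructed.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# IEEE-registered Raspberry Pi MAC prefixes (not exhaustive; a MAC can be changed,
# so this only raises priority, it is never the sole test).
PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed sample: timestamp, client MAC, RSSI (dBm) as logged by a
# hypothetical passive Wi-Fi sensor in the mailroom.
SAMPLE_LOG = """\
2024-03-04T02:00:00,aa:bb:cc:00:00:01,-48
2024-03-04T02:10:00,b8:27:eb:12:34:56,-61
2024-03-04T10:00:00,02:00:00:aa:bb:cc,-45
2024-03-05T10:05:00,02:00:00:aa:bb:cc,-78
2024-03-05T11:00:00,3e:11:22:33:44:55,-50
2024-03-05T13:00:00,b8:27:eb:12:34:56,-62
2024-03-06T09:55:00,02:00:00:aa:bb:cc,-52
2024-03-06T23:30:00,b8:27:eb:12:34:56,-61
2024-03-07T03:45:00,b8:27:eb:12:34:56,-60
"""
KNOWN_ASSETS = {"aa:bb:cc:00:00:01"}  # constructed asset inventory


def find_dwellers(log_text, known, min_days=3, max_rssi_stdev=4.0):
    """Flag unknown radios that stay put: seen on several days, also out of
    hours, with near-constant signal strength (i.e. not moving)."""
    seen = defaultdict(list)
    for ts, mac, rssi in csv.reader(io.StringIO(log_text.strip())):
        seen[mac.lower()].append((datetime.fromisoformat(ts), int(rssi)))
    findings = []
    for mac, obs in seen.items():
        if mac in known:
            continue
        days = {t.date() for t, _ in obs}
        off_hours = sum(1 for t, _ in obs if t.hour < 6 or t.hour >= 20)
        spread = statistics.pstdev([r for _, r in obs])
        if len(days) >= min_days and off_hours and spread <= max_rssi_stdev:
            findings.append({"mac": mac, "days": len(days),
                             "off_hours": off_hours,
                             "rssi_stdev": round(spread, 1),
                             "pi_oui": mac[:8] in PI_OUIS})
    # Raspberry Pi prefixes first, then longest dwell
    return sorted(findings, key=lambda f: (not f["pi_oui"], -f["days"]))


if __name__ == "__main__":
    for finding in find_dwellers(SAMPLE_LOG, KNOWN_ASSETS):
        print(finding)
```

A device that only listens, or that reports back over a cellular link, never shows up in Wi-Fi sightings, so a check like this complements the mail-handling steps rather than replacing them.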
Plummer's full article is now available on DarkReading.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.