Most companies have strategies for educating employees about network security. But there has been much less awareness and education about mitigating “phygital” risks — that is, physical devices that carry out digital attacks on a company’s computer networks.
Another name for these phygital attacks is ‘warshipping’. Essentially, a malicious hacker creates a device with internet access, for example a miniature computer — and sends it through physical mail in an attempt to compromise a company’s computer network. In addition, with so many employees not yet required to return to their physical offices after the lockdown, these devices could easily be left unattended for months in unopened mail on desks and in mailrooms, collecting data and exploiting vulnerabilities in a company’s network.
It’s terrifyingly easy and cheap to make your own DIY version of a warship. With just three hours, a few hundred dollars, and a few YouTube videos, almost anyone can do it. To show you exactly how easy it is, I’m going to talk about how I built a warship and then discuss what you can do to protect your business from these attacks.
Building a warship
Prepare for a technical leap into hardware and software. We don’t have the space here to go into every aspect of building a warship, but the following should give you a clear idea of how easy and inexpensive the process can be.
Building the hardware. The foundation of any warship is as simple as a hobbyist printed circuit board, not much larger than a credit card, that can work like a miniature computer. An example is a Raspberry Pi, which is easy to find online and comes with the necessary software, or at least software that is also easy to find online.
Next, you need some kind of Wi-Fi dongle so that your warship can connect to the internet wirelessly. A USB Wi-Fi adapter and a memory card with at least 32 GB of storage, along with a SIM card to enable cellular connectivity and an optional GPS device, will meet the hardware requirements.
Software requirements. Raspberry Pis have their own Ubuntu-based Operating System (OS) called Raspberry Pi Operating System.
Next, you need to set up remote access. You need to find the IP address of your device so that you can connect to it through your computer or other device. To do that, you can run a scan on your local network or use a smartphone app. Then enter the default password for a Raspberry Pi, which is ‘raspberry’. You now have a functional warship.
Ready for warship. Finally, you can install your warship software. The actual warship software consists of two parts: optional GPS software, if you want to track the location of your device, and Kismet or comparable network discovery software.
Kismet acts as a packet sniffer, finding and capturing data packets from a network to store or forward that information. So Kismet can potentially be used to extract data from your network.
Your device is now ready to cause a world of pain to a poor IT team. All you have to do is send it in the mail, and when it arrives, you can access sensitive data over the cellular connection or find a vulnerable entry point for an attack. Then you could join the realm of malicious hackers who are costing companies worldwide $2.9 million per minute due to cybercrime.
Key learning points
So what are some useful takeaways from all of this?
First, you need to realize that this threat is not going away. These attacks are just too easy to launch and too hard to tackle. After all, who has the time to sort all that inbound mail once it arrives?
Second, you need to develop phygital security measures as part of your overall cybersecurity efforts. Packages can sit in mailrooms for weeks – or now months – before someone processes them. Each of those packages could contain a warship that can use its idle time to collect data from your network. Because warships can be small enough to fit between two pieces of cardboard, even an open empty box that you keep in the mailroom to be reused later can pose a threat.
To solve the problem, you can start by immediately processing packages that are incorrectly addressed, as they will be bounced back to the sender. But you need to go further than that: handle all unopened mail as quickly as possible and never store used packaging materials in the mailroom. You can also look into the latest mail scanning technology, which can detect these devices while avoiding the harmful effects of X-rays.
Third, network discovery software can help you catch unusual traffic and discover new devices as they connect to your network. That means you may be able to detect a warship before any damage is done. Additionally, in the spate of layoffs in the recent Great Resignation, insider threats from individuals who are or were authorized users on your network are just as common and potentially harder to detect, as these people may have access to approved credentials and devices.
Fourth, train your employees. They probably have no idea that packages they left on their desks for a few days while working remotely could contain a warship, so do them and yourself a favor by warning them of the potential threat.
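The new-device detection described in the third point above can start from logs you already have. The following is an added example, not code from the original article: it reads dnsmasq-style DHCP log lines, compares each MAC address against an asset inventory, and records why a device looks suspicious. The log lines, inventory and OUI list are constructed assumptions to replace with your own data.

```python
import re

# Constructed sample: dnsmasq-style DHCP log lines (not from a real network).
SAMPLE_LOG = """\
Mar  3 09:14:02 gw dnsmasq-dhcp[811]: DHCPACK(eth0) 10.0.5.21 3c:52:82:aa:10:01 hr-laptop-07
Mar  3 09:15:40 gw dnsmasq-dhcp[811]: DHCPACK(eth0) 10.0.5.44 b8:27:eb:12:34:56 raspberrypi
Mar  3 09:17:11 gw dnsmasq-dhcp[811]: DHCPACK(eth0) 10.0.5.45 00:11:22:33:44:55
Mar  3 09:20:00 gw dnsmasq-dhcp[811]: DHCPACK(eth0) 10.0.5.21 3c:52:82:aa:10:01 hr-laptop-07
"""

KNOWN_MACS = {"3c:52:82:aa:10:01"}  # assumed asset inventory (constructed)
# MAC prefixes registered to Raspberry Pi boards; extend for other hobbyist boards.
HOBBY_BOARD_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}
DEFAULT_HOSTNAMES = {"raspberrypi"}  # Raspberry Pi OS default hostname

ACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)

def find_unknown_devices(log_text, known_macs):
    """Return one alert per MAC that received a lease but is not in inventory."""
    known = {m.lower() for m in known_macs}
    alerts = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac in known or mac in alerts:
            continue  # inventoried device, or already reported
        host = m.group("host") or ""  # clients may send no hostname
        reasons = ["mac not in asset inventory"]
        if mac[:8] in HOBBY_BOARD_OUIS:
            reasons.append("hobbyist-board OUI")
        if host.lower() in DEFAULT_HOSTNAMES:
            reasons.append("default hostname")
        alerts[mac] = {"mac": mac, "ip": m.group("ip"),
                       "host": host, "reasons": reasons}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_unknown_devices(SAMPLE_LOG, KNOWN_MACS):
        print(alert["ip"], alert["mac"], alert["host"] or "-", alert["reasons"])
```

A device that only sniffs passively never requests a lease, and MAC addresses can be changed, so treat this as one signal alongside the mailroom handling described above.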
If there’s one thing you learned from this article, it should be that the phygital world is a dangerous place. But just knowing what the danger is is half the battle. So now you know.