Supply Chain Risk: Raspberry Pi Device Used for War Shipping

An interesting post on supply chain security over at Security Affairs. The post looks at a new approach to supply chain surveillance (and, presumably, attacks): ‘war shipping.’

A demonstration at Derbycon highlighted a small, wireless attack device capable of being shipped to a target firm via UPS.
A demonstration at Derbycon highlighted a small, wireless attack device capable of being shipped to a target firm via UPS.

War shipping is, of course, a play on the ‘war driving’ scene from the early days of consumer wifi, in which cars outfitted with antennae would canvas whole cities, documenting open wi-fi hotspots that could be used to grab some free Internet.

In this case, Security Affairs notes a shippable board-sized package designed by security expert Larry Pesce of Paul’s Security Weekly (fka Pauldotcom). The device can be contained in a standard UPS shipping box and delivered to a target network to passively surveil or even attack it.

The kit is built on a Raspberry Pi b_ with an AWUS051NH wireless card, a cheap battery charger, kismet and custom software. Pesce demonstrated the device at Derbycon, a Louisville, Kentucky based event last month.

The device includes both sniffing and attacking functionalities, as well as geo-location of the device that is used by attackers to track the package to its final destination before launching a malicious payload. Attackers could purposely send it to a former (or non-existent) employee – or a traveling executive, guaranteeing that it would linger in the company’s mail room, Pesce theorized.

Read more via War shipping, hacking corporate WLan with a Raspberry Pi | Security Affairs.

Comments are closed.