Most companies have strategies in place to educate employees about network security. But there has been far less awareness and education about how to reduce “phygital” risks, i.e. the physical devices that launch digital attacks against a company’s computer networks.
Another name for these phygital attacks is “war transport”. Essentially, a malicious hacker creates an Internet-enabled device – say, a miniature computer – and sends it through physical mail with the intent of compromising a company’s computer network. Additionally, since so many employees have yet to return to their physical offices post-lockdown, these devices can easily sit unattended for months in unopened mail on desks and in mailrooms, collecting data and exploiting vulnerabilities in a company’s network.
It’s scarily easy and inexpensive to create your own DIY version of a war transport device. With just three hours, a few hundred dollars, and a few YouTube videos, almost anyone can do it. To show you exactly how easy it is, I’m going to walk you through how I built a War Transport Device, then discuss what you can do to protect your business from these attacks.
Build a war machine
Prepare for a small technical leap in hardware and software. We don’t have the space here to go into every aspect of building a war transport, but what follows should give you a heartbreaking idea of how easy and expensive the process is.
Construction hardware. The basis of any war transport device is as simple as a hobbyist circuit board not much bigger than a credit card, which can function like a miniature computer. An example is a Raspberry Pi, which is easily found online and comes with the required software, or at least software that can also be easily found online.
Next, you need a wifi dongle of some sort so that your war device can connect to the internet wirelessly. A USB Wi-Fi adapter and memory card with at least 32 GB of storage, along with a SIM card to enable cellular connection and an optional GPS device, will complete the hardware requirements.
Software prerequisites. Raspberry Pis have their own Ubuntu-based operating system (OS) called Raspberry Pi OS.
Next, you will need to establish remote access. You need to find your device’s IP address so that you can connect to it through your computer or other device. You can do this by running a scan on your local network or using a smartphone app. Then enter the default password for a Raspberry Pi, which is “raspberry”. You now have a working war transport device.
Ready for war navigation. Finally, you can install your shipping software. Your current war transport software consists of two parts: your optional GPS software if you want to keep track of your device’s location, and Kismet or similar network detection software.
Kismet acts as a packet sniffer, which finds and captures data packets from a network to store or transmit this information. Thus, Kismet can potentially be used to retrieve data from your network.
Your device is now ready to cause a world of pain for a bad IT team. All you have to do is mail it, and when it arrives, you can access sensitive data or find a vulnerable access point for an attack over the cellular connection. You could then join the realm of malicious hackers who are costing businesses around the world $2.9 million per minute due to cybercrime.
Key points to remember
So what are the useful lessons from all of this?
First of all, you must realize that this threat is not going away. These attacks are simply too easy to cast and too difficult to counter. After all, who has time to sort through all that incoming mail as soon as it arrives?
Second, you need to develop phygital security measures as part of your overall cybersecurity efforts. Packages can sit in mailrooms for weeks — or these days, months — before someone processes them. Any of these packages can contain a war transport device that can use its idle time to collect data on your network. Since war transport devices can be small enough to fit between two pieces of cardboard, even an open empty box you keep in the mail room for later reuse could pose a threat.
To solve the problem, you can start by dealing with misaddressed packages immediately, as these will be returned to the sender. But you need to go above and beyond to process all unopened mail as quickly as possible and never keep used packing materials in the mailroom. You can also look into the latest mail scanning technology, which can detect these devices while avoiding the harmful effects of X-rays.
Third, network discovery software can help you detect unusual traffic and detect any new devices as soon as they join your network. This means you can potentially detect a war transport device before any damage is done. Additionally, the wave of layoffs in the recent big quit, insider threats from people who are or were authorized users of your network are just as common and may be more difficult to detect, as these people may have access to information credentials and approved devices.
Fourth, educate your employees. They probably have no idea that the packages they left on their desks for a few days while working remotely might have a war transport device inside, so do them a favor by alerting them to possible threat.
If there’s one thing you’ve learned from this article, it’s that the phygital world is a dangerous place. But just knowing the danger is half the battle. So now you know.