I'm not talking shipping as in boats, but shipping as in packages. David Maynor is giving a talk at Black Hat on his newest experiment: using a small and cheap WiFi platform that is remotely accessible over a WAN to perform WiFi surveillance from inside a package delivered right to your victim. Guess what the cheap platform is? An iPhone, of course. George Ou has some pictures and more details in his blog posting, The iPhone wireless LAN Ownage in a Box.
This new remote WiFi attack is particularly timely, as an indictment of 11 people for the ID theft of over 100 Million credit cards was handed down this week. Guess how they got in? They used War Driving to get onto insecure internal WiFi networks and then used that internal access to install sniffing software. The attackers were mostly from foreign countries, while the companies attacked were in the US. So at some point someone must have been in the country to physically scan the networks.
David Maynor's WarShipping trick solves this "need to be there" problem for wireless attacks. Why travel and risk being physically apprehended when you can just mail a package containing a WiFi- and WAN-enabled device and hack remotely?
We will have to see how insecure these businesses that need to be PCI compliant really are, now that this massive WiFi attack has been made public. I find it takes a widely publicized attack on your organization or a close peer to actually get many security problems fixed. I bet some retailers' IT departments started scrambling after this was made public.
Attackers like to keep updating their methods just ahead of compliance requirements. Sometimes I think that becoming compliant is protecting yourself from last year's attack, due to the lag time between attacks becoming prevalent, compliance standards changing, and then organizations making security updates to meet compliance.
With application security we may already be a little behind. PCI requirement 6.6 kicked in June 2008 and requires organizations handling credit card data to audit their applications for the vulnerability classes outlined in the OWASP Top Ten 2004 (yes, note the lag time). I fear a compromise on the scale of this 100 Million ID theft is still looming, this time using application security attacks.