Mailroom Security – Warshipping

When it comes to physical security, your organization faces risks from every angle. One of the most overlooked and neglected components of a physical security plan is mail safety. A thorough assessment of how your organization deals with threats through the mail is paramount. 

When performing this assessment you have to think outside the box and be open to the evolution of threats and what they may look like in the future. The never-ending battle against cybercriminals has been fought on many fronts and the mailroom is now one of them. 

There is a new technique IBM X-Force Red is calling warshipping and it has been gaining some much-needed attention. X-Force Red presented this technique at the annual Black Hat Cybersecurity Conference and opened a few eyes to the ever-evolving nature of security.

Let’s talk through what worshipping is and two things you can do to help protect your organization.

What is warshipping?

Warshipping is when a small, computerized device is mailed to your organization with the intent to gain entrance to your network.

Using a cheap computer, which draws minimal power, this technique bypasses your physical security measures by entering your organization through the mail stream. It gets the attacker the close-proximity he needs, as he can operate it from a remote location, minimizing physical exposure to the target. The device can be as small as a cellphone allowing it to be concealed in a number of ways. 

A simple package, which looks like any other piece of mail your organization processes, can bypass your existing physical security measures, leaving your organization vulnerable.

Warshipping is a simple and cheap way for cybercriminals to utilize the mail to execute an attack on your organization. It allows an adversary to introduce the threat through one of the most vulnerable components of an organizations security, the mailroom.  

According to Charles Henderson, head of IBM’s Offensive Operations arm, “The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.”

How can you prevent warshipping?

As an organization who is vulnerable to these types of attacks, what can you do to protect yourself?

1. Prioritize a strong network security

As technology and tactics evolve it is paramount to be up to date on techniques, trends, and more. Network audits, up-to-date wireless and mobile device policies, and constant training are just a few of the many things you need to stay on top of. As with all of your security efforts, complacency can your worst enemy.

2. Ensure your mail handling and mail screening procedures address threats such as these. 

Restricting personal delivery, using remote mailrooms for processing and screening, package imaging, cellular intrusion detection, and limiting connectivity are just a few of the options. Be sure to take a comprehensive look at your mail security to find the best way to integrate it into your security plan.


Solving a specialized problem requires specialized experience 

Your employee safety, financial loss due to downtime, and brand reputation is at risk. A security plan only works if it’s comprehensive. Mail security is often overlooked or neglected.
There are many qualified physical security consultants, but mail security requires specialized training and experience. The United States Postal Inspection Service is the only organization that can adequately train security experts in mail-related threats. You need this experience AND someone who is focused on your organization’s goals.

We have the necessary real-world experience screening and investigating high-profile bomb, biological, and white powder cases. As subject matter experts, we’ve developed dangerous mail training and conducted screening for America’s most senior political leaders and largest sporting events.

When your optimized mail screening efforts are combined with robust physical security, you can rest easy knowing you have a comprehensive plan in place.

Working together is simple. We’ll look at the security problems you’re trying to solve, develop a plan, and you’ll feel confident knowing your employee safety, organizational downtime, and brand reputation are secure.

Contact us to schedule a call. We can tell you more about Risk Strategy Group and go into detail about how our experience can help your company.

Leave a Reply

Your email address will not be published. Required fields are marked *

Contact Form