Aug 7, 2019

Hackers arrive via special delivery

Postal employee unloading boxes

A Miami Post Office employee unloads packages in 2015. Photo: Joe Raedle/Getty Images

If it's too hard to breach a network over the internet, hackers may successfully resort to mailing an employee a device designed to steal passwords or implant malware over WiFi, IBM demonstrated in a novel proof-of-concept.

Why it matters: Organizations spend millions of dollars in products, manpower and training to screen incoming internet traffic for malicious attackers, but this snail mail technique could see helpful office managers bringing a hack right to their desk.

How it works: A common way to break into networks is what's known as an "evil twin" attack, setting up fake WiFi access points using the same name as a target WiFi network.

  • IBM's X-Force Red, which companies hire to test their defenses against hackers, built devices that perform evil twin attacks and phone home with results. It then mailed them to employees they knew would be on vacation. In tests, the packages typically made it into the office without incident.
  • "People welcome packages with open arms," Charles Henderson, global lead for IBM's X-Force Red, told Axios. "And when people welcome an attack with open arms, that's the litmus test for us to get excited."

The devices cost around $100 to make and are small enough to hide in the kinds of corporate swag typically sent to companies as promotional items, providing cover for when employees eventually open the package.

  • IBM calls the attack "warshipping," a play on "war dialing," where hackers of yore dialed lists of numbers with their modems, looking for a computer to respond, and "wardriving," where hackers drove around cities looking for free WiFi that spilled out onto the street.

What's next: There are a bunch of clever ways to add onto the attack. Henderson noted if he sent a large box, people might carry it with the base around hip level — the perfect height to place a device that copies the radio chip on an employee ID.

  • Current versions of the attack already include a GPS chip. "We could follow the package as it went out for delivery," he said, "and find other WiFi networks along the route."

Go deeper: Why hackers ignore most security flaws

Go deeper