Sign up for our daily briefing

Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Denver news in your inbox

Catch up on the most important stories affecting your hometown with Axios Denver

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Des Moines news in your inbox

Catch up on the most important stories affecting your hometown with Axios Des Moines

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Minneapolis-St. Paul news in your inbox

Catch up on the most important stories affecting your hometown with Axios Twin Cities

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Tampa Bay news in your inbox

Catch up on the most important stories affecting your hometown with Axios Tampa Bay

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Charlotte news in your inbox

Catch up on the most important stories affecting your hometown with Axios Charlotte

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

A Miami Post Office employee unloads packages in 2015. Photo: Joe Raedle/Getty Images

If it's too hard to breach a network over the internet, hackers may successfully resort to mailing an employee a device designed to steal passwords or implant malware over WiFi, IBM demonstrated in a novel proof-of-concept.

Why it matters: Organizations spend millions of dollars in products, manpower and training to screen incoming internet traffic for malicious attackers, but this snail mail technique could see helpful office managers bringing a hack right to their desk.

How it works: A common way to break into networks is what's known as an "evil twin" attack, setting up fake WiFi access points using the same name as a target WiFi network.

  • IBM's X-Force Red, which companies hire to test their defenses against hackers, built devices that perform evil twin attacks and phone home with results. It then mailed them to employees they knew would be on vacation. In tests, the packages typically made it into the office without incident.
  • "People welcome packages with open arms," Charles Henderson, global lead for IBM's X-Force Red, told Axios. "And when people welcome an attack with open arms, that's the litmus test for us to get excited."

The devices cost around $100 to make and are small enough to hide in the kinds of corporate swag typically sent to companies as promotional items, providing cover for when employees eventually open the package.

  • IBM calls the attack "warshipping," a play on "war dialing," where hackers of yore dialed lists of numbers with their modems, looking for a computer to respond, and "wardriving," where hackers drove around cities looking for free WiFi that spilled out onto the street.

What's next: There are a bunch of clever ways to add onto the attack. Henderson noted if he sent a large box, people might carry it with the base around hip level — the perfect height to place a device that copies the radio chip on an employee ID.

  • Current versions of the attack already include a GPS chip. "We could follow the package as it went out for delivery," he said, "and find other WiFi networks along the route."

Go deeper: Why hackers ignore most security flaws

Go deeper

46 mins ago - World

Putin foe Navalny to be detained for 30 days after returning to Moscow

Russian opposition leader Alexey Navalny. Photo: Oleg Nikishin/Epsilon/Getty Images

Russian opposition leader Alexey Navalny has been ordered to remain in pre-trial detention for 30 days, following his arrest upon returning to Russia on Sunday for the first time since a failed assassination attempt last year.

Why it matters: The detention of Navalny, an anti-corruption activist and the most prominent domestic critic of Russian President Vladimir Putin, has already set off a chorus of condemnations from leaders in Europe and the U.S.

Biden picks Warren allies to lead SEC, CFPB

Photo: Justin Sullivan/Getty Images

President-elect Joe Biden has selected FTC commissioner Rohit Chopra to be the next director of the Consumer Financial Protection Bureau (CFPB) and Obama-era Wall Street regulator Gary Gensler to lead the Securities and Exchange Commission (SEC).

Why it matters: Both picks are progressive allies of Sen. Elizabeth Warren (D-Mass.) and viewed as likely to take aggressive steps to regulate big business.

The perils of organizing underground

Illustration: Aïda Amer/Axios

Researchers see one bright spot as far-right extremists turn to private and encrypted online platforms: Friction.

Between the lines: For fringe organizers, those platforms may provide more security than open social networks, but they make it harder to recruit new members.