A Miami Post Office employee unloads packages in 2015. Photo: Joe Raedle/Getty Images

If a network is too hard to breach over the internet, hackers may succeed by mailing an employee a device designed to steal passwords or implant malware over WiFi, IBM demonstrated in a novel proof-of-concept.

Why it matters: Organizations spend millions of dollars on products, manpower and training to screen incoming internet traffic for malicious attackers, but this snail-mail technique could see helpful office managers bringing a hack right to their desk.

How it works: A common way to break into networks is what's known as an "evil twin" attack, setting up fake WiFi access points using the same name as a target WiFi network.

  • IBM's X-Force Red, which companies hire to test their defenses against hackers, built devices that perform evil twin attacks and phone home with results. It then mailed them to employees it knew would be on vacation. In tests, the packages typically made it into the office without incident.
  • "People welcome packages with open arms," Charles Henderson, global lead for IBM's X-Force Red, told Axios. "And when people welcome an attack with open arms, that's the litmus test for us to get excited."
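
A defender-side check for the evil twin pattern described above, as an added example that is not from IBM or the original article: it compares beacons seen in a WiFi scan against an inventory of sanctioned access points. The SSID `CorpNet`, the inventory and the scan records are all constructed for illustration.

```python
from dataclasses import dataclass

CORP_SSID = "CorpNet"  # assumed corporate network name
# Assumed inventory: BSSID -> (security mode, channels that AP is configured for)
SANCTIONED = {
    "02:00:00:00:00:01": ("WPA2-Enterprise", {1, 36}),
    "02:00:00:00:00:02": ("WPA2-Enterprise", {6, 44}),
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point MAC address
    security: str
    channel: int

def find_evil_twins(beacons):
    """Return (bssid, reason) for each beacon that uses the corporate
    SSID but does not match the sanctioned inventory."""
    findings = []
    for b in beacons:
        if b.ssid != CORP_SSID:
            continue  # other networks are out of scope for this check
        bssid = b.bssid.lower()
        known = SANCTIONED.get(bssid)
        if known is None:
            findings.append((bssid, "unknown BSSID"))
        elif b.security != known[0]:
            # A sanctioned BSSID with different security suggests a cloned address.
            findings.append((bssid, "security mismatch"))
        elif b.channel not in known[1]:
            findings.append((bssid, "unexpected channel"))
    return findings

# Constructed scan results, not captured from any real network.
SCAN = [
    Beacon("CorpNet", "02:00:00:00:00:01", "WPA2-Enterprise", 36),  # legitimate
    Beacon("CorpNet", "02:00:00:00:00:99", "Open", 11),             # not in inventory
    Beacon("CorpNet", "02:00:00:00:00:02", "Open", 6),              # downgraded security
    Beacon("CorpNet", "02:00:00:00:00:01", "WPA2-Enterprise", 11),  # wrong channel
    Beacon("CoffeeShop", "02:00:00:00:00:AA", "Open", 1),           # unrelated network
]

if __name__ == "__main__":
    for bssid, reason in find_evil_twins(SCAN):
        print(f"ALERT {CORP_SSID} advertised by {bssid}: {reason}")
```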

The devices cost around $100 to make and are small enough to hide in the kinds of corporate swag typically sent to companies as promotional items, providing cover for when employees eventually open the package.

  • IBM calls the attack "warshipping," a play on "war dialing," where hackers of yore dialed lists of numbers with their modems, looking for a computer to respond, and "wardriving," where hackers drove around cities looking for free WiFi that spilled out onto the street.

What's next: There are a bunch of clever ways to add onto the attack. Henderson noted that if he sent a large box, people might carry it with the base around hip level — the perfect height to place a device that copies the radio chip on an employee ID.

  • Current versions of the attack already include a GPS chip. "We could follow the package as it went out for delivery," he said, "and find other WiFi networks along the route."
