A Miami Post Office employee unloads packages in 2015. Photo: Joe Raedle/Getty Images

If it's too hard to breach a network over the internet, hackers may successfully resort to mailing an employee a device designed to steal passwords or implant malware over WiFi, IBM demonstrated in a novel proof-of-concept.

Why it matters: Organizations spend millions of dollars in products, manpower and training to screen incoming internet traffic for malicious attackers, but this snail mail technique could see helpful office managers bringing a hack right to their desk.

How it works: A common way to break into networks is what's known as an "evil twin" attack, setting up fake WiFi access points using the same name as a target WiFi network.

  • IBM's X-Force Red, which companies hire to test their defenses against hackers, built devices that perform evil twin attacks and phone home with results. It then mailed them to employees they knew would be on vacation. In tests, the packages typically made it into the office without incident.
  • "People welcome packages with open arms," Charles Henderson, global lead for IBM's X-Force Red, told Axios. "And when people welcome an attack with open arms, that's the litmus test for us to get excited."

The devices cost around $100 to make and are small enough to hide in the kinds of corporate swag typically sent to companies as promotional items, providing cover for when employees eventually open the package.

  • IBM calls the attack "warshipping," a play on "war dialing," where hackers of yore dialed lists of numbers with their modems, looking for a computer to respond, and "wardriving," where hackers drove around cities looking for free WiFi that spilled out onto the street.

What's next: There are a bunch of clever ways to add onto the attack. Henderson noted if he sent a large box, people might carry it with the base around hip level — the perfect height to place a device that copies the radio chip on an employee ID.

  • Current versions of the attack already include a GPS chip. "We could follow the package as it went out for delivery," he said, "and find other WiFi networks along the route."

Go deeper: Why hackers ignore most security flaws

Go deeper

Trump signs bill to prevent government shutdown

Senate Majority Leader Mitch McConnel and President Trump arrives at the U.S. Capitol in March. Photo: Samuel Corum/Getty Images

President Trump signed a bill to extend current levels of government funding into early December, White House spokesperson Judd Deere confirmed early Thursday.

Driving the news: The Senate on Tuesday passed the legislation to fund the federal government through Dec. 11, by a vote of 84-10. The move averts a government shutdown before the Nov. 3 election, though funding did expire briefly before the bill was signed.

Editor's note: This is a developing news story. Please check back for updates.

Updated 28 mins ago - Science

In photos: Deadly wildfires devastate California's wine country

The Shady Fire ravages a home as it approaches Santa Rosa in Napa County, California, on Sept. 28. The blaze is part of the massive Glass Fire Complex, which has razed over 51,620 acres at 2% containment. Photo: Samuel Corum/Agence France-Presse/AFP via Getty Images

More than 1700 firefighters are battling 26 major blazes across California, including in the heart of the wine country, where one mega-blaze claimed the lives of three people and forced thousands of others to evacuate this week.

The big picture: More than 8,100 wildfires have burned across a record 39 million-plus acres, killing 29 people and razing almost 7,900 structures in California this year, per Cal Fire. Just like the deadly blazes of 2017, the wine country has become a wildfires epicenter. Gov. Gavin Newsom has declared a state of emergency in Napa, Sonoma, and Shasta counties.

Updated 1 hour ago - Politics & Policy

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Global: Total confirmed cases as of 12:30 a.m. ET: 33,880,896 — Total deaths: 1,012,964 — Total recoveries: 23,551,663Map.
  2. U.S.: Total confirmed cases as of 12:30 a.m. ET: 7,232,823 — Total deaths: 206,887 — Total recoveries: 2,840,688 — Total tests: 103,939,667Map.
  3. Education: School-aged children now make up 10% of all U.S COVID-19 cases.
  4. Health: Moderna says its coronavirus vaccine won't be ready until 2021
  5. Travel: CDC: 3,689 COVID-19 or coronavirus-like cases found on cruise ships in U.S. waters — Airlines begin mass layoffs while clinging to hope for federal aid
  6. Business: Real-time data show economy's rebound slowing but still going.
  7. Sports: Steelers-Titans NFL game delayed after coronavirus outbreak.