December 10, 2024  —  Allison Ho

Why tech holiday gifts could land you in hot water

As the holiday season approaches, the lights go up and the smell of pine fills the air — it’s your sign to start brainstorming gifts. We’re all guilty of procrastinating, and there’s no feeling like racking your brain to find the perfect gift for a friend at the last minute. 

For most people on a time crunch, tech gadgets are a convenient and safe bet. With anticipation of the holidays, shoppers flock to Amazon.com to stock up on smart thermostats, wearable tech gear, Ring Doorbells, Apple AirTags and Bluetooth headphones. Another popular online retailer in 2024 is TEMU (PDD Holdings), which draws 167 million budget-savvy users who can’t resist ridiculously cheap, off-brand tech. 

It’s only a matter of time before workers bring their new toys to the office or plug and play at home. Consumers, business leaders and IT professionals all ask a familiar question: Are these internet of things (IoT) devices a danger to organizational and personal data? 

Cyber risks lurk under the gift wrap

From mug warmers and portable fans to smartwatches and wireless keyboards, the temptation to plug and pair these gadgets with corporate devices and networks often goes unquestioned. Some of the tech gifts that you receive during the holidays can unknowingly introduce unauthorized access to networks, open the door to cybercriminals and lead to costly cybersecurity problems. 

Imagine that you’re at a hotel attending a conference. You decide to pair new Bluetooth earbuds with your work laptop, only to discover that someone is eavesdropping on a sensitive conversation between you and a colleague, listening to every detail and preparing to exploit key information pertaining to a big project. 

Yes, Bluetooth devices are at risk. But there’s more than one way to hack them and countless other connected devices. Over the years, we’ve seen myriad incidents:

Hijacked Bluetooth connections

Last year, we saw one of the most notorious adversary-in-the-middle (AitM) attacks, called BLUFFS. The attacks allowed hackers to hijack Bluetooth connections by exploiting two previously unknown vulnerabilities in the Bluetooth standard’s session-key derivation mechanism.

On the topic of AitM attacks, there was another incident in October of 2024 when, according to Acronis TRU Security, Mamba 2FA reared its ugly head. The phishing-as-a-service (PhaaS) platform used these attacks to target Microsoft 365 accounts, letting criminals bypass MFA protections with fake yet convincing login pages.

Peloton fitness vulnerabilities 

With corporate wellness initiatives trending, a growing number of companies are investing in on-site gyms to encourage a healthier company culture, attract top talent and reduce employee stress. In August of 2023, Peloton announced Peloton for Business, a unified portfolio of B2B fitness and wellness solutions for enterprise clients. Employees love the perks of being able to pump iron just steps away from their workstation. But many companies are unaware that smart exercise machines can potentially pose cybersecurity risks.

Cybercriminals can break in while you’re breaking a sweat. In 2023, Dark Reading reported that Peloton vulnerabilities allowed hackers to remotely spy on Peloton users. Although Peloton determined that the flaws could only be exploited by adversaries with physical access to machines, the danger still looms for companies with digitally connected Peloton bikes. Moreover, Peloton bikes are equipped with front-facing cameras that, like any other smart camera, are fair game for hackers.

Compromised Ring Doorbells

Another camera-equipped tech gadget that faced scrutiny was the Ring Doorbell. The United States Federal Trade Commission (FTC) issued a press release that reminded Ring customers of their privacy rights. The FTC charged Ring, the smart home security camera company, with unlawfully compromising its customers’ privacy. Ring employees had access to customers’ private videos. Also fueling the outrage was Ring’s failure to implement fundamental privacy and security measures, which allowed attackers to take control of Ring customer accounts, video recordings and cameras.

For companies, cameras could jeopardize organizational safety and sensitive information. How? A lot of businesses use Ring’s Wi-Fi-connected smart cameras to monitor the comings and goings of employees, customers and visitors. Not only could hackers study the behavior and activities of those on camera, they could also listen in on sensitive conversations and perhaps see critical data. If cameras are pointed at computer monitors, hackers could track an employee’s every click and even watch them key in passwords.

Smartwatches tracking more than just steps

In June of 2023, the U.S. Department of the Army’s Criminal Investigation Division (CID) reported suspicious smartwatches that were mailed to U.S. military service members. The CID alerted members and the public that the smartwatches could contain malware aimed at granting unauthorized access to sensitive data such as banking, contact and login information.

What’s jarring is that consumers and businesses are also targets. According to Deloitte, 48% of consumers showed major concern over data security and privacy on smartwatches and fitness trackers. The fear is spread across organizations, with 14.4% of working-age internet users owning wearable smart devices. Businesses need to grapple with employees who want to connect wearable tech to their work devices, like company smartphones.

Cyberattacks are landing employees on the “naughty” list

According to a 2024 press release, over one third of cyberattacks result in job losses. The numbers are even more dismal than two years ago when it was estimated that one quarter of employees lost their job after making a mistake that compromised their company’s security. Undoubtedly, workers are facing big consequences for preventable mistakes. But the worst part is that employers can’t afford to give staff second chances.

In the cybersecurity community, there’s a well-known phrase used by many IT security leaders: “People are the weakest link in cybersecurity.” Unfortunately, the ramifications are damning for employees who accidentally break cybersecurity rules. Employers are taking controversial action with unexpected job dismissals that are not only costly to backfill but also cause disruption to existing teams. But in all fairness, letting go of an employee because of an embarrassing cybersecurity mishap isn’t an easy decision for managers and leadership either.

Ho-ho-hold on: Think before you plug and pair

While you can’t swear off all tech gifts and other connected devices altogether, you can do your part by keeping cybersecurity best practices top of mind. Consider this: Take a moment to weigh the risks before you plug in or pair new tech gadgets with personal or corporate devices — especially while on company networks. It never hurts to send your IT department a quick message if you’re unsure of these risks. After all, the more business leaders and workers can build direct communication and a strong rapport with IT and security professionals, the more effective organizations will be at mitigating cyber risk. And if you’re a business owner or an IT professional, make sure that employees have comprehensive security awareness training.

Author
Allison Ho
Content Marketing Creator, Cybersecurity
Allison Ho is Content Marketing Creator at Acronis. She develops content on cybersecurity, data protection, artificial intelligence and endpoint management while closely collaborating with thought leaders. Her technology B2B marketing experience includes expertise in SEO.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.