Hackers looking to gain access to your Wi-Fi network don’t necessarily have to lurk around your home or office, warns IBM X-Force Red.

Instead, writes Charles Henderson, global head of that security unit, they could simply ship you a package with a tiny, concealed device they can remotely control.

“In fact, they could ship multiple devices to their target location thanks to low build cost,” Henderson writes. “The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.”

While the company doesn’t report having seen such an attack actually used, it built a proof-of-concept device (a common practice in the security industry) to demonstrate the ease with which a package-based hack could be launched. The battery-powered device IBM built periodically checks in via a cellular modem to see whether it has commands from its creators or should go to sleep to conserve power. By transmitting GPS coordinates, it could let its creators know when it has arrived at its intended destination and then go to work eavesdropping on wireless transmissions.

Such a device could even set up a rogue wireless network of its own to sniff login credentials to use on the real target network, according to the post. Devices made for the technique, which IBM has dubbed warshipping, can be built for under $100, the company says.

To avoid such attacks, Henderson’s team recommends companies set up policies to inspect and isolate packages and potentially discourage employees from getting personal shipments at work. The company also recommends training workers to detect and avoid suspicious Wi-Fi hotspots and locking down networks to keep intruders out.
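As an added illustration of the hotspot-detection advice (this is not IBM's code), the sketch below shows how a defender's scanner could flag a rogue network that copies the corporate network name. The SSID, BSSIDs, security labels and scan records are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed inventory of the organisation's own Wi-Fi (all values constructed).
CORP_SSID = "ExampleCorp"
KNOWN_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
EXPECTED_SECURITY = "WPA2-Enterprise"


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str
    rssi_dbm: int


def _norm(ssid: str) -> str:
    # Lookalike names often differ only by case or stray whitespace.
    return ssid.strip().casefold()


def classify(beacon: Beacon) -> list[str]:
    """Return the reasons a beacon looks like a rogue copy of the corporate network."""
    if _norm(beacon.ssid) != _norm(CORP_SSID):
        return []  # unrelated neighbouring network
    reasons = []
    if beacon.bssid.lower() not in KNOWN_BSSIDS:
        reasons.append("corporate SSID from unknown BSSID")
    if beacon.security != EXPECTED_SECURITY:
        reasons.append(f"unexpected security mode: {beacon.security}")
    return reasons


def find_rogues(scan: list[Beacon]) -> dict[str, list[str]]:
    """Map each suspicious BSSID to its reasons; clean beacons are omitted."""
    return {b.bssid: why for b in scan if (why := classify(b))}


# Constructed scan results, as a site-survey sensor might report them.
SAMPLE_SCAN = [
    Beacon("ExampleCorp", "02:00:00:aa:00:01", "WPA2-Enterprise", -52),
    Beacon("ExampleCorp", "02:00:00:AA:00:02", "WPA2-Enterprise", -60),
    Beacon("ExampleCorp", "02:00:00:bb:00:09", "Open", -41),
    Beacon("examplecorp ", "02:00:00:bb:00:0a", "WPA2-Enterprise", -47),
    Beacon("CoffeeShop-Guest", "02:00:00:cc:00:01", "WPA2-Personal", -80),
]

if __name__ == "__main__":
    for bssid, why in find_rogues(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(why))
```

A BSSID can be spoofed, so an inventory match alone does not prove an access point is legitimate; the check catches the cheaper case of an unlisted radio reusing the network name.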