Secondhand IoT Devices, Firsthand Threats to Security
From thermostats and voice assistants to fitness trackers and toys, smart and internet-connected gadgets are now found in nearly every room of most homes. It’s tempting to try and save money on these devices by capitalizing on less expensive secondhand products sold by third-parties like eBay, Craigslist and even friends or family. But, you may want to think twice before doing this.
The Risk of the Unknown
There are serious cybersecurity risks associated with buying secondhand IoT devices. It’s very difficult to have full visibility into the device’s history, leaving consumers unaware of any modifications – malicious or otherwise – that have been made to the product since leaving the factory floor. Is a device’s camera sending captured footage elsewhere? Is that router pre-infected with a distributed-denial-of-service bot? Or is the smart light bulb sharing movement data to inform when you’re not home? These may seem like extreme examples, but the reality is for most consumers there’s no way to know if secondhand IoT devices have been compromised. Unfortunately, these risks are often unknown or overlooked in favor of cheap, easily accessible deals on internet-connected devices found through sites that many consumers, myself included, deem credible.
To ensure the integrity of any connected device, it’s best to purchase devices directly from the manufacturer or prominent retailers. However, if you are choosing to purchase a secondhand device, there are steps you can take to reduce the cyber risks associated with these products.
Mitigating Threats
The best way to protect yourself is to perform a factory reset on any device – and it’s easy to do! This will restore the device to its original state, essentially erasing all of the information, settings, applications and data previously added to the device by other users. You might even have some experience taking this critical first step because earlier this year, the Federal Bureau of Investigation asked U.S. households to reset home Wi-Fi routers to prevent a malicious bug called VPNFilter from gaining control of home networks. No matter what type of device you are purchasing secondhand, the first action you take should always be to perform a factory reset.
Unfortunately, cybercriminals are taking advantage of the popularity and resulting growth in smart devices to launch attacks and invade privacy. It’s easy for these actors to purchase new devices, infect them with malware and then sell the devices at a reduced rate to unsuspecting consumers. What’s worse, device manufacturers rarely build IoT devices with security in mind, leaving consumers open to greater risk. Another precaution people can take to mitigate these risks is to update default passwords to be more complex and make sure the latest firmware available from the manufacturer is downloaded and updated on all smart devices.
These lessons also apply to people selling their unwanted or old devices. Always do a factory reset before selling your device so you don’t end up sharing your data or personal information with its new owner. You don’t want to inadvertently share account information for an application with other people – even if it’s just your Netflix queue!
Education is Key
As you’re looking for ways to make your home secure, look no further than your smart devices. These devices can often add convenience and value to our lives, but not without risks. Educate yourself and your household about the risks associated with connected devices and how to best protect your data and privacy. It’s okay to take advantage of secondhand markets to snag the latest and greatest products or offload old or unwanted devices to be reused by new owners. Just make sure to practice good cyber hygiene and take the necessary precautions to protect your privacy.
By Laurence Pitt
Published with permission from forums.juniper.net/t5/Blogs/ct-p/blogs