Buying a “Used” Router


54















I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. I plan to use it for a home network at a cottage.



I'm a bit nervous that it could have been modified by whoever had it last.




  1. What are the main risks in this scenario?

  2. What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?










asked yesterday
GWR


















  • 9





    @R.. Buying used goods isn't necessarily just about saving money

    – user2390246
    22 hours ago











  • The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.

    – Kapten-N
    22 hours ago











  • @Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.

    – Mołot
    18 hours ago













  • @Mołot You must still be connected to it and power it while you do the install. Who knows that the device does then? A compromised device could infect other devices that it is connected to.

    – Kapten-N
    18 hours ago











  • Just be sure to check the alignment and buy all new bits for it.

    – Hot Licks
    15 hours ago
























6 Answers


















95














Short answer: do a factory reset, update the firmware, and you are good to go.



The risk is very low, bordering on zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



So, don't worry, unless you are a person of special interest: working on top-secret stuff or having privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






edited yesterday
answered yesterday
ThoriumBR





















  • 4





    Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

    – Luc
    yesterday






  • 48





    The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers in the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think it is plausible...

    – ThoriumBR
    yesterday






  • 7





    Possible, yes, but so improbable that it can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

    – ThoriumBR
    yesterday






  • 28





    Trust me, you're not that interesting.

    – hft
    yesterday






  • 4





    @Nelson you mean xkcd.com/538?

    – Baldrickk
    23 hours ago



















12














The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.



You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.



But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.



Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There is open-source after-market firmware you can use.

























  • 1





    what about downloading a new firmware from the router's support site (rather than openWRT)?

    – dandavis
    yesterday






  • 3





    If there is one available from the router's manufacturer, it should be the preferred one!

    – CyberDude
    yesterday






  • 1





    Sure, if available.

    – schroeder
    yesterday











  • Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

    – tim
    yesterday











  • "...you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with..." I'm curious to know what physical signs I'd see in the case to know that the firmware (software) had been changed in any way. I've updated firmware on a couple of routers and even installed DD-WRT - I never opened the router case, and to the best of my knowledge, it left no physical evidence behind. What did I miss?

    – FreeMan
    18 hours ago



















11














By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.



Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.



Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.






– bta




























    3














    In short: If you really care about stuff like that, go into a retail store and buy a new router that's in stock. The risk is small, but you can't easily mitigate it.



    I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.



    But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake), and a physical button probably also just sends a signal to the current firmware that it should reset itself. Serial transfer is also handled by the current firmware, I would expect.



    Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).



    And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.





































      1















      What are the main risks in this scenario?




      I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.






























      • You mean website logins & passwords? Saved cookies? How & where do routers save those?

        – Xen2050
        6 hours ago











      • I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

        – Sjoerd
        2 hours ago



















      1














      If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.



      Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.






      – jeronino
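Two of the checks proposed in the answers above, verifying a vendor firmware download against the manufacturer's published digest before trusting it (ThoriumBR, bta) and comparing a flash dump taken over JTAG/SPI with the image of the version the router claims to run (jeronino), can be made concrete. The following is an added example, not code from any answer here: the 64 KiB flash size, the partition layout and both sample images are constructed, the dump itself is assumed to have been obtained out of band as jeronino describes, and the published digest is whatever the manufacturer lists for that version.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    name: str
    offset: int
    size: int
    immutable: bool  # True: must match the vendor image byte for byte


# Hypothetical layout for a toy 64 KiB flash (constructed, not a real device's).
# Bootloader, kernel and rootfs come from the vendor image and must not differ;
# the config/NVRAM partition holds the owner's settings and is expected to differ.
FLASH_SIZE = 0x10000
LAYOUT = (
    Partition("bootloader", 0x0000, 0x1000, True),
    Partition("kernel",     0x1000, 0x6000, True),
    Partition("rootfs",     0x7000, 0x8000, True),
    Partition("config",     0xF000, 0x1000, False),
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_vendor_image(image: bytes, published_sha256: str) -> bool:
    """Check a downloaded vendor image against the digest the vendor publishes
    for that version, before using it as the reference or flashing it."""
    return hmac.compare_digest(sha256_hex(image), published_sha256.lower())


def diff_regions(a: bytes, b: bytes, block: int = 256) -> list[tuple[int, int]]:
    """Byte ranges [start, end) where a and b differ, compared block-wise and
    merged into contiguous runs. A length mismatch counts as a difference."""
    n = max(len(a), len(b))
    ranges: list[tuple[int, int]] = []
    for off in range(0, n, block):
        if a[off:off + block] != b[off:off + block]:
            end = min(off + block, n)
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)
            else:
                ranges.append((off, end))
    return ranges


def audit_dump(dump: bytes, reference: bytes,
               layout: tuple[Partition, ...] = LAYOUT) -> dict[str, list[tuple[int, int]]]:
    """Compare each immutable partition of the dump with the vendor image.

    Returns {partition: [(abs_start, abs_end), ...]} for partitions that differ;
    an empty dict means the dump matches the vendor image everywhere it should.
    """
    findings: dict[str, list[tuple[int, int]]] = {}
    if len(dump) != len(reference):
        lo, hi = sorted((len(dump), len(reference)))
        findings["<size>"] = [(lo, hi)]
    for p in layout:
        if not p.immutable:
            continue
        d = dump[p.offset:p.offset + p.size]
        r = reference[p.offset:p.offset + p.size]
        regions = [(p.offset + s, p.offset + e) for s, e in diff_regions(d, r)]
        if regions:
            findings[p.name] = regions
    return findings


# --- constructed sample data ---------------------------------------------
# Deterministic stand-in for the vendor image of the version the router
# reports; a real check would load the downloaded (and digest-verified) file.
REFERENCE = bytes((i * 7 + 3) & 0xFF for i in range(FLASH_SIZE))

# Dump of a router that was only configured by its previous owner: the config
# partition differs (here simply erased to 0xFF), nothing else does.
_clean = bytearray(REFERENCE)
_clean[0xF000:0x10000] = b"\xff" * 0x1000
CLEAN_DUMP = bytes(_clean)

# Dump where 32 bytes inside rootfs were altered (constructed marker: zeros).
_tampered = bytearray(CLEAN_DUMP)
_tampered[0x9010:0x9030] = b"\x00" * 0x20
TAMPERED_DUMP = bytes(_tampered)


def demo() -> tuple[dict, dict]:
    """Audit both constructed dumps against the reference image."""
    return audit_dump(CLEAN_DUMP, REFERENCE), audit_dump(TAMPERED_DUMP, REFERENCE)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean dump   :", clean or "matches vendor image in all immutable partitions")
    print("tampered dump:", tampered)
```

A non-empty result only tells you which partition and which 256-byte blocks differ; whether the difference is benign (e.g. a vendor build variant) or a modification is the investigator's call, and the reference must itself have passed `verify_vendor_image` first.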



















        protected by schroeder 19 hours ago



        Thank you for your interest in this question.
        Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



        Would you like to answer one of these unanswered questions instead?














        6 Answers
        6






        active

        oldest

        votes








        6 Answers
        6






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        95














        Short answer: do a factory reset, update the firmware, and you are good to go.



        The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



        The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



        So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






        share|improve this answer





















        • 4





          Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

          – Luc
          yesterday






        • 48





          The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

          – ThoriumBR
          yesterday






        • 7





          Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

          – ThoriumBR
          yesterday






        • 28





          Trust me, you're not that interesting.

          – hft
          yesterday






        • 4





          @Nelson you mean xkcd.com/538?

          – Baldrickk
          23 hours ago
















        95














        Short answer: do a factory reset, update the firmware, and you are good to go.



        The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



        The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



        So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






        share|improve this answer





















        • 4





          Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

          – Luc
          yesterday






        • 48





          The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

          – ThoriumBR
          yesterday






        • 7





          Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

          – ThoriumBR
          yesterday






        • 28





          Trust me, you're not that interesting.

          – hft
          yesterday






        • 4





          @Nelson you mean xkcd.com/538?

          – Baldrickk
          23 hours ago














        95












        95








        95







        Short answer: do a factory reset, update the firmware, and you are good to go.



        The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



        The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



        So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






        share|improve this answer















        Short answer: do a factory reset, update the firmware, and you are good to go.



        The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



        The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



        So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited yesterday

























        answered yesterday









        ThoriumBRThoriumBR

        22.5k65470




        22.5k65470








        • 4





          Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

          – Luc
          yesterday






        • 48





          The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

          – ThoriumBR
          yesterday






        • 7





          Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

          – ThoriumBR
          yesterday






        • 28





          Trust me, you're not that interesting.

          – hft
          yesterday






        • 4





          @Nelson you mean xkcd.com/538?

          – Baldrickk
          23 hours ago














        • 4





          Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

          – Luc
          yesterday






        • 48





• Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
  – Luc
  yesterday

• The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers in the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think it is plausible...
  – ThoriumBR
  yesterday

• Possible, yes, but so improbable that it can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
  – ThoriumBR
  yesterday

• Trust me, you're not that interesting.
  – hft
  yesterday

• @Nelson you mean xkcd.com/538?
  – Baldrickk
  23 hours ago

The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network: passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario, but easy for someone to do.

You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.

But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.

Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There is open-source after-market firmware you can use.

answered yesterday
schroeder

• What about downloading new firmware from the router's support site (rather than OpenWRT)?
  – dandavis
  yesterday

• If there is one available from the router's manufacturer, it should be the preferred one!
  – CyberDude
  yesterday

• Sure, if available.
  – schroeder
  yesterday

• Given how common authenticated command injection / code execution (e.g. via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via the web interface of the router, this should be trivial; for an update via serial interface or firmware reset, probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
  – tim
  yesterday

• "...you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with..." I'm curious to know what physical signs I'd see in the case to know that the firmware (software) had been changed in any way. I've updated firmware on a couple of routers and even installed DD-WRT - I never opened the router case, and to the best of my knowledge, it left no physical evidence behind. What did I miss?
  – FreeMan
  18 hours ago

By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.

Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.

Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.

answered yesterday
bta

In short: if you really care about stuff like that, go into a retail store and buy a new router that's in stock. The risk is small, but you can't easily mitigate it.

I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.

But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake), and a physical button probably also just sends a signal to the current firmware that it should reset itself. Serial transfer is also handled by the current firmware, I would expect.

Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent), then I'm pretty sure resetting isn't much better than just trusting the device to be basically OK (of course you should reset it anyway to get rid of the settings of previous owners).

And I don't know enough about JTAG to assess its security; the only thing I'm sure about is that it's less trivial to fake than the web interface/button.

answered 22 hours ago
Nobody

What are the main risks in this scenario?

I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.

answered 23 hours ago
Sjoerd

• You mean website logins & passwords? Saved cookies? How & where do routers save those?
  – Xen2050
  6 hours ago

• I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
  – Sjoerd
  2 hours ago

                        1














If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via JTAG or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using JTAG/SPI or whatever and compare it with the firmware version that is shown as being installed.

Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.






answered 19 hours ago

jeronino
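As an added example (not part of jeronino's answer) of the comparison step: once you have a raw dump read directly from the flash chip over SPI or JTAG, compare it against the vendor image for the version the router claims to be running, partition by partition, so that the config/NVRAM region that legitimately differs between units does not drown out a change in the firmware region. The partition layout, the two images and the implanted bytes below are constructed toy data, not a real device's layout.

```python
"""Compare a raw flash dump (read over SPI/JTAG) against a known-good vendor image.

Added example, not part of the original answer. The partition layout, sizes and both
images are constructed toy data; a real layout comes from the chip datasheet, the
bootloader's boot log, or /proc/mtd on a unit you trust.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Partition:
    name: str
    offset: int
    size: int
    volatile: bool  # expected to differ between units (config/NVRAM, logs)


# Hypothetical 64 KiB layout, shrunk from the MiB-sized reality so it runs in memory.
LAYOUT = [
    Partition("bootloader", 0x0000, 0x4000, volatile=False),
    Partition("firmware", 0x4000, 0x8000, volatile=False),
    Partition("nvram", 0xC000, 0x4000, volatile=True),
]
FLASH_SIZE = 0x10000


def build_image(parts: Dict[str, bytes]) -> bytes:
    """Lay the given partition contents into an erased (0xFF-filled) flash image."""
    img = bytearray(b"\xff" * FLASH_SIZE)
    for p in LAYOUT:
        data = parts.get(p.name, b"")
        if len(data) > p.size:
            raise ValueError(f"{p.name} content exceeds partition size")
        img[p.offset:p.offset + len(data)] = data
    return bytes(img)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) ranges where two equal-length buffers differ."""
    if len(a) != len(b):
        raise ValueError("buffers differ in length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_dump(dump: bytes, reference: bytes) -> Dict[str, dict]:
    """Per-partition verdict. Volatile partitions are hashed but not diffed."""
    if len(dump) != len(reference):
        raise ValueError("dump and reference image differ in size")
    report = {}
    for p in LAYOUT:
        d = dump[p.offset:p.offset + p.size]
        r = reference[p.offset:p.offset + p.size]
        entry = {"match": d == r, "skipped": p.volatile, "diff_ranges": [],
                 "dump_sha256": sha256(d), "ref_sha256": sha256(r)}
        if not p.volatile and d != r:
            # absolute flash offsets, so a hit can be looked up directly in the dump
            entry["diff_ranges"] = [(p.offset + s, p.offset + e) for s, e in diff_ranges(d, r)]
        report[p.name] = entry
    return report


# Constructed reference: fake bootloader banner, fake squashfs magic plus filler, default config.
REFERENCE_IMAGE = build_image({
    "bootloader": b"U-Boot 1.1.4 (toy build)",
    "firmware": b"hsqs" + bytes(range(256)) * 8,
    "nvram": b"wan_proto=dhcp\x00",
})

# Constructed "dump": the same image with 9 bytes implanted in the firmware partition
# and a different, legitimately user-specific, NVRAM.
PATCH_OFFSET = 0x4000 + 0x120
PATCH = b"/bin/evil"
NEW_NVRAM = b"wan_proto=pppoe\x00pppoe_user=x\x00"
_t = bytearray(REFERENCE_IMAGE)
_t[PATCH_OFFSET:PATCH_OFFSET + len(PATCH)] = PATCH
_t[0xC000:0xC000 + len(NEW_NVRAM)] = NEW_NVRAM
TAMPERED_DUMP = bytes(_t)

if __name__ == "__main__":
    for name, e in compare_dump(TAMPERED_DUMP, REFERENCE_IMAGE).items():
        hits = [(hex(s), hex(t)) for s, t in e["diff_ranges"]]
        status = "skipped (volatile)" if e["skipped"] else ("OK" if e["match"] else f"MISMATCH at {hits}")
        print(f"{name:10} {status}")
```

The reference image must come from the vendor, or from a known-good unit of the same model and firmware version, and the dump must be read from the chip itself (device powered off with a clip on the SPI flash, or a JTAG read), because a read performed through the running, possibly compromised, firmware can be lied to. A mismatch only in the volatile partition is expected; a mismatch in the firmware or bootloader partition is what you are looking for.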
