Buying a “Used” RouterSomeone used my router to set up their own networkRouter forensicssecurity updates...

How can the probability of a fumble decrease linearly with more dice?

Subsurf on a crown. How can I smooth some edges and keep others sharp?

What is a DAG (Graph Theory)?

microtype error with lualatex: "attempt to call field warning a nil value"

Which RAF squadrons and aircraft types took part in the bombing of Berlin on the 25th of August 1940?

Why zero tolerance on nudity in space?

How much mayhem could I cause as a fish?

Updating Statistics: Estimated Number of Rows not equal to Actual for Index Scan. Why?

Changing the laptop's CPU. Should I reinstall Linux?

"Starve to death" Vs. "Starve to the point of death"

Does diversity provide anything that meritocracy does not?

What senses are available to a corpse subjected to a Speak with Dead spell?

What is the industry term for house wiring diagrams?

Can 5 Aarakocra PCs summon an Air Elemental?

Why do all the books in Game of Thrones library have their covers facing the back of the shelf?

Book where a space ship journeys to the center of the galaxy to find all the stars had gone supernova

Is there a lava-breathing lizard creature (that could be worshipped by a cult) in 5e?

How to deal with possible delayed baggage?

Why avoid shared user accounts?

Why does 0.-5 evaluate to -5?

Website seeing my Facebook data?

Cat is tipping over bed-side lamps during the night

The No-Straight Maze

Nuance between philia and mania?



Buying a “Used” Router


Someone used my router to set up their own networkRouter forensicssecurity updates for embedded firmware Tomato (router)Opensource firmware for WiFi routerHow can access to settings of a public router be (mis)used?Safe to download router firmware over unencrypted HTTP?Is my router not capable for WAN securityWork from home, remote monitoring software, vpn, privacyWhat are the risks of buying a used/refurbished computer? How can I mitigate those risks?Secure onion router setup













98















I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.



I'm a bit nervous that it could have been modified by whoever had it last.




  1. What are the main risks in this scenario?

  2. What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?


Update: The device model is a TP-Link AC4500 (archer) router.










share|improve this question




















  • 33





    @R.. Buying used goods isn't necessarily just about saving money

    – user2390246
    Feb 20 at 10:37






  • 2





    The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.

    – Kapten-N
    Feb 20 at 10:56






  • 1





    @Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.

    – Mołot
    Feb 20 at 14:41








  • 14





    Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.

    – Cristian Ciupitu
    Feb 21 at 5:04






  • 4





    @only_pro Reducing waste

    – user2390246
    Feb 22 at 16:34
















98















I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.



I'm a bit nervous that it could have been modified by whoever had it last.




  1. What are the main risks in this scenario?

  2. What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?


Update: The device model is a TP-Link AC4500 (archer) router.










share|improve this question




















  • 33





    @R.. Buying used goods isn't necessarily just about saving money

    – user2390246
    Feb 20 at 10:37






  • 2





    The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.

    – Kapten-N
    Feb 20 at 10:56






  • 1





    @Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.

    – Mołot
    Feb 20 at 14:41








  • 14





    Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.

    – Cristian Ciupitu
    Feb 21 at 5:04






  • 4





    @only_pro Reducing waste

    – user2390246
    Feb 22 at 16:34














98












98








98


15






I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.



I'm a bit nervous that it could have been modified by whoever had it last.




  1. What are the main risks in this scenario?

  2. What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?


Update: The device model is a TP-Link AC4500 (archer) router.










share|improve this question
















I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.



I'm a bit nervous that it could have been modified by whoever had it last.




  1. What are the main risks in this scenario?

  2. What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?


Update: The device model is a TP-Link AC4500 (archer) router.







hardware router firmware reinstall






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited yesterday







GWR

















asked Feb 19 at 17:23









GWRGWR

666159




666159








  • 33





    @R.. Buying used goods isn't necessarily just about saving money

    – user2390246
    Feb 20 at 10:37






  • 2





    The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.

    – Kapten-N
    Feb 20 at 10:56






  • 1





    @Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.

    – Mołot
    Feb 20 at 14:41








  • 14





    Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.

    – Cristian Ciupitu
    Feb 21 at 5:04






  • 4





    @only_pro Reducing waste

    – user2390246
    Feb 22 at 16:34














  • 33





    @R.. Buying used goods isn't necessarily just about saving money

    – user2390246
    Feb 20 at 10:37






  • 2





    The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.

    – Kapten-N
    Feb 20 at 10:56






  • 1





    @Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.

    – Mołot
    Feb 20 at 14:41








  • 14





    Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.

    – Cristian Ciupitu
    Feb 21 at 5:04






  • 4





    @only_pro Reducing waste

    – user2390246
    Feb 22 at 16:34








33




33





@R.. Buying used goods isn't necessarily just about saving money

– user2390246
Feb 20 at 10:37





@R.. Buying used goods isn't necessarily just about saving money

– user2390246
Feb 20 at 10:37




2




2





The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.

– Kapten-N
Feb 20 at 10:56





The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.

– Kapten-N
Feb 20 at 10:56




1




1





@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.

– Mołot
Feb 20 at 14:41







@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.

– Mołot
Feb 20 at 14:41






14




14





Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.

– Cristian Ciupitu
Feb 21 at 5:04





Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.

– Cristian Ciupitu
Feb 21 at 5:04




4




4





@only_pro Reducing waste

– user2390246
Feb 22 at 16:34





@only_pro Reducing waste

– user2390246
Feb 22 at 16:34










9 Answers
9






active

oldest

votes


















167














Short answer: do a factory reset, update the firmware, and you are good to go.



The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






share|improve this answer





















  • 9





    Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

    – Luc
    Feb 19 at 21:20






  • 96





    The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

    – ThoriumBR
    Feb 19 at 21:27






  • 18





    Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

    – ThoriumBR
    Feb 19 at 21:29






  • 82





    Trust me, you're not that interesting.

    – hft
    Feb 19 at 23:16






  • 24





    @Nelson you mean xkcd.com/538?

    – Baldrickk
    Feb 20 at 9:41



















23














The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.



You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.



But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.



Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.






share|improve this answer



















  • 1





    what about downloading a new firmware from the router's support site (rather than openWRT)?

    – dandavis
    Feb 19 at 17:35






  • 4





    If there is one available from the router's manufacturer, it should be the preferred one!

    – CyberDude
    Feb 19 at 18:04






  • 1





    Sure, if available.

    – schroeder
    Feb 19 at 18:08











  • Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

    – tim
    Feb 19 at 20:57






  • 1





    @FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.

    – schroeder
    Feb 20 at 14:51



















18














By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.



Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.



Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.






share|improve this answer








New contributor




bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




























    8














    In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.



    I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.



    But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.



    Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).



    And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.






    share|improve this answer
























    • "and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.

      – i486
      Feb 21 at 14:13





















    7















    What are the main risks in this scenario?




    I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.






    share|improve this answer



















    • 1





      You mean website logins & passwords? Saved cookies? How & where do routers save those?

      – Xen2050
      Feb 21 at 3:05






    • 1





      I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

      – Sjoerd
      Feb 21 at 7:09






    • 2





      IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.

      – Criggie
      Feb 22 at 3:41



















    5














    If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.



    Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.






    share|improve this answer








    New contributor




    jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.




























      2














      Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.



      Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.






      share|improve this answer































        1














        As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.






        share|improve this answer































          0














          Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.



          You need to open the router before using it.



          If you see something like this...





          ...then chances are someone could easily sniff your Ethernet packets with one of these:





          Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.



          If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.



          I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.






          share|improve this answer



















          • 1





            It would be pretty easy to compromise a router without a hardware implant.

            – forest
            2 days ago










          protected by schroeder Feb 20 at 14:12



          Thank you for your interest in this question.
          Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



          Would you like to answer one of these unanswered questions instead?














          9 Answers
          9






          active

          oldest

          votes








          9 Answers
          9






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          167














          Short answer: do a factory reset, update the firmware, and you are good to go.



          The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



          The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



          So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






          share|improve this answer





















          • 9





            Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

            – Luc
            Feb 19 at 21:20






          • 96





            The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

            – ThoriumBR
            Feb 19 at 21:27






          • 18





            Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

            – ThoriumBR
            Feb 19 at 21:29






          • 82





            Trust me, you're not that interesting.

            – hft
            Feb 19 at 23:16






          • 24





            @Nelson you mean xkcd.com/538?

            – Baldrickk
            Feb 20 at 9:41
















          167














          Short answer: do a factory reset, update the firmware, and you are good to go.



          The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



          The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



          So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






          share|improve this answer





















          • 9





            Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

            – Luc
            Feb 19 at 21:20






          • 96





            The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

            – ThoriumBR
            Feb 19 at 21:27






          • 18





            Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

            – ThoriumBR
            Feb 19 at 21:29






          • 82





            Trust me, you're not that interesting.

            – hft
            Feb 19 at 23:16






          • 24





            @Nelson you mean xkcd.com/538?

            – Baldrickk
            Feb 20 at 9:41














          167












          167








          167







          Short answer: do a factory reset, update the firmware, and you are good to go.



          The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



          The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



          So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.






          share|improve this answer















          Short answer: do a factory reset, update the firmware, and you are good to go.



          The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.



          The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.



          So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Feb 19 at 20:45

























          answered Feb 19 at 17:57









          ThoriumBRThoriumBR

          23.2k75570




          23.2k75570








          • 9





            Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

            – Luc
            Feb 19 at 21:20






          • 96





            The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

            – ThoriumBR
            Feb 19 at 21:27






          • 18





            Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

            – ThoriumBR
            Feb 19 at 21:29






          • 82





            Trust me, you're not that interesting.

            – hft
            Feb 19 at 23:16






          • 24





            @Nelson you mean xkcd.com/538?

            – Baldrickk
            Feb 20 at 9:41














          • 9





            Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

            – Luc
            Feb 19 at 21:20






          • 96





            The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

            – ThoriumBR
            Feb 19 at 21:27






          • 18





            Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

            – ThoriumBR
            Feb 19 at 21:29






          • 82





            Trust me, you're not that interesting.

            – hft
            Feb 19 at 23:16






          • 24





            @Nelson you mean xkcd.com/538?

            – Baldrickk
            Feb 20 at 9:41








          9




          9





          Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

          – Luc
          Feb 19 at 21:20





          Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.

          – Luc
          Feb 19 at 21:20




          96




          96





          The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

          – ThoriumBR
          Feb 19 at 21:27





          The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...

          – ThoriumBR
          Feb 19 at 21:27




          18




          18





          Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

          – ThoriumBR
          Feb 19 at 21:29





          Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...

          – ThoriumBR
          Feb 19 at 21:29




          82




          82





          Trust me, you're not that interesting.

          – hft
          Feb 19 at 23:16





          Trust me, you're not that interesting.

          – hft
          Feb 19 at 23:16




          24




          24





          @Nelson you mean xkcd.com/538?

          – Baldrickk
          Feb 20 at 9:41





          @Nelson you mean xkcd.com/538?

          – Baldrickk
          Feb 20 at 9:41













          23














          The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.



          You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.



          But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.



          Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.






          share|improve this answer



















          • 1





            what about downloading a new firmware from the router's support site (rather than openWRT)?

            – dandavis
            Feb 19 at 17:35






          • 4





            If there is one available from the router's manufacturer, it should be the preferred one!

            – CyberDude
            Feb 19 at 18:04






          • 1





            Sure, if available.

            – schroeder
            Feb 19 at 18:08











          • Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

            – tim
            Feb 19 at 20:57






          • 1





            @FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.

            – schroeder
            Feb 20 at 14:51
















          23














          The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.



          You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.



          But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.



          Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.






          share|improve this answer



















          • 1





            what about downloading a new firmware from the router's support site (rather than openWRT)?

            – dandavis
            Feb 19 at 17:35






          • 4





            If there is one available from the router's manufacturer, it should be the preferred one!

            – CyberDude
            Feb 19 at 18:04






          • 1





            Sure, if available.

            – schroeder
            Feb 19 at 18:08











          • Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

            – tim
            Feb 19 at 20:57






          • 1





            @FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.

            – schroeder
            Feb 20 at 14:51














          23












          23








          23







          The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.



          You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.



          But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.



          Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.






          share|improve this answer













          The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.



          You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.



          But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.



          Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Feb 19 at 17:30









          schroederschroeder

          77.1k30170206




          77.1k30170206








          • 1





            what about downloading a new firmware from the router's support site (rather than openWRT)?

            – dandavis
            Feb 19 at 17:35






          • 4





            If there is one available from the router's manufacturer, it should be the preferred one!

            – CyberDude
            Feb 19 at 18:04






          • 1





            Sure, if available.

            – schroeder
            Feb 19 at 18:08











          • Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

            – tim
            Feb 19 at 20:57






          • 1





            @FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.

            – schroeder
            Feb 20 at 14:51














          • 1





            what about downloading a new firmware from the router's support site (rather than openWRT)?

            – dandavis
            Feb 19 at 17:35






          • 4





            If there is one available from the router's manufacturer, it should be the preferred one!

            – CyberDude
            Feb 19 at 18:04






          • 1





            Sure, if available.

            – schroeder
            Feb 19 at 18:08











          • Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

            – tim
            Feb 19 at 20:57






          • 1





            @FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.

            – schroeder
            Feb 20 at 14:51








          1




          1





          what about downloading a new firmware from the router's support site (rather than openWRT)?

          – dandavis
          Feb 19 at 17:35





          what about downloading a new firmware from the router's support site (rather than openWRT)?

          – dandavis
          Feb 19 at 17:35




          4




          4





          If there is one available from the router's manufacturer, it should be the preferred one!

          – CyberDude
          Feb 19 at 18:04





          If there is one available from the router's manufacturer, it should be the preferred one!

          – CyberDude
          Feb 19 at 18:04




          1




          1





          Sure, if available.

          – schroeder
          Feb 19 at 18:08





          Sure, if available.

          – schroeder
          Feb 19 at 18:08













          Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

          – tim
          Feb 19 at 20:57





          Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).

          – tim
          Feb 19 at 20:57




          1




          1





          @FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.

          – schroeder
          Feb 20 at 14:51





          @FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.

          – schroeder
          Feb 20 at 14:51











          18














          By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.



          Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.



          Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.






          share|improve this answer








          New contributor




          bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.

























            18














            By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.



            Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.



            Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.






            share|improve this answer








            New contributor




            bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.























              18












              18








              18







              By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.



              Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.



              Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.






              share|improve this answer








              New contributor




              bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.










              By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.



              Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.



              Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.







              share|improve this answer








              New contributor




              bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.









              share|improve this answer



              share|improve this answer






              New contributor




              bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.









              answered Feb 19 at 19:55









              btabta

              28015




              28015




              New contributor




              bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.





              New contributor





              bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.






              bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.























                  8














                  In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.



                  I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.



                  But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.



                  Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).



                  And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.






                  share|improve this answer
























                  • "and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.

                    – i486
                    Feb 21 at 14:13


















                  8














                  In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.



                  I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.



                  But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.



                  Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).



                  And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.






                  share|improve this answer
























                  • "and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.

                    – i486
                    Feb 21 at 14:13
















                  8












                  8








                  8







                  In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.



                  I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.



                  But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.



                  Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).



                  And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.






                  share|improve this answer













                  In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.



                  I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.



                  But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.



                  Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).



                  And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 20 at 10:56









                  NobodyNobody

                  45529




                  45529













                  • "and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.

                    – i486
                    Feb 21 at 14:13





















                  • "and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.

                    – i486
                    Feb 21 at 14:13



















                  "and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.

                  – i486
                  Feb 21 at 14:13







                  "and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.

                  – i486
                  Feb 21 at 14:13













                  7















                  What are the main risks in this scenario?




                  I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.






                  share|improve this answer



















                  • 1





                    You mean website logins & passwords? Saved cookies? How & where do routers save those?

                    – Xen2050
                    Feb 21 at 3:05






                  • 1





                    I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

                    – Sjoerd
                    Feb 21 at 7:09






                  • 2





                    IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.

                    – Criggie
                    Feb 22 at 3:41
















                  7















                  What are the main risks in this scenario?




                  I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.






                  share|improve this answer



















                  • 1





                    You mean website logins & passwords? Saved cookies? How & where do routers save those?

                    – Xen2050
                    Feb 21 at 3:05






                  • 1





                    I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

                    – Sjoerd
                    Feb 21 at 7:09






                  • 2





                    IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.

                    – Criggie
                    Feb 22 at 3:41














                  7












                  7








                  7








                  What are the main risks in this scenario?




                  I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.






                  share|improve this answer














                  What are the main risks in this scenario?




                  I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 20 at 9:49









                  SjoerdSjoerd

                  19.4k94662




                  19.4k94662








                  • 1





                    You mean website logins & passwords? Saved cookies? How & where do routers save those?

                    – Xen2050
                    Feb 21 at 3:05






                  • 1





                    I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

                    – Sjoerd
                    Feb 21 at 7:09






                  • 2





                    IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.

                    – Criggie
                    Feb 22 at 3:41














                  • 1





                    You mean website logins & passwords? Saved cookies? How & where do routers save those?

                    – Xen2050
                    Feb 21 at 3:05






                  • 1





                    I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

                    – Sjoerd
                    Feb 21 at 7:09






                  • 2





                    IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.

                    – Criggie
                    Feb 22 at 3:41








                  1




                  1





                  You mean website logins & passwords? Saved cookies? How & where do routers save those?

                  – Xen2050
                  Feb 21 at 3:05





                  You mean website logins & passwords? Saved cookies? How & where do routers save those?

                  – Xen2050
                  Feb 21 at 3:05




                  1




                  1





                  I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

                  – Sjoerd
                  Feb 21 at 7:09





                  I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.

                  – Sjoerd
                  Feb 21 at 7:09




                  2




                  2





                  IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.

                  – Criggie
                  Feb 22 at 3:41





                  IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.

                  – Criggie
                  Feb 22 at 3:41











                  5














                  If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.



                  Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.






                  share|improve this answer








                  New contributor




                  jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.

























                    5














                    If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.



                    Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.






                    share|improve this answer








                    New contributor




                    jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.























                      5












                      5








                      5







                      If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.



                      Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.






                      share|improve this answer








                      New contributor




                      jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.










                      If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.



                      Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.







                      share|improve this answer








                      New contributor




                      jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      share|improve this answer



                      share|improve this answer






                      New contributor




                      jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      answered Feb 20 at 13:53









                      jeroninojeronino

                      511




                      511




                      New contributor




                      jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





                      New contributor





                      jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.























                          2














                          Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.



                          Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.






                          share|improve this answer




























                            2














                            Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.



                            Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.






                            share|improve this answer


























                              2












                              2








                              2







                              Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.



                              Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.






                              share|improve this answer













                              Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.



                              Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered Feb 22 at 3:39









                              CriggieCriggie

                              31019




                              31019























                                  1














                                  As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.






                                  share|improve this answer




























                                    1














                                    As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.






                                    share|improve this answer


























                                      1












                                      1








                                      1







                                      As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.






                                      share|improve this answer













                                      As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.







                                      share|improve this answer












                                      share|improve this answer



                                      share|improve this answer










                                      answered 2 days ago









                                      Yury SchkatulaYury Schkatula

                                      1512




                                      1512























                                          0














                                          Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.



                                          You need to open the router before using it.



                                          If you see something like this...





                                          ...then chances are someone could easily sniff your Ethernet packets with one of these:





                                          Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.



                                          If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.



                                          I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.






                                          share|improve this answer



















                                          • 1





                                            It would be pretty easy to compromise a router without a hardware implant.

                                            – forest
                                            2 days ago
















                                          0














                                          Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.



                                          You need to open the router before using it.



                                          If you see something like this...





                                          ...then chances are someone could easily sniff your Ethernet packets with one of these:





                                          Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.



                                          If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.



                                          I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.






                                          share|improve this answer



















                                          • 1





                                            It would be pretty easy to compromise a router without a hardware implant.

                                            – forest
                                            2 days ago














                                          0












                                          0








                                          0







                                          Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.



                                          You need to open the router before using it.



                                          If you see something like this...





                                          ...then chances are someone could easily sniff your Ethernet packets with one of these:





                                          Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.



                                          If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.



                                          I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.






                                          share|improve this answer













                                          Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.



                                          You need to open the router before using it.



                                          If you see something like this...





                                          ...then chances are someone could easily sniff your Ethernet packets with one of these:





                                          Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.



                                          If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.



                                          I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.







                                          share|improve this answer












                                          share|improve this answer



                                          share|improve this answer










                                          answered 2 days ago









                                          David RefouaDavid Refoua

                                          1428




                                          1428








                                          • 1





                                            It would be pretty easy to compromise a router without a hardware implant.

                                            – forest
                                            2 days ago














                                          • 1





                                            It would be pretty easy to compromise a router without a hardware implant.

                                            – forest
                                            2 days ago








                                          1




                                          1





                                          It would be pretty easy to compromise a router without a hardware implant.

                                          – forest
                                          2 days ago





                                          It would be pretty easy to compromise a router without a hardware implant.

                                          – forest
                                          2 days ago





                                          protected by schroeder Feb 20 at 14:12



                                          Thank you for your interest in this question.
                                          Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



                                          Would you like to answer one of these unanswered questions instead?



                                          Popular posts from this blog

                                          “%fieldName is a required field.”, in Magento2 REST API Call for GET Method Type The Next...

                                          How to change City field to a dropdown in Checkout step Magento 2Magento 2 : How to change UI field(s)...

                                          變成蝙蝠會怎樣? 參考資料 外部連結 导航菜单Thomas Nagel, "What is it like to be a...