Buying a “Used” RouterSomeone used my router to set up their own networkRouter forensicssecurity updates...
How can the probability of a fumble decrease linearly with more dice?
Subsurf on a crown. How can I smooth some edges and keep others sharp?
What is a DAG (Graph Theory)?
microtype error with lualatex: "attempt to call field warning a nil value"
Which RAF squadrons and aircraft types took part in the bombing of Berlin on the 25th of August 1940?
Why zero tolerance on nudity in space?
How much mayhem could I cause as a fish?
Updating Statistics: Estimated Number of Rows not equal to Actual for Index Scan. Why?
Changing the laptop's CPU. Should I reinstall Linux?
"Starve to death" Vs. "Starve to the point of death"
Does diversity provide anything that meritocracy does not?
What senses are available to a corpse subjected to a Speak with Dead spell?
What is the industry term for house wiring diagrams?
Can 5 Aarakocra PCs summon an Air Elemental?
Why do all the books in Game of Thrones library have their covers facing the back of the shelf?
Book where a space ship journeys to the center of the galaxy to find all the stars had gone supernova
Is there a lava-breathing lizard creature (that could be worshipped by a cult) in 5e?
How to deal with possible delayed baggage?
Why avoid shared user accounts?
Why does 0.-5 evaluate to -5?
Website seeing my Facebook data?
Cat is tipping over bed-side lamps during the night
The No-Straight Maze
Nuance between philia and mania?
Buying a “Used” Router
Someone used my router to set up their own networkRouter forensicssecurity updates for embedded firmware Tomato (router)Opensource firmware for WiFi routerHow can access to settings of a public router be (mis)used?Safe to download router firmware over unencrypted HTTP?Is my router not capable for WAN securityWork from home, remote monitoring software, vpn, privacyWhat are the risks of buying a used/refurbished computer? How can I mitigate those risks?Secure onion router setup
I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.
I'm a bit nervous that it could have been modified by whoever had it last.
- What are the main risks in this scenario?
- What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?
Update: The device model is a TP-Link AC4500 (archer) router.
hardware router firmware reinstall
asked Feb 19 at 17:23
GWRGWR
666159
|
show 6 more comments
I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.
I'm a bit nervous that it could have been modified by whoever had it last.
- What are the main risks in this scenario?
- What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?
Update: The device model is a TP-Link AC4500 (archer) router.
hardware router firmware reinstall
asked Feb 19 at 17:23
GWRGWR
666159
33
@R.. Buying used goods isn't necessarily just about saving money
– user2390246
Feb 20 at 10:37
2
The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.
– Kapten-N
Feb 20 at 10:56
1
@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.
– Mołot
Feb 20 at 14:41
14
Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.
– Cristian Ciupitu
Feb 21 at 5:04
4
@only_pro Reducing waste
– user2390246
Feb 22 at 16:34
|
show 6 more comments
I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.
I'm a bit nervous that it could have been modified by whoever had it last.
- What are the main risks in this scenario?
- What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?
Update: The device model is a TP-Link AC4500 (archer) router.
hardware router firmware reinstall
asked Feb 19 at 17:23
GWRGWR
666159
I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.
I'm a bit nervous that it could have been modified by whoever had it last.
- What are the main risks in this scenario?
- What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?
Update: The device model is a TP-Link AC4500 (archer) router.
hardware router firmware reinstall
hardware router firmware reinstall
asked Feb 19 at 17:23
GWRGWR
666159
asked Feb 19 at 17:23
GWRGWR
666159
edited yesterday
GWR
asked Feb 19 at 17:23
GWRGWR
666159
asked Feb 19 at 17:23
GWRGWR
666159
asked Feb 19 at 17:23
GWRGWR
666159
666159
33
@R.. Buying used goods isn't necessarily just about saving money
– user2390246
Feb 20 at 10:37
2
The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.
– Kapten-N
Feb 20 at 10:56
1
@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.
– Mołot
Feb 20 at 14:41
14
Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.
– Cristian Ciupitu
Feb 21 at 5:04
4
@only_pro Reducing waste
– user2390246
Feb 22 at 16:34
|
show 6 more comments
33
@R.. Buying used goods isn't necessarily just about saving money
– user2390246
Feb 20 at 10:37
2
The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.
– Kapten-N
Feb 20 at 10:56
1
@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.
– Mołot
Feb 20 at 14:41
14
Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.
– Cristian Ciupitu
Feb 21 at 5:04
4
@only_pro Reducing waste
– user2390246
Feb 22 at 16:34
33
33
@R.. Buying used goods isn't necessarily just about saving money
– user2390246
Feb 20 at 10:37
@R.. Buying used goods isn't necessarily just about saving money
– user2390246
Feb 20 at 10:37
2
2
The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.
– Kapten-N
Feb 20 at 10:56
The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.
– Kapten-N
Feb 20 at 10:56
1
1
@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.
– Mołot
Feb 20 at 14:41
@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.
– Mołot
Feb 20 at 14:41
14
14
Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.
– Cristian Ciupitu
Feb 21 at 5:04
Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.
– Cristian Ciupitu
Feb 21 at 5:04
4
4
@only_pro Reducing waste
– user2390246
Feb 22 at 16:34
@only_pro Reducing waste
– user2390246
Feb 22 at 16:34
|
show 6 more comments
9 Answers
9
active
oldest
votes
Short answer: do a factory reset, update the firmware, and you are good to go.
The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.
The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.
So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
9
Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
– Luc
Feb 19 at 21:20
96
The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...
– ThoriumBR
Feb 19 at 21:27
18
Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
– ThoriumBR
Feb 19 at 21:29
82
Trust me, you're not that interesting.
– hft
Feb 19 at 23:16
24
@Nelson you mean xkcd.com/538?
– Baldrickk
Feb 20 at 9:41
|
show 13 more comments
The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.
You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.
But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.
Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
1
what about downloading a new firmware from the router's support site (rather than openWRT)?
– dandavis
Feb 19 at 17:35
4
If there is one available from the router's manufacturer, it should be the preferred one!
– CyberDude
Feb 19 at 18:04
1
Sure, if available.
– schroeder♦
Feb 19 at 18:08
Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
– tim
Feb 19 at 20:57
1
@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.
– schroeder♦
Feb 20 at 14:51
|
show 1 more comment
By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.
Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.
Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.
answered Feb 19 at 19:55
btabta
28015
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.
I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.
But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.
Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).
And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.
answered Feb 20 at 10:56
NobodyNobody
45529
"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.
– i486
Feb 21 at 14:13
add a comment |
What are the main risks in this scenario?
I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
1
You mean website logins & passwords? Saved cookies? How & where do routers save those?
– Xen2050
Feb 21 at 3:05
1
I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
– Sjoerd
Feb 21 at 7:09
2
IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.
– Criggie
Feb 22 at 3:41
add a comment |
If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.
Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.
answered Feb 20 at 13:53
jeroninojeronino
511
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.
Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.
answered Feb 22 at 3:39
CriggieCriggie
31019
add a comment |
As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
add a comment |
Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.
You need to open the router before using it.
If you see something like this...
...then chances are someone could easily sniff your Ethernet packets with one of these:
Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.
If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.
I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.
answered 2 days ago
David RefouaDavid Refoua
1428
1
It would be pretty easy to compromise a router without a hardware implant.
– forest
2 days ago
add a comment |
protected by schroeder♦ Feb 20 at 14:12
Thank you for your interest in this question.
Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
9 Answers
9
active
oldest
votes
9 Answers
9
active
oldest
votes
active
oldest
votes
active
oldest
votes
Short answer: do a factory reset, update the firmware, and you are good to go.
The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.
The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.
So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
9
Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
– Luc
Feb 19 at 21:20
96
The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...
– ThoriumBR
Feb 19 at 21:27
18
Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
– ThoriumBR
Feb 19 at 21:29
82
Trust me, you're not that interesting.
– hft
Feb 19 at 23:16
24
@Nelson you mean xkcd.com/538?
– Baldrickk
Feb 20 at 9:41
|
show 13 more comments
Short answer: do a factory reset, update the firmware, and you are good to go.
The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.
The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.
So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
9
Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
– Luc
Feb 19 at 21:20
96
The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...
– ThoriumBR
Feb 19 at 21:27
18
Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
– ThoriumBR
Feb 19 at 21:29
82
Trust me, you're not that interesting.
– hft
Feb 19 at 23:16
24
@Nelson you mean xkcd.com/538?
– Baldrickk
Feb 20 at 9:41
|
show 13 more comments
Short answer: do a factory reset, update the firmware, and you are good to go.
The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.
The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.
So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
Short answer: do a factory reset, update the firmware, and you are good to go.
The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.
The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.
So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
edited Feb 19 at 20:45
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
answered Feb 19 at 17:57
ThoriumBRThoriumBR
23.2k75570
23.2k75570
9
Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
– Luc
Feb 19 at 21:20
96
The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...
– ThoriumBR
Feb 19 at 21:27
18
Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
– ThoriumBR
Feb 19 at 21:29
82
Trust me, you're not that interesting.
– hft
Feb 19 at 23:16
24
@Nelson you mean xkcd.com/538?
– Baldrickk
Feb 20 at 9:41
|
show 13 more comments
9
Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
– Luc
Feb 19 at 21:20
96
The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...
– ThoriumBR
Feb 19 at 21:27
18
Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
– ThoriumBR
Feb 19 at 21:29
82
Trust me, you're not that interesting.
– hft
Feb 19 at 23:16
24
@Nelson you mean xkcd.com/538?
– Baldrickk
Feb 20 at 9:41
9
9
Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
– Luc
Feb 19 at 21:20
Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site.
– Luc
Feb 19 at 21:20
96
96
The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...
– ThoriumBR
Feb 19 at 21:27
The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible...
– ThoriumBR
Feb 19 at 21:27
18
18
Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
– ThoriumBR
Feb 19 at 21:29
Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have...
– ThoriumBR
Feb 19 at 21:29
82
82
Trust me, you're not that interesting.
– hft
Feb 19 at 23:16
Trust me, you're not that interesting.
– hft
Feb 19 at 23:16
24
24
@Nelson you mean xkcd.com/538?
– Baldrickk
Feb 20 at 9:41
@Nelson you mean xkcd.com/538?
– Baldrickk
Feb 20 at 9:41
|
show 13 more comments
The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.
You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.
But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.
Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
1
what about downloading a new firmware from the router's support site (rather than openWRT)?
– dandavis
Feb 19 at 17:35
4
If there is one available from the router's manufacturer, it should be the preferred one!
– CyberDude
Feb 19 at 18:04
1
Sure, if available.
– schroeder♦
Feb 19 at 18:08
Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
– tim
Feb 19 at 20:57
1
@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.
– schroeder♦
Feb 20 at 14:51
|
show 1 more comment
The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.
You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.
But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.
Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
1
what about downloading a new firmware from the router's support site (rather than openWRT)?
– dandavis
Feb 19 at 17:35
4
If there is one available from the router's manufacturer, it should be the preferred one!
– CyberDude
Feb 19 at 18:04
1
Sure, if available.
– schroeder♦
Feb 19 at 18:08
Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
– tim
Feb 19 at 20:57
1
@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.
– schroeder♦
Feb 20 at 14:51
|
show 1 more comment
The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.
You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.
But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.
Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.
You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.
But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.
Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
answered Feb 19 at 17:30
schroeder♦schroeder
77.1k30170206
77.1k30170206
1
what about downloading a new firmware from the router's support site (rather than openWRT)?
– dandavis
Feb 19 at 17:35
4
If there is one available from the router's manufacturer, it should be the preferred one!
– CyberDude
Feb 19 at 18:04
1
Sure, if available.
– schroeder♦
Feb 19 at 18:08
Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
– tim
Feb 19 at 20:57
1
@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.
– schroeder♦
Feb 20 at 14:51
|
show 1 more comment
1
what about downloading a new firmware from the router's support site (rather than openWRT)?
– dandavis
Feb 19 at 17:35
4
If there is one available from the router's manufacturer, it should be the preferred one!
– CyberDude
Feb 19 at 18:04
1
Sure, if available.
– schroeder♦
Feb 19 at 18:08
Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
– tim
Feb 19 at 20:57
1
@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.
– schroeder♦
Feb 20 at 14:51
1
1
what about downloading a new firmware from the router's support site (rather than openWRT)?
– dandavis
Feb 19 at 17:35
what about downloading a new firmware from the router's support site (rather than openWRT)?
– dandavis
Feb 19 at 17:35
4
4
If there is one available from the router's manufacturer, it should be the preferred one!
– CyberDude
Feb 19 at 18:04
If there is one available from the router's manufacturer, it should be the preferred one!
– CyberDude
Feb 19 at 18:04
1
1
Sure, if available.
– schroeder♦
Feb 19 at 18:08
Sure, if available.
– schroeder♦
Feb 19 at 18:08
Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
– tim
Feb 19 at 20:57
Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great).
– tim
Feb 19 at 20:57
1
1
@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.
– schroeder♦
Feb 20 at 14:51
@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs.
– schroeder♦
Feb 20 at 14:51
|
show 1 more comment
By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.
Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.
Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.
answered Feb 19 at 19:55
btabta
28015
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.
Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.
Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.
answered Feb 19 at 19:55
btabta
28015
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.
Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.
Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.
answered Feb 19 at 19:55
btabta
28015
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.
Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.
Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.
answered Feb 19 at 19:55
btabta
28015
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Feb 19 at 19:55
btabta
28015
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Feb 19 at 19:55
btabta
28015
answered Feb 19 at 19:55
btabta
28015
28015
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
bta is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.
I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.
But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.
Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).
And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.
answered Feb 20 at 10:56
NobodyNobody
45529
"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.
– i486
Feb 21 at 14:13
add a comment |
In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.
I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.
But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.
Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).
And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.
answered Feb 20 at 10:56
NobodyNobody
45529
"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.
– i486
Feb 21 at 14:13
add a comment |
In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.
I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.
But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.
Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).
And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.
answered Feb 20 at 10:56
NobodyNobody
45529
In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.
I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.
But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.
Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).
And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.
answered Feb 20 at 10:56
NobodyNobody
45529
answered Feb 20 at 10:56
NobodyNobody
45529
answered Feb 20 at 10:56
NobodyNobody
45529
answered Feb 20 at 10:56
NobodyNobody
45529
45529
"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.
– i486
Feb 21 at 14:13
add a comment |
"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.
– i486
Feb 21 at 14:13
"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.
– i486
Feb 21 at 14:13
"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update.
– i486
Feb 21 at 14:13
add a comment |
What are the main risks in this scenario?
I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
1
You mean website logins & passwords? Saved cookies? How & where do routers save those?
– Xen2050
Feb 21 at 3:05
1
I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
– Sjoerd
Feb 21 at 7:09
2
IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.
– Criggie
Feb 22 at 3:41
add a comment |
What are the main risks in this scenario?
I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
1
You mean website logins & passwords? Saved cookies? How & where do routers save those?
– Xen2050
Feb 21 at 3:05
1
I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
– Sjoerd
Feb 21 at 7:09
2
IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.
– Criggie
Feb 22 at 3:41
add a comment |
What are the main risks in this scenario?
I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
What are the main risks in this scenario?
I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
answered Feb 20 at 9:49
SjoerdSjoerd
19.4k94662
19.4k94662
1
You mean website logins & passwords? Saved cookies? How & where do routers save those?
– Xen2050
Feb 21 at 3:05
1
I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
– Sjoerd
Feb 21 at 7:09
2
IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.
– Criggie
Feb 22 at 3:41
add a comment |
1
You mean website logins & passwords? Saved cookies? How & where do routers save those?
– Xen2050
Feb 21 at 3:05
1
I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
– Sjoerd
Feb 21 at 7:09
2
IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.
– Criggie
Feb 22 at 3:41
1
1
You mean website logins & passwords? Saved cookies? How & where do routers save those?
– Xen2050
Feb 21 at 3:05
You mean website logins & passwords? Saved cookies? How & where do routers save those?
– Xen2050
Feb 21 at 3:05
1
1
I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
– Sjoerd
Feb 21 at 7:09
I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface.
– Sjoerd
Feb 21 at 7:09
2
2
IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.
– Criggie
Feb 22 at 3:41
IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site.
– Criggie
Feb 22 at 3:41
add a comment |
If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.
Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.
answered Feb 20 at 13:53
jeroninojeronino
511
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.
Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.
answered Feb 20 at 13:53
jeroninojeronino
511
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.
Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.
answered Feb 20 at 13:53
jeroninojeronino
511
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.
Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.
answered Feb 20 at 13:53
jeroninojeronino
511
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Feb 20 at 13:53
jeroninojeronino
511
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Feb 20 at 13:53
jeroninojeronino
511
answered Feb 20 at 13:53
jeroninojeronino
511
511
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
jeronino is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.
Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.
answered Feb 22 at 3:39
CriggieCriggie
31019
add a comment |
Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.
Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.
answered Feb 22 at 3:39
CriggieCriggie
31019
add a comment |
Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.
Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.
answered Feb 22 at 3:39
CriggieCriggie
31019
Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.
Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.
answered Feb 22 at 3:39
CriggieCriggie
31019
answered Feb 22 at 3:39
CriggieCriggie
31019
answered Feb 22 at 3:39
CriggieCriggie
31019
answered Feb 22 at 3:39
CriggieCriggie
31019
31019
add a comment |
add a comment |
As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
add a comment |
As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
add a comment |
As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
answered 2 days ago
Yury SchkatulaYury Schkatula
1512
1512
add a comment |
add a comment |
Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.
You need to open the router before using it.
If you see something like this...
...then chances are someone could easily sniff your Ethernet packets with one of these:
Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.
If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.
I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.
answered 2 days ago
David RefouaDavid Refoua
1428
1
It would be pretty easy to compromise a router without a hardware implant.
– forest
2 days ago
add a comment |
Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.
You need to open the router before using it.
If you see something like this...
...then chances are someone could easily sniff your Ethernet packets with one of these:
Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.
If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.
I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.
answered 2 days ago
David RefouaDavid Refoua
1428
1
It would be pretty easy to compromise a router without a hardware implant.
– forest
2 days ago
add a comment |
Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.
You need to open the router before using it.
If you see something like this...
...then chances are someone could easily sniff your Ethernet packets with one of these:
Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.
If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.
I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.
answered 2 days ago
David RefouaDavid Refoua
1428
Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.
You need to open the router before using it.
If you see something like this...
...then chances are someone could easily sniff your Ethernet packets with one of these:
Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.
If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.
I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.
answered 2 days ago
David RefouaDavid Refoua
1428
answered 2 days ago
David RefouaDavid Refoua
1428
answered 2 days ago
David RefouaDavid Refoua
1428
answered 2 days ago
David RefouaDavid Refoua
1428
1428
1
It would be pretty easy to compromise a router without a hardware implant.
– forest
2 days ago
add a comment |
1
It would be pretty easy to compromise a router without a hardware implant.
– forest
2 days ago
1
1
It would be pretty easy to compromise a router without a hardware implant.
– forest
2 days ago
It would be pretty easy to compromise a router without a hardware implant.
– forest
2 days ago
add a comment |
protected by schroeder♦ Feb 20 at 14:12
Thank you for your interest in this question.
Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
33
@R.. Buying used goods isn't necessarily just about saving money
– user2390246
Feb 20 at 10:37
2
The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers.
– Kapten-N
Feb 20 at 10:56
1
@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question.
– Mołot
Feb 20 at 14:41
14
Sometimes you can't even trust new routers: Photos of an NSA “upgrade” factory show Cisco router getting implant.
– Cristian Ciupitu
Feb 21 at 5:04
4
@only_pro Reducing waste
– user2390246
Feb 22 at 16:34