Buying a "Used" Router

Question

I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.

I'm a bit nervous that it could have been modified by whoever had it last.

What are the main risks in this scenario?
What specific steps should one take before and during setup of a new router that someone else may have had access to in the past?

Update: The device model is a TP-Link AC4500 (archer) router.

@R.. Buying used goods isn't necessarily just about saving money — user2390246, Feb 20 '19 at 10:37
The answers are mostly talking about firmware. That there might be custom firmware that could be harmful, but can be fixed by doing a factory reset or installing the latest firmware from the manufacturer. But how can one be sure that there are no hardware changes? I don't think that it takes much to read or modify the traffic. Also, if you're going to download and install new firmware you must first connect it, aren't you already compromised then? I would never buy anything other than untouched routers. — Kapten-N, Feb 20 '19 at 10:56
@Kapten-N of course no one forces you to download such firmware using this particular switch. One can do it at work (if company policy allows), internet cafe, free wi-fi, mobile phone and so on. Rest of your comment looks like a separate question. — Mołot, Feb 20 '19 at 14:41
@Mołot You must still be connected to it and power it while you do the install. Who knows that the device does then? A compromised device could infect other devices that it is connected to. — Kapten-N, Feb 20 '19 at 15:03
Just be sure to check the alignment and buy all new bits for it. — Hot Licks, Feb 20 '19 at 18:07
Sometimes you can't even trust new routers: [Photos of an NSA “upgrade” factory show Cisco router getting implant](https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/). — Cristian Ciupitu, Feb 21 '19 at 05:04
@user2390246 In the case of a router, what other *possible* reason could you have? I mean, maybe if you wanted one specific model that's no longer made, but that seems like a very extreme and unusual use case, and you could still probably find it new somewhere. — user91988, Feb 22 '19 at 16:20
If you are concerned then don't do it. You might risk someone having access to your cottage IT network. — copper.hat, Feb 24 '19 at 06:20
If I sell you a used router with an added rpi zero inside, does doing a factory reset still works? ;-P — Rui F Ribeiro, Feb 24 '19 at 14:24

ThoriumBR · Accepted Answer · 2019-02-19T20:45:24.910

168

Short answer: do a factory reset, update the firmware, and you are good to go.

The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.

The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.

So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.

edited Feb 19 '19 at 20:45

answered Feb 19 '19 at 17:57

ThoriumBR

50,648
13
127
142

9

Wouldn't most people on stackoverflow/serverfault be persons of interest? They make software that gets deployed in lots of places, or manage systems for corporations. Even so, I agree with your answer in that "the risk is very low, bordering on zero", but the "person of special interest" category is broader than people often realize. Intelligence agencies are known to target sysadmins in particular. As a security consultant who knows of vulnerabilities before they are fixed, I can imagine what interest I might attract, and boy do I feel ordinary compared to the interesting people on this site. – Luc Feb 19 '19 at 21:20
98

The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy, go there before, buy all the routers on the place, put a backdoor on each one, return every one, and wait for me to buy the compromised router. I don't think is plausible... – ThoriumBR Feb 19 '19 at 21:27
18

Possible, yes, but so improbable that can be dismissed. It's orders of magnitude easier to just exploit a zero-day on the router I currently have... – ThoriumBR Feb 19 '19 at 21:29
3

@[.](//)ThoriumBR You are right. I didn't think through how much work it would be: even if we are generally interesting targets, this doesn't scale. – Luc Feb 19 '19 at 21:29
83

Trust me, you're not that interesting. – hft Feb 19 '19 at 23:16
7

Also consider the noise. If the Evil Org can't control who gets these hacked routers, they'll end up with a huge amount of noise. Best to just kidnap you and hit you with a $5 wrench until you spill the beans, if they even care. – Nelson Feb 20 '19 at 05:22
24

@Nelson you mean https://xkcd.com/538/? – Baldrickk Feb 20 '19 at 09:41
5

You're not that interesting. The Evil Organisation also doesn't care, it just wants access to hack random people in masses, buying new routers and reselling them pretending to a company that liquidates eCommerce returns, then it is plausible – Mehdi Feb 20 '19 at 15:29
2

@Mehdi they don't need to buy routers, and resell later. In some countries The Evil Organization can force the maker to put backdoors on their products and not tell anyone. – ThoriumBR Feb 20 '19 at 17:04
1

*"The Evil Organization would have to predict when I am going to buy a router, predict which make/model I will buy, where I will buy..."* Don't lots of people buy stuff online now? Intercepting a package should be child's play to an evil organization, so it doesn't matter what you buy or from where. And they could probably do something nefarious to make your existing router just *look like* it's broken – Xen2050 Feb 21 '19 at 02:51
5

So long as you initiate the purchase (that is, you're not being solicited; the seller exercises no *selectivity* in the fact that you are the customer), then this is probably no more risky than buying one off the shelf. It's not as though the commodity IT market is some paragon of security to begin with. – Feb 21 '19 at 07:16
@Xen2050 if they can make my router seem broken, it implies they already compromised it... It's like needing the root password to install a keylogger that will be used to steal the root password... – ThoriumBR Feb 21 '19 at 10:23
3

@Xen2050 You'll no doubt be unsurprised to learn that this already happens: https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden – James_pic Feb 21 '19 at 12:02
I was thinking more along the lines of sabotaging or blocking your internet access upstream from you, or a subtle attack, so a reasonable troubleshooting step would be to try another router, but they haven't actually compromised your old router. – Xen2050 Feb 21 '19 at 12:08
1

@James_pic Interesting, and that was in a 2010 report too. That's almost exactly what the OP is concerned about, except instead of "used router" it's almost "any router from another country" – Xen2050 Feb 21 '19 at 12:14
1

@hft I might not be that interesting myself, but I work for people who _are_ that interesting. – Michael Hampton Feb 23 '19 at 23:51
A lot of people talks about a "evil organization". But the thing is, what if someone wants to just use a router as a bot (DDOS) or use your identity. – DxTx Feb 24 '19 at 05:11
1

@DT in this case, there are countless easier and cheaper ways to use a system as a zombie or steal an identity. Phishing is the easiest way - capable of targeting countless victims, with low effort. Disassembling a router, modifying its hardware, returning as an openbox? How would it scale? – ThoriumBR Feb 24 '19 at 13:39

score 24 · Answer 2 · answered Feb 19 '19 at 17:30

24

The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.

You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.

But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.

Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.

answered Feb 19 '19 at 17:30

schroeder

123,438
55
284
319

1

what about downloading a new firmware from the router's support site (rather than openWRT)? – dandavis Feb 19 '19 at 17:35
4

If there is one available from the router's manufacturer, it should be the preferred one! – CyberDude Feb 19 '19 at 18:04
1

Sure, if available. – schroeder Feb 19 '19 at 18:08
1

Given how common authenticated command injection / code execution (eg via firmware update, or just bad coding) attacks are in routers, I'm not sure if checking for hardware tampering is enough. And if an attacker has tampered with the firmware, they should be able to fake any firmware update, or place a backdoor in any newly installed firmware. For an update via web interface of the router, this should be trivial, for an update via serial interface or firmware reset probably a bit more difficult (though I'm not sure how much more; if you could add more info about this, that would be great). – tim Feb 19 '19 at 20:57
"...you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with..." I'm curious to know what physical signs I'd see in the case to know that the firmware (software) had been changed in any way. I've updated firmware on a couple of routers and even installed DD-WRT - I never opened the router case, and to the best of my knowledge, it left no physical evidence behind. What did I miss? – FreeMan Feb 20 '19 at 14:47
1

@FreeMan that's if you are using the software update feature, which, if compromised, is not the most secure route. If the hardware was directly accessed, there should be signs. – schroeder Feb 20 '19 at 14:51
How can passwords be exposed if they are SSL encrypted at the client? – Jean Jul 19 '20 at 15:57
@Jean if the router is working as a mitm, it can break SSL. – schroeder Jul 19 '20 at 15:59
@Jean please look up mtim ssl interception. There are lots of different ways to do it and lots of protections against it. I am not going to outline it all here. – schroeder Jul 20 '20 at 13:29

score 18 · Answer 3 · answered Feb 19 '19 at 19:55

By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.

Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.

Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.

score 8 · Answer 4 · answered Feb 20 '19 at 10:56

In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.

I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.

But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.

Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).

And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.

"and a physical button probably also just sends a signal to the current firmware" - usually there is reset button to enter in boot loader mode and load new fw then. If after such preinstall the GUI shows new system, you can suppose that it is upgraded. You can then make second re-install. It will be too hard to prepare special firmware which can patch any possible alternative firmware at flash time and make it both running and ready to fix/crack next update. — i486, Feb 21 '19 at 14:13

score 7 · Answer 5 · answered Feb 20 '19 at 09:49

7

What are the main risks in this scenario?

I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.

answered Feb 20 '19 at 09:49

Sjoerd

28,707
12
74
102

1

You mean website logins & passwords? Saved cookies? How & where do routers save those? – Xen2050 Feb 21 '19 at 03:05
1

I mean dyndns, SMTP and ISP accounts that were configured previously in the router web interface. – Sjoerd Feb 21 '19 at 07:09
2

IPSEC VPN secrets, or design knowledge about the site where the device was formerly deployede like IP ranges and gateways and where timeservers or printers are addressed, or what VLANs might be configured on site. – Criggie Feb 22 '19 at 03:41

score 6 · Answer 6 · answered Feb 20 '19 at 13:53

If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.

Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.

score 3 · Answer 7 · answered Feb 22 '19 at 03:39

Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.

Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.

score 2 · Answer 8 · answered Feb 23 '19 at 20:50

2

As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.

answered Feb 23 '19 at 20:50

Yury Schkatula

181
1
2

1

Agreed. Since most routers don't get updates when their CVE's or factory backdoors are discovered, any older router is probably unsafe even if it was kept in a sealed box. – user185953 Sep 06 '19 at 10:32

score 1 · Answer 9 · answered Feb 24 '19 at 05:08

Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.

You need to open the router before using it.

If you see something like this...

...then chances are someone could easily sniff your Ethernet packets with one of these:

Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.

If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.

I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.

It would be pretty easy to compromise a router without a hardware implant. — forest, Feb 24 '19 at 05:56

Buying a "Used" Router

9 Answers9

You need to open the router before using it.

Linked

Related