
I saw a refurbished router on sale on Amazon for a good price and wanted to buy it.

How likely is it that someone could buy these routers, install a custom firmware with spyware? I know spyware has gotten advanced enough that it can mimic the router's auto updater, override the factory reset button with a fake dialog and mimic the "Load firmware from disk" in order to keep the original, spyware version on. Because of this I'm worried there would be no way for me to do a proper factory reset or load a clean firmware from the manufacturer's (Netgear) website.

Am I being paranoid? Does this advanced spyware exist for firmware on routers that can mimic/disable/spoof the auto-updater/factory reset/load from disk features?

Edit: For those linking "Buying a 'Used' Router": I read that question before asking mine. That question's answer simply says to do a factory reset, but they don't touch on how more advanced spyware can override the factory reset flow, thus giving the user the belief a factory reset was performed when in reality the router still has the infected spyware. I've seen spyware that mimics the Windows Update flow and other OSes' update/factory reset flows, so I was wondering if it could happen with firmware on a router.

Meyer Denney
  • I'm pretty certain they do exist, I just don't think they are easily accessible for non-state sponsored attackers. See https://security.stackexchange.com/a/203863/ – nobody Sep 20 '20 at 16:58
  • @nobody - thanks, reading that post you linked is actually what brought me to this forum. Since that question was about used routers I figured it was a tiny bit different. My concern is a group of hackers could buy tons of routers off Amazon, install the spyware and return them all. A couple months later, after the manufacturer deems them to be functional, they get resold and now the hackers have access to the router. – Meyer Denney Sep 20 '20 at 17:02
  • @ThoriumBR - thanks, user "nobody" linked that question as well. That question's answer just says "do a factory reset" but spyware has become so advanced that it can mimic/override/disable factory reset and update buttons. My concern is a group could buy tons of routers from Amazon, install spyware, return them and those routers get re-sold as refurbished items. If the spyware mimicked the factory reset flow without actually resetting to factory defaults, the router would still be infected. – Meyer Denney Sep 20 '20 at 17:49
  • As my answer says, that involves buying A LOT of routers at full price, installing very expensive exploits/backdoors on all of them, and selling them all at half price hoping someone interesting buys them. The *return on investment* is abysmal... There are cheaper and more efficient ways to hack someone. – ThoriumBR Sep 20 '20 at 18:24
  • @ThoriumBR - that is why I posted this question. The question you linked was about buying used routers; this is about buying refurbished routers. The reason I included the word "refurbished" in the title of my question is because I already read the other question about "used" routers, including your answer there, but this is a different scenario. Amazon's return policy allows someone to buy a bunch of routers and return them for a full refund, thus the cost factor you mentioned doesn't apply here. – Meyer Denney Sep 20 '20 at 20:38
  • The scenario is not that different (the linked answer is mine too). Imagine buying 100 thousand routers, backdooring each one, returning all of them, having the factory refurbish them, and expecting your intended target to have issues with his current router, go to any site (physical or virtual), and buy one of the routers you tainted. How probable is this? Now imagine knowing your target, and hacking his current router. Easier or harder? You may buy millions of dollars in routers and your target may not even buy a router in a decade. Used or refurbished changes nothing. – ThoriumBR Sep 20 '20 at 21:56
  • To be safe you could go ahead and flash the newest firmware on it from the manufacturer anyway. It may also fix security issues which would be more likely than the supply chain attack you've mentioned. If you want to be extremely paranoid, perhaps you could find a picture of the board and compare it to yours. – Saustin Sep 20 '20 at 22:37

1 Answer


How likely is it that someone could buy these routers, install a custom firmware with spyware?

I think no exact answer can be given, but there are several factors which might be relevant to decide if one can trust such an offer or not.

Given that the potentially untrustworthy seller knows who the recipient of the router is, it is possible that they will install a custom firmware on it to attack this specific recipient. It is less likely that this will be some generic attack which gets installed on many systems, because such an attack is much more likely to get publicly known (and thus made unusable for future attacks) since somebody will eventually stumble over suspicious traffic.

Given that creating a custom image specific to a single target is costly, the target needs to be worth it. If you are worth it as the victim of a targeted attack, you probably know best.

Other factors which might hinder the installation of custom firmware can be the use of signed firmware by the original vendor. Whether this is done depends on the vendor. And it might not necessarily make it impossible, only significantly harder and thus more costly.

Apart from that, it might be easier for an attacker to use a security issue or backdoor in the original firmware of the vendor as a way into your network. It is unfortunately not uncommon that devices are sold with such vulnerabilities - see routersecurity.org for more details.

Steffen Ullrich
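To illustrate the signed-firmware point in the answer above (and why a vendor-signed image is worth flashing, as the last comment suggests), here is an added example that is not from the original post or from any vendor: a hash-based (Lamport) one-time signature, chosen because it needs only the Python standard library. Real vendors use RSA or ECDSA, but the bootloader's check has the same shape: recompute the image digest and verify it against the baked-in vendor public key, so a modified image, or one signed with anyone else's key, is rejected. The image bytes and keys are constructed here for the demo.

```python
import hashlib
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    # Lamport one-time key: 256 pairs of random secrets; the public key is
    # the hash of each secret. Each key must sign exactly one image.
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, image: bytes) -> list:
    # Reveal one secret per bit of the image digest.
    bits = int.from_bytes(_h(image), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, image: bytes, sig: list) -> bool:
    # What a signature-checking bootloader does: hash the image it is about
    # to run and check every revealed secret against the trusted public key.
    if len(sig) != 256:
        return False
    bits = int.from_bytes(_h(image), "big")
    return all(_h(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


# Constructed sample: the "vendor" key is what the bootloader trusts.
VENDOR_SK, VENDOR_PK = keygen()
GENUINE_IMAGE = b"example-fw v1.0 " + bytes(range(64))  # constructed image
GENUINE_SIG = sign(VENDOR_SK, GENUINE_IMAGE)


def demo():
    """Return (genuine_ok, tampered_ok, resigned_by_other_key_ok)."""
    tampered = bytearray(GENUINE_IMAGE)
    tampered[40] ^= 0x01                      # a single-bit modification
    tampered = bytes(tampered)
    other_sk, _ = keygen()                    # a key the bootloader does not trust
    resigned = sign(other_sk, tampered)
    return (
        verify(VENDOR_PK, GENUINE_IMAGE, GENUINE_SIG),
        verify(VENDOR_PK, tampered, GENUINE_SIG),
        verify(VENDOR_PK, tampered, resigned),
    )


if __name__ == "__main__":
    print(demo())
```

Only the first result is True: a modified image fails against the original signature, and re-signing it with a key the bootloader does not trust fails as well.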