Used IoT may seem like a good idea, but tread with care

The market for used connected devices is one place to get a smart product at a bargain price, but the pennies you save may not be worth the potential trouble you could expose yourself to. Buying from unauthorized distributors or even users who appear to no longer want the product comes with the potential risk of getting a hacked device.

When you purchase a smart device through an official distribution channel you are the first person to unbox it and the first to customize settings and enter your personal information. Only the original buyer has this privilege.

Any security professional can tell you that an attacker with physical access to an electronic device will find a way to compromise it. Recent research showed how hackers can pluck passwords from hardware memory in less than two minutes. Security experts even managed to bend to their will the functionality of a hardware cryptocurrency wallet.

In a similar way, a crooked vendor could use consumer-to-consumer selling websites to peddle compromised IoT devices that collect information from their owners, scan the local network for vulnerable gadgets, or spy on the household. Such ascenario is particularly worrisome in the case of routers, which typically connect all smart devices in the house.

Hackers have plenty of options to choose from to compromise smart gadgets. A botnet malware discovered by Bitdefender earlier this year now has the capability to infect routers and persist beyond reboots.

Hackers can successfully bug vulnerable devices, repackage them to look like new and sell them at a lower price.

It may seem far-fetched but there are real-world examples where the previous owner continued to be able tocontrol a smart device even after they sold or passed them to a new owner. Last year, one person who had recently moved to a new home kept trying to use the app on his phone to turn the heat up, to no avail. He later discovered that the mobile app controlled the heat in his former home.

 Some car owners may continue to have access to a smart vehicle they traded in or sold because the dealer failed to disable their account. In one instance, a researcher could see the location of his previous car, control the climate and navigation, and even unlock it, two years after he traded it in.

To reduce the risk of ending up with a tampered device when buying it used, always make sure that its settings can return to factory defaults, so you can start configuring it from scratch.

Image credit: geralt