Slashdot Mirror


Think Twice About Buying Internet-connected Devices Off Ebay (qz.com)

If you're thinking about buying gadgets from auction sites such as Ebay, you will want to consider the potential risks. From a report: When you're buying from a third-party seller, it's a lot more difficult to tell where products have come from, whether you're getting exactly what you think you're getting, and if anything has been done to the product since it was manufactured. "It is possible for internet-connected devices to be tampered with and resold on the web," Leigh-Anne Galloway, lead cybersecurity resilience analyst at the cybersecurity firm Positive Technologies, told Quartz. "It's similar to buying a secondhand cellphone without it being restored to factory settings." In fact, buying a second hand gadget can potentially expose the user to some pretty extreme scenarios. "Cameras and IoT devices can contain spyware and malware, which can cause a plethora of problems for the user," Galloway added. "These devices could possibly listen to you, watch your every step, communicate with and attack other devices connected to the same local network, such as PCs, laptops, and TVs." Galloway said devices could also be used to perform botnet attacks -- where an unsecured internet-connected device is accessed by another computer and used along with other breached devices to take down websites or internet services, as what happened with the Mirai botnet attack in 2016.

  1. I would argue it's not just Ebay by acoustix · · Score: 4, Informative

    It's all devices. Hell, most of them are designed to spy on the users. Do you trust anything coming from China?

    The sad fact is you've already agreed to be spied on when you agree to use almost any Internet connected device. There's really nothing that changes with this article.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
    1. Re:I would argue it's not just Ebay by Baron_Yam · · Score: 4, Informative

      >Do you trust anything coming from China?

      Yes. The Chinese have no interest in spying on the average consumer in the West. If I held a security-sensitive position in government, I'd be more concerned, but I don't so I'm not.

      And ultimately if I buy a domestic product I have to be concerned about domestic spying, which is more likely to directly affect me.

    2. Re: I would argue it's not just Ebay by Anonymous Coward · · Score: 4, Insightful

      The Chinese have an interest in spying on everybody, all of the time.

    3. Re: I would argue it's not just Ebay by Opportunist · · Score: 3, Insightful

      Every corporation has an interest in spying on everyone, all the time. Data is money.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:I would argue it's not just Ebay by SethJohnson · · Score: 4, Interesting

      The Chinese have no interest in spying on the average consumer in the West.

      Let's ignore the traditional image of foreign agents conducting espionage and think more about what could be gained by operating a beachhead device inside a random US home.

      1. Botnet participant can be used for DDoS attacks on government and corporate entities.

      2. Automated network snooping can exploit vulnerabilities to compromise network routers.

      3. With network router compromised, MITM attacks can inject malware and gather remote credentials to other services. This can grow the botnet population and compromise additional devices on remote networks. MITM attack enables automated identity theft to erode American economic stability.

      The identity theft part highlights the probability that these trojan devices can very well be controlled by criminal elements rather than state actors. Cryptoviruses and blackmail can be implemented thanks to such compromised IoT devices.

    5. Re:I would argue it's not just Ebay by Rei · · Score: 2

      Wonder if you could pull off TEMPEST in a consumer electronics-sized device. That would lead to some seriously concerning possibilities.

      --
      "This wallpaper is killing me. One of us has got to go." -- Oscar Wilde on his deathbed
    6. Re:I would argue it's not just Ebay by Baron_Yam · · Score: 1

      However, these risks (from my perspective, not the state's) remain the same regardless of where the device is manufactured.

      Do I care whether it's USA or China that has the original back door on my device? If I trusted one more than the other not to compromise my device at the factory, I'd preferentially buy from them. I trust neither.

    7. Re: I would argue it's not just Ebay by mccrew · · Score: 4, Insightful

      yeah? why is that?

      Because you don't always know ahead of time what will turn out to be valuable. So the standard operating procedure these days is to collect everything. Over time, historical data becomes valuable as well.

      --
      Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
    8. Re:I would argue it's not just Ebay by Moof123 · · Score: 1

      I'd argue that in >95% of cases there is no point to making most widgets internet connected or "smart" in the first place. I'm still in awe that anyone ever wasted money on a web connected fridge. WTF?

      Sadly, many of these widgets have been designed to be badly hobbled or non-functional if they are NOT connected to servers via the internet. I see orphaning of products as a real scourge on the world. Widgets that used to last a decade or more are now "smart", but useless after a year or three when the company loses interest or dies and shuts down its servers, or when some giant security exploit comes out after the support life has ended.

    9. Re:I would argue it's not just Ebay by stooo · · Score: 1

      >> Then, please, by all means do explain the sheer number of stories we've seen about Chinese products

      Bad Press.
      Also called propaganda.

      --
      aaaaaaa
    10. Re:I would argue it's not just Ebay by wyHunter · · Score: 1

      Indeed. My statement would be "Do not buy internet connected devices." meaning, of course, thermostats etc. as computers with internet connections are by design and are typically shut off when not in use.

  2. As Nietzsche once said by Clueless+Nick · · Score: 4, Insightful

    When you gaze long into an abyss, the abyss also gazes into you.

    So, when you buy that spycam, be informed that it might also be spying on you.

    --
    Chat with other atheists http://secularchat.org
  3. Ha, haa, I am safe. by 140Mandak262Jamuna · · Score: 4, Funny

    I always buy in Alibaba, some Russian named seller in a Bulgarian store fulfills my Alibaba order that gets shipped straight from China.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. Any trust in eBay for last 10 years? by thebes · · Score: 1

    Has anyone really trusted eBay in the last 10 years, electronic device or not?

  5. Shouldn't it be four? by Hognoxious · · Score: 1

    You should think twice before buying any internet connected device, and twice again before buying anything of Alleybobo. By my reckoning that's four times - at least.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  6. So what, are we new or something? by drinkypoo · · Score: 2

    Show of hands, who here doesn't immediately reflash everything with updatable firmware? Usually there's an update anyway, by the time you get it in your hot little hands.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:So what, are we new or something? by demonlapin · · Score: 1

      Yeah, pretty much a wasted story here. Could be useful on more mainstream sites, but anyone who's still hanging around here knows this kind of stuff.

  7. Why single out EBay? by Opportunist · · Score: 1

    ANYTHING you buy that connects to the internet should first and foremost go through a thorough audit. You and your habits are marketable data, being able to get that for free AND make you pay for it ... And you don't even get a (fire)wall out of it.

    But seriously. You shouldn't trust ANY device that gets hooked to the internet. Even and especially when it is from a "reputable" hardware manufacturer. All that means is that they're more likely to be longer in business to siphon your data.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Think twice about buying internet-connected device by edtice1559 · · Score: 2

    Fixed the summary for you. Even if you can get an internet-connected device that doesn't tout spying as a feature, the supply chain is full of counterfeits and tampered items.

  9. On the other side... by LordHighExecutioner · · Score: 1, Offtopic

    ...IoT devices you buy at Amazon, Walmart and similar places are 100% safe, NSA approved.

  10. Good Advice but No DATA !!! by martiniturbide · · Score: 2

    The warning and the advice are good, but Leigh-Anne Galloway (and the article author) provide no data on whether that is happening or not. It would be interesting to know that from 10 devices bought X came with modified firmware with spyware. But no data is provided.

  11. Fixed it for you by Whatsmynickname · · Score: 1

    Think Twice About Buying Anything Off Ebay

  12. Wrong privacy violation by freeze128 · · Score: 1

    "It's similar to buying a secondhand cellphone without it being restored to factory settings". Well, if that happens, it's not MY data that is at risk, but the data of the previous owner. I can easily reset it to factory defaults, and maybe flash the firmware.

    1. Re:Wrong privacy violation by Thor+Ablestar · · Score: 1

      It should be not too difficult to use any cellular modem or modem module and a simple microcontroller that issues the AT-commands to the modem. As a bonus, you should be able to obtain some status info in order to detect the stingrays.

      You cannot trust even the open OS. You cannot trust ANYTHING that could be changed without a hardware programmer, but the ability to load some commercial programs is the thing that makes a piece of hardware a smartphone. Either you retain this ability or you should rewrite all the ecosystem from scratch.

  13. Or newegg? by RobinH · · Score: 3, Interesting

    I was looking at a cheap Mini PC, labeled an "industrial PC" on Newegg, from a Chinese seller, obviously, and the one review said the version of Windows pre-installed was pirated, and there was software installed that simulated the license authentication, but as soon as you installed anti-virus it would detect that software and quarantine it, and then your Windows copy realizes it's a pirated copy. Caveat emptor.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  14. All fluff by TheInternet01 · · Score: 1

    So many devices, no matter where you buy them, have 'security flaws' and are at risk of exposing sensitive data or spying etc etc.

    This sounds more like "Oh god, instead of us buying it from China for 10$ then selling it in north america for 110$, people are directly buying it for 10$" Ah noooo what do we do!

    Just sounds like a campaign to try to convince people to pay higher prices.

    --
    Uplink Hosting - Web/email at an affordable price with high performance - https://uplinkhosting.ca/link.php?id=3
  15. Let me fix that headline for you: by Rick+Schumann · · Score: 2

    "Think twice about buying ANY Internet-connected devices, from ANYWHERE"

  16. USA by stooo · · Score: 2

    >Do you trust anything coming from USA ?
    Hell No.

    --
    aaaaaaa
  17. Re:Clear this up for me. by Thor+Ablestar · · Score: 1

    You should be worried about at least 3 things: 1) Intel Management Engine that could be present in some Intel-based books, 2) Something inside a BIOS, for instance a theft prevention mark that is automatically recognized by Windows (Have forgotten the exact name). I have such a Thinkpad and just don't care since I don't use Windows and have a proof of purchase, 3) BIOS password which in Thinkpads is NOT erased by CMOS battery removal.

  18. HP by stooo · · Score: 1

    >> NSA approved vendors.
    Like HP ?

    HAHAHAHAHAHAHA
    Backdoors included.

    --
    aaaaaaa
  19. Re:Think twice about buying internet-connected dev by thegarbz · · Score: 1

    Fixed the summary for you. Even if you can get an internet-connected device that doesn't tout spying as a feature, the supply chain is full of counterfeits and tampered items.

    There is one key benefit. With counterfeits and tampered items it is likely they may have broken the spying features.

  20. Check sources by spinitch · · Score: 1

    There are reputable sellers from US companies like trade-in companies and phone insurance companies that refurbish and resell devices on eBay vs wholesale. An unknown seller might tamper with a device but iPhones are harder for spyware. Non-authentic parts such as a knock-off cheaper battery could also be a concern. Apple CPO = Certified Previous Owned, which are supposed to be from certified Apple supply chain partners. Buying from Apple or carriers, while it might be more expensive, carries lower risk of unauthorized parts or spyware / malware.

  21. Re:NEVER use an Android phone on WIFI by Swave+An+deBwoner · · Score: 1

    My ROKU remote app would disagree with you but it's too busy watching Netflix.

  22. Re:General public maybe, but... by drinkypoo · · Score: 1

    The problem with finding pr0n on cheap computers is that it's usually old, and thus low-bitrate... I mean, music.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  23. Re:Ebay? by infolation · · Score: 1

    You had me at 'Think'.

  24. -o- by easyTree · · Score: 1

    When you're buying from a third-party seller, it's a lot more difficult to tell where products have come from, whether you're getting exactly what you think you're getting, and if anything has been done to the product since it was manufactured. "It is possible for internet-connected devices to be tampered with and resold on the web,

    These devices could possibly listen to you, watch your every step, communicate with and attack other devices connected to the same local network, such as PCs, laptops, and TVs."

    Thanks for the warning. It *is* quite concerning that someone other than Google/Facebook/Apple/Amazon/NSA/<otherGiantCorp> might be listening. Quite concerning indeed. One would never know what *those* unscrupulous actors might do with one's data.