Think Twice About Buying Internet-connected Devices Off Ebay

If you're thinking about buying gadgets from auction sites such as Ebay, you will want to consider the potential risks. From a report: When you're buying from a third-party seller, it's a lot more difficult to tell where products have come from, whether you're getting exactly what you think you're getting, and if anything has been done to the product since it was manufactured. "It is possible for internet-connected devices to be tampered with and resold on the web," Leigh-Anne Galloway, lead cybersecurity resilience analyst at the cybersecurity firm Positive Technologies, told Quartz. "It's similar to buying a secondhand cellphone without it being restored to factory settings." In fact, buying a second hand gadget can potentially expose the user to some pretty extreme scenarios. "Cameras and IoT devices can contain spyware and malware, which can cause a plethora of problems for the user," Galloway added. "These devices could possibly listen to you, watch your every step, communicate with and attack other devices connected to the same local network, such as PCs, laptops, and TVs." Galloway said devices could also be used to perform botnet attacks -- where an unsecured internet-connected device is accessed by another computer and used along with other breached devices to take down websites or internet services, as what happened with the Mirai botnet attack in 2016.

I would argue it's not just Ebay

[acoustix]

It's all devices. Hell, most of them are designed to spy on the users. Do you trust anything coming from China?

The sad fact is you've already agreed to be spied on when you agree to use almost any Internet connected device. There's really nothing that changes with this article.

Re:I would argue it's not just Ebay

[Baron_Yam]

>Do you trust anything coming from China?

Yes. The Chinese have no interest in spying on the average consumer in the West. If I held a security-sensitive position in government, I'd be more concerned, but I don't so I'm not.

And ultimately if I buy a domestic product I have to be concerned about domestic spying, which is more likely to directly affect me.

Re: I would argue it's not just Ebay

The Chinese have an interest in spying on everybody, all of the time.

Re: I would argue it's not just Ebay

[Opportunist]

Every corporation has an interest in spying on everyone, all the time. Data is money.

Re:I would argue it's not just Ebay

[SethJohnson]

The Chinese have no interest in spying on the average consumer in the West.

Let's ignore the traditional image of foreign agents conducting espionage and think more about what could be gained by operating a beachhead device inside a random US home.

1. Botnet participant can be used for DDOS attacks on government and corporate entities.

2. Automated network snooping can exploit vulnerabilities to compromise network routers

3. With network router compromised, MITM attacks can inject malware and gather remote credentials to other services. This can grow the botnet population and compromise additional devices on remote networks. MITM attack enables automated identity theft to erode American economic stability.

The identity theft part highlights the probability that these trojan devices can very well be controlled by criminal elements rather than state actors. Cryptoviruses and blackmail can be implemented thanks to such compromised IOT devices.

Re:I would argue it's not just Ebay

[Rei]

Wonder if you could pull off TEMPEST in a consumer electronics-sized device. That would lead to some seriously concerning possibilities.

Re: I would argue it's not just Ebay

[mccrew]

yeah? why is that?

Because you don't always know ahead of time what will turn out to be valuable. So the standard operating procedure these days is to collect everything. Over time, historical data becomes valuable as well.

As Nietzsche once said

[Clueless+Nick]

When you gaze long into an abyss, the abyss also gazes into you.

So, when you buy that spycam, be informed that it might also be spying on you.

Ha, haa, I am safe.

[140Mandak262Jamuna]

I always buy in Alibaba, some Russian named seller in a Bulgarian store fulfills my Alibaba order that gets shipped straight from China.

So what, are we new or something?

[drinkypoo]

Show of hands, who here doesn't immediately reflash everything with updatable firmware? Usually there's an update anyway, by the time you get it in your hot little hands.

Think twice about buying internet-connected device

[edtice1559]

Fixed the summary for you. Even if you can get an internet-connected device that doesn't tout spying as a feature, the supply chain is full of counterfeits and tampered items.

Good Advice but No DATA !!!

[martiniturbide]

The warning and the advice is good, but Leigh-Anne Galloway (and the article author) provides no data if that is happening or not. It would be interesting to know that from 10 devices bought X came with modified firmware with spyware. But no data is provided.

Or newegg?

[RobinH]

I was looking at a cheap Mini PC, labeled an "industrial PC" on newegg, from a Chinese seller, obviously, and the one review said the version of windows pre-installed was pirated, and there was software installed that simulated the license authentication, but as soon as you installed anti-virus it would detect that software and quarantine it, and then your windows copy realizes it's a pirated copy. Caveat emptor.

Let me fix that headline for you:

[Rick+Schumann]

"Think twice about buying ANY Internet-connected devices, from ANYWHERE"

USA

[stooo]

>Do you trust anything coming from USA ?
Hell No.