If a piece of smart home equipment doesn’t fit your needs, that doesn’t imply someone else won’t want it, and it’s quite reasonable to try to sell it on eBay or Craigslist. You may also save money and keep a piece of smart home equipment out of the garbage by buying it used on an online marketplace.
A quick search for “Amazon Echo” on eBay revealed almost 1,200 secondhand Echo units for sale. Similarly, a search for “Google Nest Thermostat” yielded over 250 listings for used Nest thermostats. It appears to be a perfect fit. Buying and selling old smart home equipment, however, is not without danger.
Here Are a Few of the Consequences of Purchasing Used Smart Home Devices
The Dangers of Purchasing Used Smart Home Technology
It seems like every week there are new headlines about bad actors breaking into a business through the internet to install ransomware, steal passwords, steal confidential patient medical information, and more. The focus on attacking businesses is obvious. Even though it can take an extensive amount of time and effort to break into a company through its internet connection, a single hack can generate millions of dollars in revenue for the individuals perpetrating the attack. An attack on the average home isn’t likely to generate nearly the same amount of money. However, as business defenses against hacking get more and more sophisticated, it won’t be long before the average homeowner becomes a target.
Attacking a house via the homeowner’s broadband internet connection is generally not a good investment for criminal actors unless they know the homeowner has a lot of money. As a result, a new technique in which several individuals may be hacked at the same time would make a lot more sense.
According to Mike Dow, senior product manager of IoT Security at Silicon Labs, “Every IoT device has vulnerabilities. With physical access to a device, enough time, and the right skill set, these vulnerabilities can be uncovered and exploited to install malicious software on the device.” Once a bad actor has figured out how to hack a given device, they can easily repeat that attack on as many of those devices as they want.
It’s not difficult to imagine unscrupulous actors purchasing secondhand smart home equipment, infecting it with malicious software, then reselling it to naïve users. They may simply repeat this procedure hundreds or even thousands of times, quickly recouping their initial investment in learning how to hack an IoT device.
Homeowners may not even know that the IoT device they have installed in their homes has been hacked. For example, it could just be that crypto mining software was installed on the device. In this case, the homeowner’s electric bill may go up a few cents, the bandwidth of their internet connection may go down a little, and they may be able to stream a little less video before hitting their ISP’s data cap. So, for the most part, the infection is pretty benign.
Homeowners aren’t the only ones at risk. According to Mike Dow, “A bad actor that perfects this kind of attack could blackmail the IoT device’s manufacturer to keep the hack from being used on homeowners or released on the dark web for other bad actors to use.” Either of these scenarios could give the manufacturer a bad reputation in the eyes of the public, potentially costing them millions of dollars in lost sales.
Selling a secondhand IoT gadget comes with its own set of dangers. “The main issue with selling a used IoT device is that in many cases the device will still contain sensitive information from the original owner, such as the Wi-Fi SSID and network credentials that can be used by an attacker to gain access to the original owner’s data,” says Brent Wilson, director of applications engineering at Silicon Labs.
What can manufacturers do to help?
Again, according to Wilson, the best way to keep a product from becoming infected with malware is for manufacturers to implement a secure boot process that only executes software that has been signed by the manufacturer. If malware is installed on the device, it will become “bricked.”
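The signed-software check described above, as an added example that is not from the article or from Silicon Labs: the manufacturer signs a SHA-256 digest of the firmware image, and the device holds only the public key and refuses to run an image whose signature does not verify. The key, the function names and the sample image are assumptions made for illustration; the key is built from well-known primes so the code runs without a crypto library and must not be used for anything real.

```python
import hashlib

# Constructed demo key built from two publicly known Mersenne primes.
# NOT secure: it only lets the example run offline without a crypto library.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                  # public key, fixed in the device's boot ROM
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private key, never leaves the manufacturer
K = (N.bit_length() + 7) // 8          # signature length in bytes

# DigestInfo prefix for SHA-256 from RSASSA-PKCS1-v1_5 (RFC 8017)
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(image: bytes) -> int:
    """Build the padded SHA-256 digest block that is signed and compared."""
    t = _SHA256_PREFIX + hashlib.sha256(image).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def manufacturer_sign(image: bytes) -> bytes:
    """Runs at the factory or build server, where the private key lives."""
    return pow(_encode(image), _D, N).to_bytes(K, "big")


def boot_rom_verify(image: bytes, signature: bytes) -> bool:
    """Runs on the device: needs only the public key (N, E)."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    # Re-encode the image about to run and compare it with the opened signature.
    return s < N and pow(s, E, N) == _encode(image)


def boot(image: bytes, signature: bytes) -> str:
    """Refuse to execute anything the manufacturer did not sign."""
    return "BOOT" if boot_rom_verify(image, signature) else "HALT"


if __name__ == "__main__":
    firmware = b"thermostat-fw v1.0 (constructed sample image)"
    sig = manufacturer_sign(firmware)
    print(boot(firmware, sig))                  # image as shipped
    print(boot(firmware + b" + implant", sig))  # image modified after signing
```

A modified image would need a new signature, and producing one requires the private key that only the manufacturer holds.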
Another option is for manufacturers to make it extremely difficult for a bad actor to infect a device with malware and then pass it on to someone else without them realizing the device has been tampered with. For example, if the casing of an IoT device was built in such a manner that it had to be physically damaged in order to reach the circuitry within the device, it couldn’t be resold once the circuitry had been accessed.
A third alternative, according to Dow, would be “for manufacturers to include anti-tamper circuitry in the device as is done with point-of-sale terminals to keep thieves from stealing financial information. If the enclosure of the point-of-sale terminal is breached, then an anti-tamper circuit is activated, and it destroys the circuitry of the terminal, making it useless for thieves.”
Unfortunately, some of the above options would go against the idea that people have a “right to repair” their electronic devices. So, there is a tradeoff between the security and repairability of an IoT device.
What Steps Should Homeowners Take?
If you plan to sell a used IoT device, you should learn how to factory reset the device and follow the manufacturer’s instructions to ensure that all of your personal data is erased. If this information is not provided in the instruction manual, you will need to contact technical support for advice on how to proceed.
You should also check with technical support to be sure that a factory reset would remove all of your personal data from the device’s memory. If the manufacturer’s technical support staff cannot give instructions on how to factory reset the device and guarantee that all of your personal data will be erased during the process, it is not worth the risk of selling the device to an untrustworthy third party.
Homeowners also need to be aware of the risks of buying used IoT devices. Saving a few dollars by purchasing a used IoT device may end up costing much more than the device’s full retail price.
Residential-grade security appliances can help identify infected IoT devices in a home. For example, the Firewalla security appliance will send a notification to a homeowner whenever it detects an abnormal data upload by an IoT device on a homeowner’s network. While it may be totally normal for a security camera to upload video to a cloud service so it can be viewed in an app on a smartphone, an upload to an eastern European country by a used smart thermostat may be a warning of a significant issue.
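One way such an abnormal-upload check can work, as an added example that is not Firewalla's code or algorithm: learn each device's usual daily upload volume and destination countries, then flag uploads to a destination the device has never used or a daily total far above its baseline. The flow records, the "XX" country placeholder, the thresholds and the function names are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, device, destination country, bytes uploaded)
BASELINE = [
    (1, "camera", "US", 900_000_000), (2, "camera", "US", 1_100_000_000),
    (3, "camera", "US", 1_000_000_000),
    (1, "thermostat", "US", 40_000), (2, "thermostat", "US", 55_000),
    (3, "thermostat", "US", 45_000),
]
TODAY = [
    (4, "camera", "US", 1_050_000_000),    # heavy, but normal for a camera
    (4, "thermostat", "US", 50_000),
    (4, "thermostat", "XX", 250_000_000),  # "XX": a country never seen before
]


def learn(flows):
    """Per device: mean and std-dev of daily upload bytes, plus known destinations."""
    daily = defaultdict(lambda: defaultdict(int))
    countries = defaultdict(set)
    for day, dev, cc, up in flows:
        daily[dev][day] += up
        countries[dev].add(cc)
    return {dev: (mean(d.values()), pstdev(d.values()), countries[dev])
            for dev, d in daily.items()}


def detect(profile, flows, sigmas=3.0, floor=1_000_000):
    """Return alerts for one day of flows; `floor` suppresses tiny transfers."""
    alerts, totals = [], defaultdict(int)
    for _, dev, cc, up in flows:
        totals[dev] += up
        if dev not in profile:
            alerts.append((dev, "unknown-device", cc))
        elif cc not in profile[dev][2] and up >= floor:
            alerts.append((dev, "new-destination", cc))
    for dev, total in totals.items():
        if dev in profile:
            mu, sd, _ = profile[dev]
            if total > max(mu + sigmas * sd, floor):
                alerts.append((dev, "volume", total))
    return alerts


if __name__ == "__main__":
    for alert in detect(learn(BASELINE), TODAY):
        print(alert)
```

The camera's gigabyte-scale upload raises nothing because it matches its own history, while the thermostat is flagged twice: once for the new destination and once for the volume.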
Both homeowners and manufacturers are at risk when old smart home equipment is bought and sold. While used IoT devices aren’t currently being exploited by bad actors to enter home networks, it’s only a matter of time until they are.