Used IoT may be a bargain not worth the risk

Media reports typically refer to supply-chain attacks as a sophisticated threat vector that skilled adversaries use to compromise a high-value target. Things are not always so advanced though, and certain consumers and small businesses can also fall victim to this sort of attack when they buy used connected electronics.

At the DefCamp security conference in Bucharest earlier this month, security researcher Arun Mane showed how hardware implants can be installed on DVR/NVR (digital/network video recorder) devices. He mentioned multiple variants of hardware attacks and technical details for planting cheap components that enable a backdoor on the system.

For his prototype, Mane used a Raspberry Pi mini-computer, a GSM/GPRS module, and a SIM card – all small enough to fit in a DVR/NVR system and be installed inconspicuously. These components are readily available for about €30, though there are solutions for a cheaper setup.

Of course, pulling off such an attack requires technical knowledge of hardware hacking, but it is nowhere near the advanced level users may think. Even more, the internet provides plenty of information and tutorials on the topic to help overcome any hurdles.

With his version of hardware implant, Mane was able to send commands to the surveillance system through the Raspberry Pi and get root access, which means he had the same permissions as the administrator. The setup also enabled pinpointing the exact physical location of the compromised device.

Cybercriminals could use this avenue of attack against anyone interested in buying a surveillance system at a lower price. They could sell the compromised connected device on consumer-to-consumer sales websites, often used by smaller businesses to buy electronics.

If you’re thinking that some smart devices are too small for hardware implants, know that the same level of compromise is attainable via software modifications. A vulnerability in the software of one unit is present in all other devices running the same firmware version. So an exploit that works on one, works on many.

Two years ago, for instance, researchers found that the iKettle would not delete the WiFi password after a factory reset. This enabled anyone buying a used unit to find the wireless code of the previous owner and, since shipping includes the sender’s address, one can learn where the seller lives.

Unless you have a specialized security tool on guard, or you have the skills to test the products before hooking them up to the internet, your local network may get visits from unauthorized individuals.

If you get your electronics cheap off an online marketplace, you risk ending up with a tainted product that has a backdoor or communicates sensitive information to a remote attacker. Considering that smart gadgets are as popular as they are vulnerable, the range of IoT gadgets that could be hacked and passed on this way is huge.