I am a big proponent of repurposing, reusing, and recycling electronics. Way too much electronic waste ends up in landfills where it poses environmental risks from the hazardous chemicals in the electronics ending up in the water supply.
If a piece of smart home gear doesn’t meet your needs, it doesn’t mean someone else might not want it, and it makes perfect sense to try and sell it on marketplaces like eBay and Craigslist. In addition, you can save money and keep a piece of smart home gear out of a landfill, by purchasing it used through an online marketplace.
A quick search on eBay for “Amazon Echo” showed almost 1,200 used Echo devices for sale. Similarly, a search for “Google Nest Thermostat” showed more than 250 used Nest thermostats for sale. It sounds like a match made in heaven. Unfortunately, buying and selling used smart home gear is not without risks.
The Risks of Buying Used Smart Home Gear
It seems like every week there are new headlines about bad actors breaking into a business through the internet to install ransomware, steal passwords, steal confidential patient medical information, and more. The focus on attacking businesses is obvious. Even though it can take an extensive amount of time and effort to break into a company through their internet connection, a single hack can generate millions of dollars in revenue for the individuals perpetrating the attack. An attack on the average home isn’t likely to generate nearly the same amount of money. However, as business defenses to hacking get more and more sophisticated, it won’t be long before the average homeowner becomes a target.
Taking the time to attack a home through the homeowner’s broadband internet connection is probably not a great investment for bad actors unless they know that individual has a great deal of money. So, a different approach where numerous people can be hacked at once, would make much more sense.
According to Mike Dow, senior product manager of IoT Security at Silicon Labs, “Every IoT device has vulnerabilities. With physical access to a device, enough time, and the right skill set, these vulnerabilities can be uncovered and exploited to install malicious software on the device.” Once a bad actor has figured out how to hack a given device, they can easily repeat that attack on as many of those devices as they want.
Again, according to Mike Dow, “Manufacturers of IoT devices go to great lengths to make sure that their devices can’t be infected with malicious software as they make it through the supply chain from manufacturing to the consumer.” However, there is no protection when it comes to buying a used IoT device.
It is not much of a stretch of anyone’s imagination to see bad actors buying up used smart home gear, infecting it with malicious software, and reselling it to unsuspecting consumers. They can easily repeat this process hundreds or even thousands of times, and suddenly the investment in figuring out how to hack an IoT device is paid back many times over.
Homeowner’s may not even know that the IoT device they have installed in their home has been hacked. For example, it could just be that crypto mining software was installed on the device. In this case, the homeowner’s electric bill may go up a few cents, the bandwidth of their internet connection may go down a little, and they may be able to stream a little less video before hitting their ISP’s data cap. So, for the most part, the infection is pretty benign.
On the other hand, the infected device may provide remote access into the homeowner’s network so that the bad actor can search for financial information saved on network attached storage (NAS) devices with the goal of emptying the homeowner’s 401K.
The homeowner isn’t the only one at risk. According to Mike Dow, “A bad actor that perfects this kind of attack could blackmail the IoT device’s manufacturer to keep the hack from being used on homeowners or released on the dark web for other bad actors to use.” Either of these scenarios could give the manufacturer a bad reputation in the eyes of the public, potentially costing them millions of dollars in lost sales.
Selling a used IoT device is also not without its risks. According to Brent Wilson, director of applications engineering at Silicon Labs, “The main issue with selling a used IoT device is that in many cases the device will still contain sensitive information from the original owner, like the Wi-Fi SSID and network credentials, that can be used by an attacker to gain access to the original owner’s home network.”
What Can be Done by Manufacturers?
Again, according to Wilson, the best solution to prevent a product from being infected by malware is for manufacturers to create a secure boot process for the product so that it will only execute the firmware that has been signed by the manufacturer. If malware is loaded onto the product it will “brick” the product.
Another solution is for manufacturers to make it very difficult for a bad actor to infect a device with malware and pass it along to anyone without that person being aware that the device had been modified. For example, if an IoT device’s case was constructed in a way that it had to be physically destroyed to access the circuitry inside the device, then it couldn’t be resold after the internal circuitry was accessed.
A third alternative, according to Dow, would be “for manufacturers to include anti-tamper circuitry in the device as is done with point-of-sale terminals to keep thieves from stealing financial information. If the enclosure of the point-of-sale terminal is breached, then an anti-tamper circuit is activated, and it destroys the circuitry of the terminal, making it useless for the thieves.
Unfortunately, some of the above options would go against the idea that people have a “right to repair” their electronic devices. So, there is a tradeoff between security and repair-ability of an IoT device.
What Steps Should Homeowners Take?
If you are going to sell a used IoT device, then you need to research and follow the manufacturer’s instruction on how to factory reset the product, so all of your personal information is deleted. This information may not be included in the instruction manual in which case you will have to contact technical support for instructions on how to accomplish this.
You should also validate with technical support that performing a factory reset will erase all of your personal information from the device’s memory. If the manufacturer’s technical support people cannot provide information on how to factory reset the device and assurance that all your personal information will be removed during that process, then it is not worth the risk to sell the device to an unknown third party.
Homeowners also need to be aware of the risks of buying used IoT devices. Saving a few dollars by purchasing a used IoT device may end up costing much more than device’s full retail price.
Residential-grade security appliances can help identify infected IoT devices in a home. For example, the Firewalla security appliance will send a notification to a homeowner whenever it detects an abnormal data upload by an IoT device on a homeowner’s network. While it may be totally normal for a security camera to upload video to a cloud service so it can be viewed in an app on a smart phone, an upload to an eastern European country by a used smart thermostat may be a warning of a significant issue.
Buying used smart home gear poses a security risk for both homeowners and manufacturers. While, to the best of my knowledge, used IoT devices aren’t currently being used as a way for bad actors to penetrate homeowners’ networks, it is probably only a matter of time before this happens. Manufacturers need to take steps to better secure their devices from hacking and homeowners need to be aware of the risks and take steps to mitigate them.