
Think Twice About Buying Internet-connected Devices Off Ebay (qz.com)

If you're thinking about buying gadgets from auction sites such as Ebay, you will want to consider the potential risks. From a report: When you're buying from a third-party seller, it's a lot more difficult to tell where products have come from, whether you're getting exactly what you think you're getting, and if anything has been done to the product since it was manufactured. "It is possible for internet-connected devices to be tampered with and resold on the web," Leigh-Anne Galloway, lead cybersecurity resilience analyst at the cybersecurity firm Positive Technologies, told Quartz. "It's similar to buying a secondhand cellphone without it being restored to factory settings." In fact, buying a second hand gadget can potentially expose the user to some pretty extreme scenarios. "Cameras and IoT devices can contain spyware and malware, which can cause a plethora of problems for the user," Galloway added. "These devices could possibly listen to you, watch your every step, communicate with and attack other devices connected to the same local network, such as PCs, laptops, and TVs." Galloway said devices could also be used to perform botnet attacks -- where an unsecured internet-connected device is accessed by another computer and used along with other breached devices to take down websites or internet services, as what happened with the Mirai botnet attack in 2016.

  • by acoustix ( 123925 ) on Tuesday December 19, 2017 @10:02AM (#55767987)

    It's all devices. Hell, most of them are designed to spy on the users. Do you trust anything coming from China?

    The sad fact is you've already agreed to be spied on when you agree to use almost any Internet connected device. There's really nothing that changes with this article.

    • by Baron_Yam ( 643147 ) on Tuesday December 19, 2017 @10:09AM (#55768021)

      >Do you trust anything coming from China?

      Yes. The Chinese have no interest in spying on the average consumer in the West. If I held a security-sensitive position in government, I'd be more concerned, but I don't so I'm not.

      And ultimately if I buy a domestic product I have to be concerned about domestic spying, which is more likely to directly affect me.

      • by Anonymous Coward on Tuesday December 19, 2017 @10:18AM (#55768073)

        The Chinese have an interest in spying on everybody, all of the time.

      • by SethJohnson ( 112166 ) on Tuesday December 19, 2017 @11:15AM (#55768461) Homepage Journal

        >The Chinese have no interest in spying on the average consumer in the West.

        Let's ignore the traditional image of foreign agents conducting espionage and think more about what could be gained by operating a beachhead device inside a random US home.

        1. Botnet participant can be used for DDOS attacks on government and corporate entities.

        2. Automated network snooping can exploit vulnerabilities to compromise network routers.

        3. With network router compromised, MITM attacks can inject malware and gather remote credentials to other services. This can grow the botnet population and compromise additional devices on remote networks. MITM attack enables automated identity theft to erode American economic stability.

        The identity theft part highlights the probability that these trojan devices can very well be controlled by criminal elements rather than state actors. Cryptoviruses and blackmail can be implemented thanks to such compromised IOT devices.

        • by Rei ( 128717 )

          Wonder if you could pull off TEMPEST in a consumer electronics-sized device. That would lead to some seriously concerning possibilities.

        • However, these risks (from my perspective, not the state's) remain the same regardless of where the device is manufactured.

          Do I care whether it's USA or China that has the original back door on my device? If I trusted one more than the other not to compromise my device at the factory, I'd preferentially buy from them. I trust neither.

    • by stooo ( 2202012 )

      >Do you trust anything coming from USA ?
      Hell No.

    • I'd argue that in >95% of cases there is no point to making most widgets internet connected or "smart" in the first place. I'm still in awe that anyone ever wasted money on a web connected fridge. WTF?

      Sadly, many of these widgets have been designed to be badly hobbled or non-functional if they are NOT connected to servers via the internet. I see orphaning of products as a real scourge on the world. Widgets that used to last a decade or more are now "smart", but useless after a year or three when the

    • Indeed. My statement would be "Do not buy internet connected devices." meaning, of course, thermostats etc. as computers with internet connections are by design and are typically shut off when not in use.
  • by Clueless Nick ( 883532 ) on Tuesday December 19, 2017 @10:09AM (#55768019) Journal

    When you gaze long into an abyss, the abyss also gazes into you.

    So, when you buy that spycam, be informed that it might also be spying on you.

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday December 19, 2017 @10:11AM (#55768031) Journal
    I always buy in Alibaba, some Russian named seller in a Bulgarian store fulfills my Alibaba order that gets shipped straight from China.
  • Has anyone really trusted eBay in the last 10 years, electronic device or not?

  • You should think twice before buying any internet connected device, and twice again before buying anything of Alleybobo. By my reckoning that's four times - at least.

  • Show of hands, who here doesn't immediately reflash everything with updatable firmware? Usually there's an update anyway, by the time you get it in your hot little hands.

    • Yeah, pretty much a wasted story here. Could be useful on more mainstream sites, but anyone who's still hanging around here knows this kind of stuff.
  • ANYTHING you buy that connects to the internet should first and foremost go through a thorough audit. You and your habits are marketable data, being able to get that for free AND make you pay for it ... And you don't even get a (fire)wall out of it.

    But seriously. You shouldn't trust ANY device that gets hooked to the internet. Even and especially when it is from a "reputable" hardware manufacturer. All that means is that they're more likely to be longer in business to siphon your data.

  • by Ed Tice ( 3732157 ) on Tuesday December 19, 2017 @10:29AM (#55768157)
    Fixed the summary for you. Even if you can get an internet-connected device that doesn't tout spying as a feature, the supply chain is full of counterfeits and tampered items.
    • >Fixed the summary for you. Even if you can get an internet-connected device that doesn't tout spying as a feature, the supply chain is full of counterfeits and tampered items.

      There is one key benefit. With counterfeits and tampered items it is likely they may have broken the spying features.

  • ...IoT devices you buy at Amazon, Walmart and similar places is 100% safe, NSA approved.
  • by martiniturbide ( 1203660 ) on Tuesday December 19, 2017 @10:53AM (#55768305) Homepage Journal
    The warning and the advice is good, but Leigh-Anne Galloway (and the article author) provides no data if that is happening or not. It would be interesting to know that from 10 devices bought X came with modified firmware with spyware. But no data is provided.
  • I find buying used (nontrivial) electronics (and using other people's electronics) icky. It's the cybersecurity equivalent of donning a piece of underwear that was found at the roadside. One could argue "nothing a good round of disinfection won't fix", but that gets a lot more complicated than "wash hot".
  • Think Twice About Buying Anything Off Ebay
  • "It's similar to buying a secondhand cellphone without it being restored to factory settings". Well, if that happens, it's not MY data that is at risk, but the data of the previous owner. I can easily reset it to factory defaults, and maybe flash the firmware.
  • Or newegg? (Score:4, Interesting)

    by RobinH ( 124750 ) on Tuesday December 19, 2017 @12:06PM (#55768769) Homepage
    I was looking at a cheap Mini PC, labeled an "industrial PC" on newegg, from a Chinese seller, obviously, and the one review said the version of windows pre-installed was pirated, and there was software installed that simulated the license authentication, but as soon as you installed anti-virus it would detect that software and quarantine it, and then your windows copy realizes it's a pirated copy. Caveat emptor.
  • So many devices no matter where you buy them have 'security flaws' and be at risk to expose sensitive data or spy etc etc.

    This sounds more like "Oh god, instead of us buying it from China for 10$ then selling it in north america for 110$, people are directly buying it for 10$" Ah noooo what do we do!

    Just sounds like a campaign to try to convince people to pay higher prices.

  • by Rick Schumann ( 4662797 ) on Tuesday December 19, 2017 @01:32PM (#55769365) Journal
    "Think twice about buying ANY Internet-connected devices, from ANYWHERE"
  • There are reputable sellers from US companies like trade-in companies and phone insurance companies that refurbish and resell devices on eBay vs wholesale. An unknown seller might tamper with a device but iPhones harder for spyware. Non-authentic parts such as knock-off cheaper battery could also be a concern. Apple CPO = Certified Previous Owned which are supposed to be from certified Apple supply chain partners. Buying from Apple or Carriers while might be more expensive lower risk of unauthorized par
  • When you're buying from a third-party seller, it's a lot more difficult to tell where products have come from, whether you're getting exactly what you think you're getting, and if anything has been done to the product since it was manufactured. "It is possible for internet-connected devices to be tampered with and resold on the web,

    These devices could possibly listen to you, watch your every step, communicate with and attack other devices connected to the same local network, such as PCs, laptops, and TVs."

    T
