You’ve been tasked to look for new hardware, and cost is a priority. There’s the potential for buying recycled equipment, but you’re wary—who knows if the previous owner properly wiped the device, or, more worryingly, if it’s still accessible from the outside?
Those concerns are part of the calculation IT teams need to make when looking for replacement hardware. As Rapid7 Principal Security Researcher of IoT Deral Heiland told IT Brew, it comes down to firmware: how it’s managed on the devices and whether the hardware has been sufficiently cleaned of prior data.
“If you’re buying network infrastructure gear, you can usually come in, purchase it, flush everything, factory reset, put all new firmware on, all new passwords, accounts, everything, and you got a perfectly safe device,” Heiland said. “If there is a cloud or internet component to that, then you need to consider, ‘Can I properly flush that disconnect and ensure the device can’t be registered by somebody else after I’ve purchased it that would give them some level of access?’”
Through the cracks. The possibility that something can slip through is enough to bother security professionals who are hyper-aware of the danger. For David Redekop, founder of DNS and security firm ADAMnetworks, the concern isn’t just how the device has been decommissioned and cleaned; it’s whether it can actually do the job.
“You need a little bit more horsepower or maybe a little bit more storage, because the drives weren’t as big back then,” Redekop said. “But what you can do with that now is practically the same thing you can do with the brand new one, and so there’s huge economic value in buying used equipment for those that want to run a sustainable business and would like to go on-prem versus on the cloud. Huge, huge value.”
Replacing the firmware on used devices lets the purchaser remove data they don’t want, and removing embedded data is a chance to ensure the hardware is safe, no matter where you get it from. In other words, you don’t want another user, maybe half the country away, being able to access your “new” device. For most branded tech, even when it’s used, that’s not an issue. Nonetheless, the risk isn’t zero.
Checking that risk. Anyone buying used hardware needs to keep a risk assessment in mind. There’s always the possibility that malicious actors could use recycled devices to infiltrate the buyer’s systems, but the likelihood of that happening is minimal unless you’re the specific target.
“If you’re really, really paranoid about security, then obviously buying new stuff is the way to go,” Heiland said. “If you’re fine with a little bit of risk, even if it’s very minimal, then buying on the secondary market may have some real value.”
Cost is often a motivating concern, and that invites a comparison of new and used devices. While newer hardware may have a higher upfront cost, used devices often need the aforementioned extensive patching and wiping, making it a wash. But supply chain uncertainty could change the calculation: hardware altered somewhere between the factory and the user offers attackers another way in.
Whatever works. Redekop called it “buyer dependent, buyer beware.” It comes down to making the right decision for the specific user, much like a used car.
“If you know what you’re doing, buy it used, because you’re going to get tremendous value,” Redekop said. “If you are a buyer that just needs to go through a tremendous amount of checks and validations, new is going to be the way to go. So, it really is going to vary quite broadly on when I would make a recommendation one or the other. There is no simple answer.”