Remote hardware that isn’t wiped clean can present threats to users, former owners

Could you start a car across the country with a refurbished remote starter? Or open a stranger’s garage with your used door opener?

It’s possible. Today’s hardware is cloud connected, meaning that, under the right circumstances, using a device in one place could send an actionable command across the airwaves to a different location.

Deral Heiland, IoT principal security researcher at Rapid7, told IT Brew that one of the concerns is dual registration—getting a refurbished device and registering it without ensuring prior data was wiped clean. While most companies have solved this problem, some off-brand firms have not, meaning that a small percentage of devices can be dual-registered—and used by bad actors.

Heiland buys a lot of secondhand devices for work.“Usually, it’s not linked back to the cloud services; probably about 50% of those devices, when I buy them, still are registered and still have the person’s personal wi-fi account information on them, the pre-share keys,” he said. “I’ve even pulled passwords off devices.”

It happened to him. For Ensar Seker, VP of research and CISO at SOCRadar Cyber Intelligence, the reality of that risk was made clear recently when he bought a new garage door opener that was set up for another existing account. In his case, the device wasn’t even used, at least as far as he knows.

“When I was trying to set it up, I saw an error saying the device was registered for some other account, and the camera was already on,” Seker said, adding that “it wasn’t even refurbished. It was a brand-new garage door opener.”

It’s not the only example of strange device activity Seker has noticed. He has opened his garage door and witnessed his neighbor’s open at the same time because they’re on the same frequency. It underscores how this hardware is seldom as secure as it should be.

Driven value. When it comes to cars, Heiland said, the problem is pronounced. Because modern automobiles are integrated with smart technology, you need to do a full factory reset between owners; even when you’re told things have been wiped, features such as remote start can still impact their previous owners.

“You get a car, and I’ve seen some horror stories where the person goes…‘I had this application for remote start, and it still worked. And I was able to remote start the car, and it gave me all the indications that the car remote started halfway across the country,’” Heiland said.

Long view. The cybersecurity consequences of dual registration are real. It’s not a glitch, Seker told IT Brew, but rather a core problem of the “CIA triad: confidentiality, integrity and availability, or the fundamentals of cybersecurity.” If orphaned credentials can sit for a period of time in a device and still be activated, that presents the potential for abuse. The problem is more or less invisible, Seker said, until it’s exploited.

“If a malicious actor ends up with the device that still has functional links to a past target, it essentially becomes a remote entry point,” Seker said, adding, “while on the surface it looks like a quirky hardware issue, underneath it’s a breakdown in device life cycle governance and access control, and ultimately, digital trust.”

For IT pros, that means taking a “don’t trust, verify” attitude. It’s more than a refurbished device problem, it’s an IoT concern. Every connected device on your network should be treated as a persistent access node.

“If it comes into your home or organization pre-owned, assume it’s not clean until proven otherwise,” Seker said. “Go through full reset procedures, check for firmware updates, verify cloud associations and, where possible, isolate devices on the segment that works if it is possible—especially if they control physical assets like locks, cameras or vehicles and more broadly. We need to shift the culture around IoT from plug and play to zero trust by default.”