Think Twice About Buying Internet-Connected Devices Off eBay

The holiday season is the perfect time to shell out for the latest and greatest smart-home and internet-connected gadgets, like game consoles, drones, smart lightbulbs and switches.

But if you’re thinking about taking advantage of the deals that can be had buying from second-hand and auction sites like eBay, first consider the potential risks. When you’re buying from a third-party seller, it’s a lot more difficult to tell where products have come from, whether you’re getting exactly what you think you’re getting, and if anything has been done to the product since it was manufactured.

“It is possible for internet-connected devices to be tampered with and resold on the web,” Leigh-Anne Galloway, lead cybersecurity resilience analyst at the cybersecurity firm Positive Technologies, told Quartz. “It’s similar to buying a secondhand cellphone without it being restored to factory settings.”

In fact, buying a second hand gadget can potentially expose the user to some pretty extreme scenarios. “Cameras and IoT devices can contain spyware and malware, which can cause a plethora of problems for the user,” Galloway added. “These devices could possibly listen to you, watch your every step, communicate with and attack other devices connected to the same local network, such as PCs, laptops, and TVs.”

Galloway said devices could also be used to perform botnet attacks—where an unsecured internet-connected device is accessed by another computer and used along with other breached devices to take down websites or internet services, as what happened with the Mirai botnet attack in 2016.

If you’re looking to buy internet-connected switches, voice-assistant devices, or any other devices that need to connect to the web, make sure, as best you can, that the device went straight from the manufacturer to you. The easiest way to do that is to buy from reputable sources, like Amazon, big-box retailers like Best Buy or Target, or local electronics stores in your country.

eBay wasn’t available to explain how it vets products sold on its site for potential security issues.

What to do if you already own one of these devices

If you’ve already bought or been given a device that was purchased from a reseller, there are a number of steps you can take to secure it. One suggestion Galloway makes is to ensure that your devices have the latest firmware, downloaded from the manufacturer’s website or app.

If you’re worried that the devices you’ve purchased have been physically tampered with—which could mean that firmware updates might not catch any listening devices that may have been added—there is another level of security that you can add to your network itself. New wifi router systems like eero or the Wink Hub offer software that can detect all traffic coming in and out of your network, making sure no one is snooping on anything you don’t want them to. There are also specialized devices, like the Bitedefender BOX, that monitor internet traffic to protect against attacks.

Just make sure whatever protective devices you’re buying aren’t also from the shadier corners of the web.