Why Your Second-Hand IoT Router Is Probably Backdoored

TLDR: This research proves that commercial IoT devices often lack integrity checks during the refurbishment process, allowing attackers to inject persistent firmware backdoors. By modifying device firmware and returning it to retailers, researchers successfully re-acquired the devices and confirmed that their custom C2 callbacks remained active. This highlights a critical supply-chain vulnerability in the secondary market that pentesters should consider when assessing hardware security.

Hardware security often feels like a black box, but the reality is that the secondary market for IoT devices is a massive, unmonitored attack surface. When you buy a "pre-owned" or "refurbished" router, you are trusting that the retailer wiped the device and restored it to a factory-clean state. This research from DEF CON 2025 demonstrates that this trust is misplaced. Attackers can easily modify firmware, return the hardware, and wait for an unsuspecting user to purchase the compromised device, effectively turning the supply chain against the end consumer.

The Mechanics of Firmware Persistence

The core of this attack relies on the fact that many commercial IoT devices, specifically budget-friendly routers, do not implement cryptographic verification for firmware updates. If a device lacks a secure boot chain, it will execute whatever code is placed in its flash memory. The researchers focused on TP-Link routers, which are common targets due to their widespread use and relatively simple architecture.

To achieve persistence, the process is straightforward. First, you extract the existing firmware using binwalk, which is the industry standard for analyzing embedded filesystem images. Once the filesystem is extracted, you can modify the configuration files or inject a custom service. The researchers injected a simple script designed to beacon out to a C2 server every ten minutes.

After modifying the files, you must repack the filesystem. This is where many researchers trip up. You need to ensure the compression method matches the original firmware. If the original used XZ compression, you must use the same, or the bootloader will fail to mount the filesystem. You can use makesquashfs to rebuild the image:

# Example of rebuilding a squashfs image with specific compression
mksquashfs ./extracted_fs ./modified_firmware.bin -comp xz -noappend

Once the binary is rebuilt, you flash it back to the device. If the web interface allows for manual firmware uploads, you can push the malicious binary directly. If not, you may need to use SPI flash programming to write the image directly to the chip. The beauty of this technique is that a standard factory reset, which typically only clears user configuration data, does not touch the underlying firmware partition. Your backdoor survives the reset, waiting for the next owner to connect the device to the internet.

Real-World Pentesters and the Supply Chain

For a penetration tester, this research changes how you view hardware in a corporate environment. If you are performing a physical security assessment or a red team engagement, you should no longer assume that hardware sourced from secondary markets is clean. If an attacker can gain physical access to a device, they can ensure that even if the IT department "wipes" it, the device remains a persistent foothold in the network.

This falls squarely under OWASP A06:2021 – Vulnerable and Outdated Components, but with a hardware-level twist. The impact is significant. A compromised router acts as a transparent proxy for all traffic, allowing an attacker to intercept credentials, inject malicious payloads into unencrypted HTTP traffic, or map the internal network. Because the backdoor is embedded in the firmware, it is invisible to standard endpoint detection and response tools that only monitor the OS layer.

Defending Against Hardware Persistence

Defending against this is difficult because the responsibility lies primarily with the manufacturer. If a device does not support secure boot, there is no way for the user to verify the integrity of the firmware. However, organizations can mitigate this risk by enforcing strict hardware procurement policies. Never deploy refurbished or second-hand networking equipment in sensitive environments. If you must use such hardware, you should perform a full firmware dump and compare the hashes against the manufacturer's official releases.

For those interested in the technical weeds, the Router Post-Exploitation Framework (RPEF) is a great starting point for understanding how these devices can be manipulated. While the project is older, the underlying principles of how to interact with router firmware remain relevant.

Ultimately, this research serves as a reminder that the supply chain is not just about software dependencies. It is about the physical integrity of the devices we plug into our networks. If you are a researcher, start looking at the firmware update mechanisms of the devices in your lab. If you find one that accepts unsigned binaries, you have found a potential persistence vector that will survive almost any standard remediation effort. The next time you see a "refurbished" deal on a router, ask yourself if the discount is worth the risk of a persistent, invisible backdoor.