I recently bought a refurbished router, the same model I’ve used elsewhere in my house with no problems. With THIS one, however, I found myself unable to allow SSH traffic to pass the switch, even with the router in bridge mode. It’s very weird, and probably nothing, but it made me wonder: wouldn’t a great cyber implant strategy be to buy router equipment, replace one or more of the chips with a compromised version that does some nefarious thing (e.g. opens ports to the outside, acts as a node in a DDoS attack, etc.) and then return it to the store for a refund? The store then takes it back, cleans it up and resets it (but doesn’t, of course, notice the new chip soldered in as they don’t have the process to check for that) and resells it as refurbished. If I were a state actor looking to get stuff behind people’s firewalls, refurbished items would be a great attack vector.
Given that pretty much every company that sells routers sources their chips from Asia, wouldn’t it be easier for a state actor to just put the implants in the chips themselves? Well, I don’t think so. That would be too risky and traceable, and eventually production spot checks would likely find something. The process for refurbished products, however, is much less rigorous, and anything found would be impossible to trace back since the product was out of the supply chain for so long.