I am buying a "new" router from an open-box sale at a company that liquidates eCommerce returns. Plan to use it for a home network at cottage.
I'm a bit nervous that it could have been modified by whoever had it last.
Update: The device model is a TP-Link AC4500 (archer) router.
Short answer: do a factory reset, update the firmware, and you are good to go.
The risk is very low, bordering zero. The previous owner may have installed a custom firmware or changed its configuration, but a firmware upgrade and factory reset is enough to take care of almost every change.
The risk that the previous owner tampered with the router and his changes can survive even a firmware upgrade and factory reset is negligible.
So, don't worry, unless you are a person of special interest: working on top-secret stuff or have privileged financial information on a big enterprise. But as you are buying a used router, I bet you are a common guy and would not be a target for those attacks.
The main risk is that the firmware has been replaced by a malicious version, which could make it possible to intercept all the traffic on your network. Passwords, injecting malware, redirecting you to malicious sites, etc. That's a worst-case scenario but easy for someone to do.
You want to factory reset the device to try to clear out anything that the previous owner may have set up in the factory firmware.
But more importantly, you want to see if the firmware has been changed by looking to see if the case has been opened or tampered with and to see if the operating system of the router has changed. But that might not be enough. It is easy to simulate the OS and website on a router.
Something that you could do is to replace the firmware with one of your own. That should wipe out any malicious firmware on the device. There are open-source after-market firmware you can use.
By far, your main risk in buying an "open box" router is that the router has some subtle damage that the manufacturer didn't detect but that will ultimately reduce the lifespan of the device. That's one reason why they often have reduced warranties.
Security-wise, the risk is negligible if you do a factory reset and re-flash the firmware. That should re-write everything in programmable memory and erase anything malicious that a previous user might have loaded. In fact, this is a best practice even for new routers. I've bought new routers multiple times only to learn that they were still programmed for what was clearly a test network at the factory.
Persistent malware is a real thing, but it's not something to worry too much about. After all, a "brand new" router could have had persistent malware loaded at the factory, so this isn't a risk you can completely mitigate.
In short: If you really care about stuff like that, go into a retail store and buy a new router that's on stock. The risk is small, but you can't easily mitigate it.
I could imagine some creep buying lots of routers, returning them and then spying on the people who bought them just for the kick of it. Or of course some evil organization. This risk is small, sure.
But I'd like to doubt the claims of the other answers about "just" resetting the router. Sure, reflashing the firmware should erase pretty much every bad thing that might be on it. But how would you do that? You can't use the web interface (that would be the first thing someone would disable/fake) and a physical button probably also just sends a signal to the current firmware, that it should reset itself. Serial transfer is also handled by the current firmware I would expect.
Unless you are going to reflash the firmware using a JTAG interface that might or might not be there (or something equivalent) then I'm pretty sure resetting isn't much better than just trusting the device to be basically ok (of course you should reset it anyway to get rid of the settings of previous owners).
And I don't know enough about JTAG to assess its security, the only thing I'm sure about is that it's less trivial to fake than the web interface/button.
What are the main risks in this scenario?
I know this is not the intent of your question, but in my opinion the main risk is not to you, but to the previous owner. Chances are that the credentials of the previous owner are still present on the device. You may gain access to the account of the previous owner this way. Resold devices are often not cleared at all, leaving sensitive information on them.
If an attacker had modified the firmware in a moderately sophisticated way, then the only way to be completely sure of wiping that firmware is to update via jtag or direct flash writing. If you rely on software-based firmware update, then that is under the control of the compromised firmware. There are tutorials online on how to do that if it falls under your threat model. Instead of updating, you could just extract the firmware using jtag/spi or whatever and compare it with the firmware version that is shown as being installed.
Of course, with hardware modification, there could be even more insidious changes in place that would survive that, but you're getting into the realm of TLAs by then.
Be aware some corporate devices are configured to disable password recovery. This is not uncommon for Telco-provided CPE, like Cisco routers. You might be buying a paperweight or a parts donor.
Keep an eye out for stickers that imply its been a Customer-site device provided by big-local-telco, and perhaps avoid those listings.
As I can understand, the model we discuss is kind of non-expensive one. Then, you better have to worry about existing vulnerabilities in the factory-default firmware (hard-coded passwords, open telnet on custom port etc.). So, if possible just update the firmware to something like DD-WRT or any other open-source solution.
Not that this is a common thing, but I'll just add one more answer that I'm surprised to see no one else mentioned properly.
If you see something like this...
...then chances are someone could easily sniff your Ethernet packets with one of these:
Which is not a good thing. This means that all non-secured traffic will be visible to the third party. They could just as easily sniff WiFi packets too.
If you see any weird wiring concealed inside the router package, I suggest avoiding using it. You'll be better off to throw it right away.
I'm not saying this is a common thing to see, but with an easy check like this, you can avoid being spied on. You never know where the router has come from.
