Morning Overview

Five of five cheap smart devices the Wall Street Journal tested were hacked out of the box.

Every low-cost smart device purchased by Wall Street Journal reporters for a recent test was already compromised before it was plugged in. Two digital photo frames bought from Amazon and three Android TV streaming boxes from Walmart all initiated suspicious network connections consistent with residential proxy activity the moment they were set up. The FBI has since issued a formal alert warning that such devices can be preloaded with malicious software before they ever reach a consumer, naming the threat BADBOX 2.0.

Cheap smart gadgets arriving pre-infected with proxy malware

The test results are striking not because one or two devices failed a security check, but because every single unit did. Five out of five budget internet-connected products began routing traffic through home networks in ways consistent with residential proxy schemes, which allow cybercriminals to disguise their online activity by funneling it through real household IP addresses. That means a person buying a $30 digital photo frame or a bargain streaming stick could unknowingly turn their home internet connection into a relay for fraud, credential stuffing, or ad manipulation.

The FBI spelled out the mechanism in plain terms. Cybercriminals exploit compromised IoT devices sitting on home networks, and the agency confirmed that devices can be preloaded with malicious software before purchase or infected during the initial setup process. The malware identified in these cases is tracked under the name BADBOX 2.0, a label the FBI itself uses in its public advisory. The infection does not require the buyer to click a bad link or download a suspicious app. It is baked into the firmware from the start.

This distinction matters for anyone shopping for affordable connected gadgets. Traditional cybersecurity advice tells consumers to keep software updated, use strong passwords, and avoid sketchy downloads. None of that helps when the threat ships inside the box. The device works as advertised on the surface, displaying photos or streaming video, while silently operating as a node in a criminal proxy network behind the scenes.

What the WSJ test and FBI alert reveal about BADBOX 2.0

The Wall Street Journal’s reporting provides the most concrete consumer-facing evidence of this supply chain problem. Reporters purchased two digital frames and three TV boxes from major online and big-box retailers, covering two of the largest U.S. channels for budget electronics. All five devices initiated connections consistent with residential proxy activity immediately after purchase, according to the Journal’s findings. The consistency of the results across different product types and different retailers suggests the problem sits deeper in the supply chain than any single storefront.

The FBI’s alert reinforces this picture from the enforcement side. The agency describes a pattern in which low-cost, internet-connected devices arrive at consumers’ doors already carrying BADBOX 2.0 malware or pick it up during the first moments of configuration. Once active, these compromised devices can be conscripted into botnets, used to generate fraudulent ad impressions, or employed as residential proxies that mask the true origin of cyberattacks. The practical effect is that a home network becomes part of a criminal infrastructure without the homeowner ever knowing.

Neither Amazon nor Walmart has publicly confirmed or denied the presence of pre-installed proxy malware on the specific products the Journal tested. The manufacturers of the devices have not been publicly identified by name in either the Journal’s reporting or the FBI’s advisory, leaving a gap in accountability. Without model numbers, firmware version details, or packet capture logs in the public record, independent researchers cannot yet replicate the exact test or trace the infection to a specific factory or chipset supplier.

Unanswered questions about infected device supply chains

Several significant gaps remain in the public evidence. The FBI’s alert does not include case data or victim reports that would quantify how many consumers have encountered BADBOX 2.0 on newly purchased devices. The FBI’s reporting portal exists for the public to submit incidents, but no aggregate figures have been released. Without that data, the scale of the problem is difficult to measure beyond the five-device sample the Journal tested.

The supply chain question is the most pressing unresolved thread. If malware is being embedded at the firmware level before devices ship, the infection point likely sits at or near the factory. Correlating U.S. import records with infection timestamps from a larger sample of identical product SKUs could reveal whether specific overseas manufacturing facilities are responsible. That kind of analysis has not appeared in any public report so far, and it would require cooperation between customs authorities, cybersecurity researchers, and the retailers selling these products.

Retailers face a practical dilemma. Amazon and Walmart list thousands of third-party electronics from suppliers they do not directly manufacture or audit at the firmware level. The current system relies heavily on post-sale reporting to catch compromised products, which means consumers absorb the risk first. A device that works as expected on the surface gives no visible signal that it is also operating as a proxy node.

How consumers can spot and limit BADBOX 2.0 risks

For anyone who has recently purchased a low-cost digital photo frame or Android TV box, the first step is to check whether the device is generating unusual network traffic. Most home routers allow users to view connected devices and their data usage. A device that is idle but consistently uploading or downloading large amounts of data, or one that appears with an unfamiliar name and never goes offline, is a red flag. Some routers also support basic per-device firewalls, which can be used to block outbound connections from a suspicious gadget.

Placing untrusted devices on a separate guest network can substantially reduce the damage if one turns out to be compromised. Isolating smart gadgets from laptops, phones, and work machines limits the chance that BADBOX 2.0 or similar malware could pivot deeper into a home network. Where possible, disabling unnecessary features such as remote access, cloud backup, or automatic content recommendations further shrinks the attack surface.

Consumers who discover unexplained traffic or other suspicious behavior should document what they see before unplugging the device. Screenshots of router logs, timestamps of unusual activity, and purchase records can all be useful if law enforcement or researchers later investigate. The FBI’s alert encourages people to report suspected incidents, and the more detail a report includes, the more likely it is to help identify patterns across multiple victims.

What needs to change upstream

While individual users can take steps to reduce their own exposure, the BADBOX 2.0 cases highlight a structural problem that cannot be solved at the household level alone. As long as retailers can list cheap, white-label electronics with minimal vetting, and as long as manufacturers face little scrutiny of their firmware supply chains, malicious code can slip into consumer homes disguised as a bargain gadget.

More robust pre-sale testing by retailers could catch some compromised products before they ship, especially if combined with random audits of firmware images and network behavior. Importers and brand owners could be required to certify that their devices have passed independent security evaluations, much as they already do for electrical safety. Regulators might also consider mandating clearer labeling for internet-connected devices, disclosing how long firmware will receive updates and whether third-party code libraries are used.

For now, the combination of the Wall Street Journal’s findings and the FBI’s BADBOX 2.0 advisory is an early warning, not a complete map of the threat. The evidence shows that at least some low-cost smart home devices are arriving pre-infected and immediately joining criminal proxy networks. It does not yet show how widespread the practice is, which manufacturers are involved, or how many households have been quietly drafted into these schemes.

Until those questions are answered, buyers of budget connected gadgets should assume that price and brand recognition alone are not reliable indicators of security. Treating every new device as potentially hostile-segmenting networks, watching traffic, and limiting permissions-may feel extreme for a digital photo frame or streaming box. But as BADBOX 2.0 demonstrates, even the simplest smart gadget can carry more than the features listed on its packaging.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.