Eset Finds Customer Info, VPN Credentials & Authentication Keys on Used Routers
Sanitizing IT gear before decommissioning is well-trod cybersecurity advice given to corporations everywhere, and yet many persist in disposing of equipment still laden with sensitive data.
Cybersecurity firm Eset says it wasn’t looking to add to the copious literature of researchers discovering hidden secrets on secondhand equipment. But an unrelated lab experiment involving more than a dozen used routers nonetheless revealed a wealth of information useful for a cyberattack, company researchers write in a report.
More than half of the examined secondhand routers contained previously used configurations, with data on the devices possibly enabling threat actors to access the prior owners’ network configurations.
Eset analyzed 16 distinct network devices from medium-sized businesses and found nine devices still held sensitive data.
“Over 56% of the core routers Eset purchased from secondary market vendors contained sensitive data, including corporate credentials, VPN details, cryptographic keys and more,” researchers say.
A breakdown of the nine routers containing previous configurations shows:
- 22% contained customer data;
- 33% exposed data allowing third-party connections to the network;
- 44% had credentials for connecting to other networks as a trusted party;
- 89% itemized connection details for specific applications;
- 89% contained router-to-router authentication keys;
- 100% contained one or more of IPsec or VPN credentials, or hashed root passwords;
- 100% had sufficient data to reliably identify the former owner/operator.
Cameron Camp, the Eset security researcher who led the project, told Information Security Media Group the research came about after the team began a test scenario analyzing Microsoft Exchange and RDP attacks. They noticed that a router bought for the scenario still had data on it.
“We soon realized this was both unintended and potentially very compromising for the original owner, possibly with legal ramifications for them. The consequence of a company’s router on the open market still containing secrets is that it radically shortens the time to attack, and allows access to one of the most-rich sets of data – opening up the numerous ways to get access for a bad actor,” Camp said.
A majority of devices analyzed by the researchers obtained from the secondary market had a “digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors and customers.”
Eset disclosed the findings to each identified organization. Some didn’t respond to the discovery, “while others showed proficiency, handling the event as a full-blown security breach.”
Tony Anscombe, chief security evangelist at Eset, who also led the research along with Camp, said the findings show that many companies clearly don’t follow decommissioning protocols.
“Exploiting a vulnerability or spearphishing for credentials is potentially hard work. But our research shows that there is a much easier way to get your hands on this data and more,” Anscombe said.