Discarded, not destroyed: Old routers reveal company secrets
When decommissioning old hardware, many companies ‘throw the baby out with the bathwater’
Pulling a dead router from the equipment rack and racking a shiny new replacement is probably a daily occurrence in many business networking environments. However, the fate of the discarded router should be treated as at least as important as the smooth deployment of the new kit. Unfortunately, this often does not seem to be the case.
When the ESET research team purchased several used routers to set up a test environment, there was surprise among team members when they discovered that, in many cases, previously used configurations were not deleted…and even worse, data on the devices could be used to identify the previous owner along with their network configuration details.
This prompted us to do more extensive testing: buy more used devices and adopt a simple methodology to check whether data was still on each device. A total of 18 routers were acquired; one was dead on arrival, and two were mirror pairs that we counted as one unit. After this adjustment, we found configuration details and data on 9 of the remaining 16 devices (more than 56%).
In the wrong hands, the data obtained from a device – including customer data, router-to-router authentication keys, application lists, and more – is sufficient to launch a cyberattack. Bad actors get the early access needed to start mapping where a company’s digital assets are and which of them might be of value. We are all probably aware of what happens next in this scenario.
Changes in recent years to the methods used by bad actors to carry out cyberattacks on businesses for monetization purposes are well documented. The shift to a more sophisticated style of persistent threat attack has allowed cybercriminals to establish entry points and footholds into networks. They then spend time and resources performing sophisticated data extraction, exploring methods to circumvent security measures, and ultimately bringing the business to its knees by mounting a destructive ransomware attack or other cybercrime.
Initial access to a corporate network has a market value: the current average price for access credentials to a corporate network, according to research by KELA Cybercrime Prevention, is about $2,800. This means that a used router purchased for a few hundred dollars, which yields network access with little effort, can provide cybercriminals with a significant return on investment. That is assuming they simply strip the access data and sell it on a dark web market, rather than launching the attacks themselves.
A concerning element of this research is the lack of engagement from companies when we tried to alert them that their data was accessible to anyone who bought the device. Some accepted the contact, some confirmed the device had been passed to a third party for secure destruction or wiping – a process which evidently did not happen – and others ignored repeated contact attempts.
The lesson to take away from this research is that any device that leaves your company should be wiped, and that the wiping process needs to be regularly certified and audited to ensure your company’s crown jewels are not openly sold to the public on the used-hardware market.
We have published the details – all but the names and company data that would make the owners identifiable – in a white paper. The white paper also contains guidance on the process to follow, including references to NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization. We highly recommend reading through the details and using our findings as impetus to examine the processes in your own organization, to ensure no data is accidentally disclosed.
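One concrete way to audit the wiping step described above, and to see how much of the data listed earlier (owner identity, credentials, router-to-router keys, peer addresses) a configuration export gives away, is to scan the export for residual owner data before the device leaves the building. The script below is an added example, not code from the ESET research or its white paper. It assumes a Cisco-IOS-like "show running-config" syntax (the research does not name vendors, so the patterns are illustrative and should be adapted to your platform), the sample configurations are constructed, and the type 7 decoder implements the publicly documented reversible scheme to show that keys stored that way are cleartext-equivalent.

```python
import re
from dataclasses import dataclass

# Assumption for illustration: the export uses a Cisco-IOS-like "show running-config"
# syntax. The research does not name vendors; adapt the patterns to your own platform.
# Each entry maps a line pattern to the kind of residual data the research describes.
PATTERNS = [
    ("owner identity",       re.compile(r"^\s*hostname\s+(\S+)", re.I)),
    ("owner identity",       re.compile(r"^\s*ip\s+domain-name\s+(\S+)", re.I)),
    ("enable credential",    re.compile(r"^\s*enable\s+(?:secret|password)(?:\s+\d)?\s+(\S+)", re.I)),
    ("local credential",     re.compile(r"^\s*username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:secret|password)(?:\s+\d)?\s+(\S+)", re.I)),
    ("snmp community",       re.compile(r"^\s*snmp-server\s+community\s+(\S+)", re.I)),
    ("router-to-router key", re.compile(r"^\s*crypto\s+isakmp\s+key\s+(\S+)\s+address\s+\S+", re.I)),
    ("router-to-router key", re.compile(r"^\s*neighbor\s+\S+\s+password(?:\s+\d)?\s+(\S+)", re.I)),
    ("aaa server key",       re.compile(r"^\s*(?:tacacs|radius)-server\s+key(?:\s+\d)?\s+(\S+)", re.I)),
    ("peer address",         re.compile(r"^\s*neighbor\s+(\d{1,3}(?:\.\d{1,3}){3})\s+remote-as", re.I)),
    ("peer address",         re.compile(r"^\s*crypto\s+isakmp\s+key\s+\S+\s+address\s+(\S+)", re.I)),
    ("internal addressing",  re.compile(r"^\s*ip\s+address\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+", re.I)),
]

# Factory-default names carry no owner information and must not fail the audit.
DEFAULT_HOSTNAMES = {"router", "switch"}

# Cisco type 7 "encryption" is a fixed-key XOR and is reversible; a key stored this way
# is cleartext-equivalent. This is the widely documented algorithm, not ESET's code.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit seed, then hex bytes XORed with the fixed key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body)).decode()


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    value: str
    note: str = ""


def audit_config(text: str) -> list[Finding]:
    """Return every line of a config export that still carries residual owner data."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            value = m.group(1)
            if category == "owner identity" and value.lower() in DEFAULT_HOSTNAMES:
                continue
            note = ""
            # A "password 7" / "key 7" line is reversible, so show what an attacker gets.
            if re.search(r"\s(?:password|key)\s+7\s", line):
                note = "type 7, reversible: " + decode_type7(value)
            findings.append(Finding(line_no, category, value, note))
    return findings


def is_sanitized(text: str) -> bool:
    """True when the export contains nothing that identifies the previous owner."""
    return not audit_config(text)


# Constructed sample: what an export from a router pulled from a rack and resold without
# being wiped might contain (RFC 5737 documentation addresses, made-up hashes and keys).
SAMPLE_CONFIG = """\
!
hostname EDGE-RTR-01
ip domain-name corp.example
!
enable secret 5 $1$abcd$WvYkL2oUjs9WxqpF7HfZl1
username netops privilege 15 secret 5 $1$xyz1$Q8lN0rZ2kPvU3s5Wa9YHE.
!
snmp-server community publicRO RO
snmp-server community s3cr3tRW RW
!
crypto isakmp key Sit3ToS1te!Key address 203.0.113.10
!
router bgp 65010
 neighbor 198.51.100.1 remote-as 65020
 neighbor 198.51.100.1 password 7 094F471A1A0A
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Constructed sample: the same device after a factory reset, as the audit should see it.
WIPED_CONFIG = """\
!
hostname Router
!
interface GigabitEthernet0/0
 no ip address
 shutdown
!
end
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2}  {f.category:<21} {f.value}  {f.note}")
    print("wiped config passes audit:", is_sanitized(WIPED_CONFIG))
```

Run against the constructed export, the audit reports eleven residual items, including the BGP neighbour password, which the type 7 decoder turns straight back into the cleartext `cisco`; the factory-reset export passes. A script like this belongs in the decommissioning checklist as the certified, auditable evidence that the wipe actually happened, rather than relying on a third party's assurance.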