Refurbished Routers Contain Sensitive Corporate Data
Eset Finds Customer Info, VPN Credentials & Authentication Keys on Used Routers
Sanitizing IT gear before decommissioning is well-trod cybersecurity advice given to corporations everywhere, and yet many persist in disposing of equipment still laden with sensitive data.
Cybersecurity firm Eset said it wasn't looking to add to the copious literature of researchers discovering hidden secrets on secondhand equipment. But an unrelated lab experiment involving more than a dozen used routers nonetheless revealed a wealth of useful information for a cyberattack, company researchers wrote in a report.
More than half of the examined secondhand routers still held the configurations from their previous deployment, data that could enable threat actors to access the prior owners' network configurations.
Eset analyzed 16 distinct network devices from medium-sized businesses and found nine devices still held sensitive data.
"Over 56% of the core routers Eset purchased from secondary market vendors contained sensitive data, including corporate credentials, VPN details, cryptographic keys and more," researchers said.
A breakdown of the nine routers containing previous configurations shows:
- 22% contained customer data.
- 33% exposed data allowing third-party connections to the network.
- 44% had credentials for connecting to other networks as a trusted party.
- 89% itemized connection details for specific applications.
- 89% contained router-to-router authentication keys.
- 100% contained IPsec or VPN credentials, hashed root passwords, or both.
- 100% had sufficient data to reliably identify the former owner/operator.
Cameron Camp, the Eset security researcher who led the project, told Information Security Media Group the research came about after the team began a test scenario analyzing Microsoft Exchange and RDP attacks. They noticed that a router bought for the scenario still had data on it.
"We soon realized this was both unintended and potentially very compromising for the original owner, possibly with legal ramifications for them. The consequences of a company's router on the open market still containing secrets in it that radically shorten the time to attack and allow access to one of the most rich sets of data - opening up the numerous ways to get access for a bad actor," Camp said.
A majority of the devices the researchers obtained from the secondary market held a "digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors and customers."
Eset disclosed the findings to each identified organization. Some didn't respond, "while others showed proficiency, handling the event as a full-blown security breach," Camp said.
Tony Anscombe, chief security evangelist at Eset, who led the research along with Camp, said the findings show that many companies clearly aren't following decommissioning protocols.
"Exploiting a vulnerability or spear-phishing for credentials is potentially hard work. But our research shows that there is a much easier way to get your hands on this data and more," Anscombe said.