When decommissioning their old hardware, many companies ‘throw the baby out with the bathwater’
Taking a defunct router out of an equipment rack and sliding in a shiny new replacement is probably an everyday occurrence in many business networking environments. However, the fate of the router being discarded should be as important, if not more so, as the smooth transition and implementation of the new kit in the rack. Unfortunately, this appears often not to be the case.
When the ESET research team purchased a few used routers to set up a test environment, there was shock among team members when they found that, in many cases, previously used configurations had not been wiped, and, worse, the data on the devices could be used to identify the prior owners along with the details of their network configurations.
This led us to conduct a more extensive test, purchasing more used devices and adopting a simple methodology to see if data still existed on them. A total of 18 routers were acquired; one was dead on arrival, and two were a mirrored pair that we counted as a single unit. After these adjustments, we discovered configuration details and data on over 56% of the devices.
In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack. A bad actor could have gained the initial access required to start researching where the company’s digital assets are located and what might be valuable. We are all likely aware what comes next in this scenario.
The change in recent years to the methods used by bad actors to conduct cyberattacks on businesses for the purposes of monetization is well documented. Switching to a more advanced persistent threat style of attack has seen cybercriminals establishing an entry point and a foothold into networks. They then spend time and resources conducting sophisticated extraction of data, exploring methods to circumvent security measures, and then ultimately bringing a business to its knees by inflicting a damaging ransomware attack or other cyber-nastiness.
The initial unauthorized incursion into a company network has a value: the current average price for access credentials to corporate networks, according to research by KELA Cybercrime Prevention, is around $2,800. This means that a used router purchased for a few hundred dollars, which without too much effort provides network access, could provide a cybercriminal with a significant return on investment. That’s assuming they just strip the access data and sell it on a dark web market, as opposed to launching a cyberattack themselves.
A concerning element of this research was the lack of engagement from companies when we attempted to alert them to the issue(s) of their data being accessible in the public domain. Some were receptive to the contact, a few confirmed the devices had been passed to companies for secure destruction or wiping – a process that had clearly not taken place – and others just ignored the repeated contact attempts.
The lessons that should be taken from this research are that any device leaving your company needs to have been cleansed, and that the process of cleansing needs to be certified and regularly audited to ensure your company’s crown jewels are not being openly sold in public secondhand hardware markets.
We have published the details – all but the companies’ names and any data that would make them identifiable – in a white paper. The white paper also contains guidance on the process that should be followed, including references to NIST Special Publication 800-88r1, Guidelines for Media Sanitization. We strongly recommend reading the details and using our findings as a nudge to check the process in your own organization, to ensure no data is unintentionally disclosed.
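As an added illustration of the kind of pre-disposal check the last two paragraphs call for, here is a small Python audit script. It is example code written for this page, not ESET's test methodology and not a tool from the white paper. It scans an exported router configuration (the text an operator would save from a "show running-config" style command) for the classes of leftover data the research found: hostnames, local credentials, router-to-router VPN pre-shared keys, SNMP communities, AAA server keys and interface addressing. The sample configuration, the rule set and the category names are all constructed for the example; a real audit would extend the rules to the vendor's syntax and run against the actual export taken before a device leaves the rack.

```python
import re
from dataclasses import dataclass

# Constructed sample of a Cisco IOS-style running-config, as an operator would
# export before decommissioning. Hostname, addresses and key material are made
# up for this example and are not taken from any real device.
SAMPLE_CONFIG = """\
!
hostname EXAMPLE-BRANCH-RTR01
!
enable secret 5 $1$abcd$EXAMPLEHASHEXAMPLEHASH0
username netadmin privilege 15 secret 5 $1$wxyz$EXAMPLEHASHEXAMPLEHASH1
!
crypto isakmp key ExampleSharedKey123 address 198.51.100.7
!
interface GigabitEthernet0/0
 description Uplink to HQ
 ip address 203.0.113.2 255.255.255.252
!
snmp-server community ExampleCommunity RO
tacacs-server host 192.0.2.10 key ExampleTacacsKey
!
end
"""

# Hypothetical rule set: (category, regex). A named group "secret" marks the
# part that must never appear in the audit report; "value" is context only.
RULES = [
    ("identity", re.compile(r"^hostname\s+(?P<value>\S+)")),
    ("local-credential",
     re.compile(r"^(enable|username\s+\S+.*?)\s+(secret|password)\s+(?:\d\s+)?(?P<secret>\S+)")),
    ("vpn-preshared-key",
     re.compile(r"^crypto isakmp key\s+(?P<secret>\S+)\s+address\s+(?P<value>\S+)")),
    ("snmp-community", re.compile(r"^snmp-server community\s+(?P<secret>\S+)")),
    ("aaa-server-key",
     re.compile(r"^(tacacs|radius)-server host\s+(?P<value>\S+).*\bkey\s+(?P<secret>\S+)")),
    ("addressing", re.compile(r"^\s*ip address\s+(?P<value>\d+\.\d+\.\d+\.\d+)")),
]


@dataclass
class Finding:
    category: str
    line_no: int
    text: str  # the matching line with any secret replaced by <redacted>


def redact(line, match):
    """Replace the captured secret, if any, so the report itself leaks nothing."""
    if match.groupdict().get("secret"):
        start, end = match.span("secret")
        return line[:start] + "<redacted>" + line[end:]
    return line


def audit_config(config_text):
    """Return one Finding per config line that still carries residual data."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for category, rule in RULES:
            match = rule.match(line)
            if match:
                findings.append(Finding(category, line_no, redact(line, match).strip()))
                break  # one category per line is enough for the report
    return findings


def summarize(findings):
    """Count findings per category for the audit record."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def cleared_for_disposal(findings):
    """A device passes this check only when the export carries nothing at all:
    identity and addressing are enough to tie the unit to its former owner."""
    return not findings


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.line_no:>3}  {f.category:<18} {f.text}")
    print("summary:", summarize(results))
    print("cleared for disposal:", cleared_for_disposal(results))
```

A clean scan of the exported configuration is only one piece of evidence for the audit trail; the sanitization record for the device's flash storage, produced per NIST 800-88r1, is the other, and both belong in the file for the unit before it is handed to a disposal vendor.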