
Hackers can use second-hand core routers and other corporate networking equipment to infiltrate an enterprise's internal systems. In practice, these devices are not properly wiped, leaving corporate data, VPN data, encryption keys and other sensitive data available. In the wrong hands, this allows hackers to launch a cyber attack and steal confidential data.
This is according to research by ESET.
Organizations regularly recycle dated network equipment through outside parties. In that case, it is important that confidential data be removed from the devices. But does that happen in practice? ESET put it to the test.
The cybersecurity firm purchased 16 different used network devices and studied configuration data. Researchers saw that more than half of the devices purchased (56 percent) contained sensitive corporate data. That included customer data, data for third parties to connect to the corporate network, connection data for specific applications, router-to-router authentication keys and hashed root passwords.
The routers in the study came from organizations ranging from medium-sized companies to global multinationals in a variety of industries, including data centers, law firms and software developers. ESET approached the affected companies about its findings. Some reacted with shock. Some organizations did not respond at all, even when ESET tried several times to contact them.
Research director Cameron Camp calls the findings troubling. "We would expect medium to enterprise companies to have a strict set of security initiatives in place to put devices out of commission, but we saw the opposite," he says.
In his view, organizations need to be much more aware of the potential dangers they are exposing themselves to. The data the researchers found represents a kind of "digital blueprint" of a company. Hackers can misuse such data to gain unauthorized access to a company's network systems, and thus to sensitive and confidential customer and company data.
"There are well-documented processes and guidelines for proper hardware decommissioning. This research shows that many companies are not strictly following them when preparing devices for the used hardware market," said Tony Anscombe, Chief Security Evangelist at ESET.
He emphasizes that hackers often have to go to great lengths to exploit a vulnerability or carry out a spearphishing attack. Not removing sensitive data from network devices makes it a lot easier for attackers.
"We urge organizations involved in device disposal, data destruction and device resale to scrutinize their processes and ensure they meet the latest NIST standards for media cleanup," Anscombe explained.
ESET recommends wiping corporate data not just from routers and hard drives. Companies and organizations should do so for every device that was ever part of an internal network.
"Many organizations in this study likely thought they had contracted with reputable vendors, yet their data leaked out. With this in mind, it is recommended that organizations follow the manufacturer's guidelines for removing all data from a device before it physically leaves the premises," the security firm writes.
Camp and Anscombe will present the findings of the study in detail today at the RSA Conference 2023, to be held April 24-27 in San Francisco.
