Over half (56%) of corporate network devices sold second-hand still contain sensitive company data, according to a new study from ESET.
The security vendor bought 16 recycled routers and found that nine of them contained one or more IPsec or VPN credentials, or hashed root passwords, as well as enough information to identify the previous owner.
This information could theoretically allow threat actors who got hold of the devices to gain network access to the organization that recycled the router, ESET claimed.
Some of the analyzed routers also contained:
- Customer data
- Credentials for connecting to other networks as a trusted party
- Connection details for specific applications
- Router-to-router authentication keys
More specifically, the researchers found the complete maps of major local and cloud-based application platforms used by organizations that previously owned the routers. These ranged from corporate email to physical building security and business applications.
ESET researchers were able to work out over which ports and from which hosts those apps communicate and theoretically could have probed for known vulnerabilities, the vendor claimed.
In some cases they were also able to map network topology, including the location of remote offices and operators, which could be used in subsequent exploitation efforts.
The end result of this failure to properly decommission was to expose many of these companies, their customers and partners to elevated cyber risk.
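As an added illustration (not part of the ESET study or this article), a pre-disposal check that scans an exported, Cisco IOS-style router configuration for the categories of leftover data named above: VPN/IPsec credentials, hashed passwords, router-to-router authentication keys and SNMP communities. The config syntax and pattern set are assumptions, and the sample config and every key or hash in it are constructed dummies.

```python
import re

# Patterns for the categories of leftover data the study lists
# (VPN/IPsec credentials, hashed passwords, router-to-router auth keys).
# Cisco IOS-style syntax is assumed; other vendors need their own patterns.
REMNANT_PATTERNS = {
    "ipsec_vpn_credential": [
        re.compile(r"^\s*crypto isakmp key\s+\S+", re.I),
        re.compile(r"^\s*pre-shared-key\b", re.I),
    ],
    "hashed_password": [
        re.compile(r"^\s*enable secret\s+\d\s+\S+", re.I),
        re.compile(r"^\s*username\s+\S+.*\bsecret\s+\d\s+\S+", re.I),
    ],
    "router_auth_key": [
        re.compile(r"^\s*ip ospf message-digest-key\s+\d+\s+md5\s+\S+", re.I),
        re.compile(r"^\s*neighbor\s+\S+\s+password\s+\S+", re.I),
    ],
    "snmp_community": [
        re.compile(r"^\s*snmp-server community\s+\S+", re.I),
    ],
}

def find_remnants(config_text):
    """Return (category, line_no, line) for every line that still carries a secret."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for category, patterns in REMNANT_PATTERNS.items():
            if any(p.search(line) for p in patterns):
                hits.append((category, line_no, line.strip()))
                break  # one category per line is enough for a disposal gate
    return hits

def safe_to_release(config_text):
    """True only when the exported config shows none of the remnant categories."""
    return not find_remnants(config_text)

# Constructed sample config (not from the study); hashes, keys and peers are dummies.
SAMPLE_CONFIG = """\
hostname EDGE-RTR-01
enable secret 5 $1$DUMMY$abcdefghijklmnopqrstu
username admin privilege 15 secret 5 $1$DUMMY$abcdefghijklmnopqrstu
crypto isakmp key DummyPSK address 203.0.113.10
snmp-server community public RO
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 DummyOspfKey
router bgp 65001
 neighbor 203.0.113.20 password DummyBgpKey
ip route 10.20.0.0 255.255.0.0 10.0.0.1
"""

if __name__ == "__main__":
    for category, line_no, line in find_remnants(SAMPLE_CONFIG):
        print(f"line {line_no}: {category}: {line}")
```

A clean export is necessary but not sufficient: the device must still be factory-reset and its flash and any secondary storage wiped, since credentials can persist outside the running config.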
The routers were originally owned by mid-sized and global organizations operating across multiple verticals, including datacenter providers, law firms, tech vendors, manufacturers, creative firms and software developers.
Although some handled the event as a serious data breach, others apparently failed to reply to ESET’s repeated attempts to notify them.
Research lead Cameron Camp said the findings should serve as a wake-up call, whether firms dispose of devices themselves or contract an e-waste company to do so.
“We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite,” he added.
“Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors and customers.”