Over 56% of second-hand core routers analyzed by ESET contained sensitive data, including credentials, VPN details and cryptographic keys. The research shows that companies do not follow adequate security processes when retiring hardware.
ESET, a global European leader in the cybersecurity market, has presented new research on corporate network devices disposed of and sold on the secondary market. After examining configuration data from 16 network devices, ESET found that more than 56 percent – nine routers – contained sensitive corporate data.
Of the nine networks that had complete configuration data available:
– 22% contained customer data
– 33% exposed data that allowed third-party connections to the network
– 44% contained credentials for connecting to other networks as trusted entities
– 89% reported connection details for specific applications
– 89% contained router-to-router authentication keys
– 100% contained one or more IPsec or VPN credentials or hashed root passwords
– 100% contained data useful for identifying the previous owner/operator.
"The potential impact of the findings gleaned through this analysis is extremely concerning and should be a wake-up call," said Cameron Camp, the ESET researcher who led the project. "We take it for granted that mid-sized and large companies take a series of strong security initiatives when disposing of devices, but we've found the opposite. Organizations need to be much more aware of what remains on the devices they discard, as the majority of devices we recovered from the secondary market contained a digital footprint of the company involved, including, but not limited to, critical network information, application data, corporate credentials, and partner, vendor, and customer information."
Organizations often recycle obsolete devices through third-party companies that are tasked with verifying the destruction or safe recycling of digital equipment and the disposal of the data it contains. Whether through an error by the e-waste handler or a gap in the company's own disposal processes, a range of data was found on the routers, including:
– Third party data: As we've seen in real-world cyberattacks, a breach of a company's network can spread to customers, partners, and other companies connected to it.
– Trusted partner: Trusted partners (who could be impersonated as a secondary attack vector) would accept the certificates and cryptographic tokens present on these devices, enabling an adversary in the middle (AitM) attack with trusted credentials, capable of stealing company secrets, with victims remaining unaware for long periods.
– Customer data: In some cases, the core routers pointed to repositories of specific customer information, sometimes stored on-site, which could expose those customers to security issues if an attacker obtained specific information about them.
– Specific applications: Complete maps of the main application platforms used by specific organizations, both on-premises and in the cloud, were found in the device configurations. These ranged from corporate email to customer portals to physical building security, to name just a few. Furthermore, ESET researchers were able to determine on which ports and from which hosts the applications communicate, and which hosts are trusted and which are not. Given this level of application detail, known vulnerabilities could be exploited across a network topology that an attacker had already mapped.
– Basic routing information: From the core network to BGP peering, OSPF, RIP and more, ESET found layouts of various organizations' internal processes, complete with network topology information that could be exploited if it fell into the hands of an adversary. The configurations also contained the locations of many remote offices and operators, including their relationship to corporate headquarters – more very valuable data for potential adversaries.
– Trusted operators: Devices contained potentially recoverable or reusable corporate credentials, including administrator logins, VPN details and cryptographic keys, which would allow attackers to pose as trusted actors and gain access to the network.
"There are well-documented processes for properly disposing of hardware, but this research shows that many companies do not rigorously follow them," said Tony Anscombe, Chief Security Evangelist at ESET. "Exploiting a vulnerability or spearphishing to obtain credentials is not easy. But the investigation results show that there is a very simple way to get to this data. We urge organizations involved in disposing of devices and reselling them to carefully review their processes and ensure that they comply with the latest NIST standards for media sanitization."
The routers covered in this research come from organizations ranging from midsize businesses to global enterprises across a variety of industries (data centers, law firms, third-party technology providers, manufacturing and IT companies, creative businesses, and software developers). Throughout the investigation, ESET, where possible, disclosed its findings to the identified organizations, many of which are world-renowned, working to ensure they were aware of the potentially compromised details in the chain of custody of the devices. Some affected companies did not respond to ESET's repeated contact attempts, while others proved competent, handling the event as a genuine security breach.
Organizations are reminded to check that they are using a trusted and competent third party to dispose of devices, or that all necessary precautions are taken if they handle the decommissioning themselves. This should extend beyond routers and hard drives to every device that is part of the network. Many organizations that featured in this research likely believed they had contracts with reputable operators, but their data leaked anyway. For this reason, organizations are advised to follow vendor guidelines for removing all data from a device before it physically leaves the premises, a simple operation that IT staff can perform. They should also treat disclosure notifications seriously; otherwise, they risk a costly data breach and reputational damage.
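A decommissioning check that complements the vendor wipe: before a device leaves the premises, scan its exported configuration for the residual data categories the research lists above. This is an added example, not ESET's tooling; the Cisco-IOS-style directive patterns and the sample configuration are this example's own constructed assumptions.

```python
import re

# Residual data categories from the research, mapped to Cisco-IOS-style
# directives. The directive list is an assumption of this example; extend it
# for the platforms actually in use.
SENSITIVE_PATTERNS = {
    "local credentials": re.compile(r"^\s*(username\s+\S+\s+.*(secret|password)|enable\s+(secret|password))\b"),
    "IPsec/VPN pre-shared keys": re.compile(r"^\s*crypto\s+isakmp\s+key\b"),
    "router-to-router auth keys": re.compile(r"^\s*(neighbor\s+\S+\s+password|ip\s+ospf\s+(message-digest-key|authentication-key)|key-string)\b"),
    "management secrets": re.compile(r"^\s*(snmp-server\s+community|tacacs-server\s+key|radius-server\s+key)\b"),
    "owner-identifying data": re.compile(r"^\s*(hostname|ip\s+domain[- ]name|banner\s+\S+)\b"),
}

def audit_config(config_text):
    """Return {category: [line numbers]} for every sensitive directive found."""
    findings = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.match(line):
                findings.setdefault(category, []).append(lineno)
    return findings

def is_safe_to_release(config_text):
    """A device may leave the premises only when the audit finds nothing."""
    return not audit_config(config_text)

# Constructed sample: a running-config as left on a device that was never wiped.
# All secrets are obvious placeholders, not real values.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip domain-name example.invalid
enable secret 5 $1$EXAMPLE$placeholderhash
username netadmin secret 9 $9$placeholderhash
snmp-server community PLACEHOLDER_RO RO
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
router bgp 65000
 neighbor 198.51.100.2 remote-as 65001
 neighbor 198.51.100.2 password PLACEHOLDER_BGP
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 PLACEHOLDER_OSPF
"""

if __name__ == "__main__":
    for category, lines in audit_config(SAMPLE_CONFIG).items():
        print(f"{category}: lines {lines}")
    print("safe to release:", is_safe_to_release(SAMPLE_CONFIG))
```

An empty audit is evidence that the reset actually took effect, not a substitute for the vendor's documented erase procedure and the NIST SP 800-88 sanitization the quote above refers to.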
The research results will be presented by Camp and Anscombe at RSA 2023 during the conference “We (Could Have) Cracked Open the Network for Under $100” on April 24, 2023, at 9:40 am.
The white paper, which includes information on safely disposing of devices, is available at WeLiveSecurity.com.