More than half of second-hand network devices hold sensitive data
A study conducted by ESET reveals that 56% of second-hand corporate network devices still contain sensitive company data.
The security vendor purchased 16 recycled routers and found that nine of them contained IPsec or VPN credentials, hashed root passwords, and other critical information that could be used to identify the previous owner. This information theoretically allows cyber attackers who get hold of the devices to gain network access to the organization that recycled the router.
The routers, which included models by Cisco, Fortinet and Juniper Networks, contained confidential data, network information, and credentials that could easily be used to determine the previous owner. Among the data were hashed root administrator passwords, VPN and secure network communication credentials, and router-to-router authentication keys. Moreover, eight of the routers contained data about connecting to other organizations’ networks, and two contained customer data.
The study further disclosed that some of the routers analyzed contained sensitive data such as customer data, credentials for connecting to other networks as a trusted party, connection details for specific applications, and router-to-router authentication keys. ESET researchers found complete maps of major local and cloud-based application platforms previously used by organizations that owned the routers. These included corporate email, physical building security, and business applications.
ESET researchers were also able to map the network topology, including the location of remote offices and operators, which could be used for subsequent exploitation efforts. This failure to properly decommission the routers exposed many of these companies, their customers, and partners to elevated cyber risk.
The routers analyzed were originally owned by mid-sized and global organizations operating across various sectors, including data center providers, law firms, tech vendors, manufacturers, creative firms, and software developers. Although some of the organizations handled the event as a serious data breach, others failed to reply to ESET’s repeated attempts to notify them.
The sources for this piece include an article in InfoSecurity.