Researchers at security company ESET found that more than half of the used business routers purchased for testing were improperly cleaned by their previous owners and stored numerous credentials and confidential data about the institutions they belonged to.
The researchers purchased 18 used routers from major vendors Cisco, Fortinet and Juniper Networks and found that nine of them were fully accessible and uncleaned, while only five had been properly cleaned.
Rich in sensitive data
Unprotected devices contained credentials for the company’s private VPN network, credentials for other secure network communication services, administrator passwords, router-to-router authentication keys, and information about how the router connected to specific applications used by the previous owner. Some devices have also disclosed credentials for connecting to other organizations’ networks and even customer data.
Golden routers for cybercriminals
Researchers warn of the wealth of information contained in these used routers that could prove valuable to cybercriminals and government-backed hackers. Indeed, corporate application credentials, network credentials, encryption keys, and details about the operation of a corporate network are extremely valuable in dark web markets and criminal forums.
This information can be used for various malicious purposes, e.g. B. to launch ransomware attacks, spy campaigns or identity theft scams. Researchers also found information about the physical security of former owners’ offices on some routers, highlighting the risks associated with improper cleaning of network equipment.
Undeniable neglect by companies for their legacy devices
The researchers note that companies must take responsibility for properly wiping their network equipment before reselling or disposing of it. They warn that third-party device management, e-waste disposal, or device cleaning services do not always properly erase data from these devices, as they claim. The researchers also note that consumer routers often offer encryption and other security features that businesses can use to mitigate the risk of data disclosure if devices fall into the wrong hands.
Routers that need to be reset
The researchers tried to contact the former owners of the used routers they purchased to warn them about the data disclosure, but found that some companies didn’t respond or didn’t have mechanisms to report the findings.
The researchers urge companies to be more vigilant when it comes to properly wiping their network devices and take the necessary steps to prevent sensitive data from falling into the wrong hands.