Used routers often come loaded with corporate secrets
You know that you’re supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there’s a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn’t fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to.
The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.
All nine of the unprotected devices contained credentials for the organization’s VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been.
Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other organizations—like trusted partners, collaborators, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner’s network. And two directly contained customer data.
“A core router touches everything in the organization, so I know all about the applications and the character of the organization—it makes it very, very easy to impersonate the organization,” says Cameron Camp, the ESET security researcher who led the project. “In one case, this large group had privileged information about one of the very large accounting firms and a direct peering relationship with them. And that’s where to me it starts to get really scary, because we’re researchers, we’re here to help, but where are the rest of those routers?”