A pair of security researchers recently stumbled onto an alarming statistic — it would appear that perhaps half of the discarded routers currently on the second-hand market are unwiped and still hold a dangerous amount of corporate network information.
The researchers, from security company ESET, were setting up a test environment using second-hand rack-mounted routers. In the process, they discovered that the previous owners’ network configurations were still on the hardware, along with data that could easily be used by threat actors to identify who had been using the router.
The next step was obvious — buy more routers to see if the incident was a unique one.
It was, alarmingly, not.
The researchers bought another 18 routers, only to discover pre-existing configuration details and data on over half of them.
“In the wrong hands, the data gleaned from the devices — including customer data, router-to-router authentication keys, application lists, and much more — is enough to launch a cyber attack. A bad actor could have gained the initial access required to start researching where the company’s digital assets are located and what might be valuable,” the researchers said in a blog post.
“We are all likely aware what comes next in this scenario.”
Beyond the threat of direct action, there is the fact that this network data is out there and easily affordable — the rack-mounted routers go for just a few hundred dollars on the second-hand market. With the going rate for such data being about US$2,800 on the dark web, a criminal could make a surprising amount of money simply by on-selling what they find on old routers, without ever engaging in hacking activities themselves.
What the researchers found even more concerning was the reaction of the companies whose old routers they had found. When contacted, some understood the risk they were running, while others admitted that they had handed over their hardware for wiping by a third party — which clearly had not done the job they promised.
However, some simply ignored the researchers. Some companies just didn’t seem to care about hardware that was, apparently, no longer their responsibility.
“The lessons that should be taken from this research are that any device leaving your company needs to have been cleansed and that the process of cleansing needs to be certified and regularly audited to ensure your company’s crown jewels are not being openly sold in public second-hand hardware markets,” the researchers said.
You can read the full report here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.