You know that you're supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there's a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn't fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to.
The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.
All nine of the unprotected devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been.
Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other organizations—like trusted partners, collaborators, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two directly contained customer data.
“A core router touches everything in the organization, so I know all about the applications and the character of the organization—it makes it very, very easy to impersonate the organization,” says Cameron Camp, the ESET security researcher who led the project. “In one case, this large group had privileged information about one of the very large accounting firms and a direct peering relationship with them. And that’s where to me it starts to get really scary, because we’re researchers, we’re here to help, but where are the rest of those routers?"
The big danger is that the wealth of information on the devices would be valuable to cybercriminals and even state-backed hackers. Corporate application logins, network credentials, and encryption keys have high value on dark web markets and criminal forums. Attackers can also sell information about individuals for use in identity theft and other scamming.
Details about how a corporate network operates and the digital structure of an organization are also extremely valuable, whether you're doing reconnaissance to launch a ransomware attack or plotting an espionage campaign. For example, routers may reveal that a particular organization is running outdated versions of applications or operating systems that contain exploitable vulnerabilities, essentially giving hackers a road map of possible attack strategies. And the researchers even found details on some routers about the physical building security of the previous owners' offices.
Since secondhand equipment is discounted, it would potentially be feasible for cybercriminals to invest in purchasing used devices to mine them for information and network access and then use the information themselves or resell it. The ESET researchers say that they debated whether to release their findings, because they didn't want to give cybercriminals new ideas, but they concluded that raising awareness about the issue is more pressing.
“One of the big concerns I have is that, if somebody evil isn’t doing this, it's almost hacker malpractice, because it would be so easy and obvious,” Camp says.
Eighteen routers is a tiny sample out of the millions of enterprise networking devices circulating around the world on the resale market, but other researchers say they've repeatedly seen the same issues in their work as well.
“We’ve purchased all sorts of embedded devices online on eBay and other secondhand sellers, and we’ve seen a lot that have not been digitally wiped,” says Wyatt Ford, engineering manager at Red Balloon Security, an internet-of-things security firm. “These devices can contain troves of information that can be used by bad actors in targeting and carrying out attacks.”
As in the ESET findings, Ford says that Red Balloon researchers have found passwords and other credentials and personally identifying information. Some data like usernames and configuration files are usually in plaintext and easily accessible, while passwords and configuration files are often protected because they are stored as scrambled cryptographic hashes. But Ford points out that even hashed data is still potentially at risk.
“We’ve taken password hashes found on a device and cracked them offline—you’d be surprised how many people still base their passwords off their cats,” he says. “And even things that seem innocuous like source code, commit history, network configurations, routing rules, et cetera—they can be used to learn more about an organization, its people, and its network topology.”
The ESET researchers point out that organizations may think they're being responsible by contracting with outside device-management firms. e-waste disposal companies, or even device-sanitization services that claim to wipe big batches of enterprise devices for resale. But in practice, these third parties may not be doing what they claim. And Camp also notes that more organizations could take advantage of encryption and other security features that are already offered by mainstream routers to mitigate the fallout if devices that haven't been wiped end up loose in the world.
Camp and his colleagues tried to contact the old owners of the used routers they bought to warn them that their devices were now out in the wild spewing their data. Some were grateful for the information, but others seemed to ignore the warnings or offered no mechanism through which researchers could report security findings.
“We used trusted channels that we had to some companies, but then we found a lot of other companies are far more difficult to get a hold of,” Camp says. “Frighteningly so.”
