
ESET: “A lot of trade secrets and data on used company routers”

  • April 21, 2023

More than 56 percent of the core routers ESET purchased from second-hand retailers contained a wealth of sensitive data, including corporate credentials, VPN data, cryptographic keys and more.

After reviewing the configuration data from 16 different routers, ESET determined that nine routers contained sensitive business data. An overview:

  • 22% contained customer data
  • 33% exposed data that enabled third-party connections to the network
  • 44% held credentials to connect to other networks as a relying party
  • 89% listed detailed connection details for specific applications
  • 89% contained router-to-router authentication keys
  • 100% contained one or more IPsec or VPN credentials or hashed root passwords
  • 100% held sufficient data to reliably identify the previous owner or operator

“Despite the small sample size, it goes without saying that the potential impact of our findings should be a wake-up call,” says Cameron Camp, the ESET researcher who led the project. “We would expect medium to large organizations to have a strict set of security processes in place to decommission devices, but we’ve found the opposite.”

“Businesses need to be much more aware of what remains on the devices they discard, as most devices we’ve bought on the used market contain a digital blueprint of the company in question, including but not limited to core network information, application data, company references, and information about partners, suppliers and customers.”

Unclear recycling

Organizations often recycle obsolete technology through third-party companies, which are tasked with verifying the secure destruction or recycling of digital devices and the deletion of the data they contain. Whether the fault lay with an e-waste company or with the organization's own disposal processes, the data found on the routers included:

  • Third-party data: As with real-world cyberattacks, a breach in a company’s network can spread to its customers, partners, and other companies with which it may be connected.
  • Trusted parties: Trusted parties (which could be impersonated as a secondary attack vector) would accept certificates and cryptographic tokens found on these devices, allowing for a highly convincing attacker-in-the-middle (AitM) attack with trusted credentials, capable of hijacking trade secrets while victims remain unaware for extended periods of time.
  • Specific apps: Complete overviews of the major application platforms used by organizations, both on-premises and in the cloud, were scattered liberally throughout the configurations of these appliances. These applications range from corporate email to trusted customer tunnels, physical building security, certain proximity card providers and topologies, and certain surveillance camera networks, as well as merchant, point-of-sale and customer platforms, to name a few. In addition, ESET researchers were able to determine through which ports and from which hosts these apps communicate, which ones they trust and which ones they don’t. Because of the granularity of the app data, and the specific versions listed in some cases, known vulnerabilities could be exploited across a network topology that an attacker would already have mapped.
  • Extended core routing information: From core network routes to BGP peering, OSPF, RIP and others, ESET found complete layouts of the inner workings of various organizations that would provide extensive network topology information for later use should the devices fall into the hands of an attacker. Recovered configurations also include nearby and international locations of many remote branches and operators, including their relationship to headquarters, which is further data that can be extremely valuable to potential competitors. IPsec tunneling can be used to connect trusted routers together, which can be part of peering agreements for WAN routers and the like.
  • Trusted operators: The devices were loaded with potentially crackable or easily reusable corporate credentials, including administrator logins, VPN credentials, and cryptographic keys, that would allow fraudsters to become trusted entities and easily gain access to the entire network.
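
A pre-disposal check for the data categories listed above, as an added example (not ESET's tooling and not part of the original article). It assumes Cisco IOS-style configuration syntax, which the article does not specify; the rule set, function names and sample configuration are constructed for illustration and are not exhaustive.

```python
import re

# Categories mirror the article's list. Patterns assume Cisco IOS-style
# syntax (an assumption of this example) and are illustrative, not exhaustive.
RULES = [
    ("local credential / password hash",
     re.compile(r"^\s*(enable (secret|password)|username \S+ .*(secret|password))\b", re.I)),
    ("IPsec/VPN pre-shared key",
     re.compile(r"^\s*(crypto isakmp key|pre-shared-key)\b", re.I)),
    ("router-to-router authentication key",
     re.compile(r"^\s*(neighbor \S+ password|ip ospf (message-digest-key|authentication-key)|key-string)\b", re.I)),
    ("management community string",
     re.compile(r"^\s*snmp-server community\b", re.I)),
    ("routing topology",
     re.compile(r"^\s*router (bgp|ospf|rip|eigrp)\b", re.I)),
    ("owner-identifying data",
     re.compile(r"^\s*(hostname|ip domain[- ]name|banner|snmp-server (location|contact))\b", re.I)),
]

def audit_config(text):
    """Return {category: [line numbers]} for data that should be gone before disposal."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RULES:
            if pattern.search(line):
                findings.setdefault(category, []).append(lineno)
    return findings

def safe_to_dispose(text):
    """A device passes only if the audit finds nothing at all."""
    return not audit_config(text)

# Constructed sample configuration: not taken from any real device.
SAMPLE = """\
hostname edge-rtr-example
enable secret 5 $1$EXAMPLE$notarealhashvalue000000
username admin privilege 15 secret 5 $1$EXAMPLE$notarealhashvalue111111
crypto isakmp key ExamplePSK address 192.0.2.10
snmp-server community examplecommunity RO
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.1 password 7 0000000000
router ospf 1
"""

if __name__ == "__main__":
    for category, lines in audit_config(SAMPLE).items():
        print(f"{category}: lines {lines}")
    print("safe to dispose:", safe_to_dispose(SAMPLE))
```

A clean result from a text scan only covers the configuration that was read; it does not replace the vendor's documented factory-reset or media-sanitization procedure for the device.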

The routers in this study came from organizations ranging from mid-market to global companies across a variety of industries (data centers, law firms, third-party technology providers, manufacturing and technology companies, creative companies, and software developers).

Source: IT Daily
