
Used routers often have corporate secrets already on them

More than half of the used business routers that researchers bought didn't have their data erased. This meant that private information like login credentials and customer data was still there.

You know that before you sell your phone or laptop or give it to your cousin, you should wipe it clean. After all, there's a lot of important personal information on there that should stay under your control. Businesses and other institutions need to do the same thing and delete their information from PCs, computers, and network equipment so it doesn't get into the wrong hands. Next week, though, researchers from the security company ESET will show at the RSA security conference in San Francisco that more than half of the used business routers they bought to test had been left untouched by their previous owners. And the devices were full of network details, passwords, and private information about the institutions they had belonged to.

The researchers bought 18 used routers made by Cisco, Fortinet, and Juniper Networks. Each router was a different model. Nine of them were exactly as their owners had left them and could be used, but only five had been cleaned properly. Two of the devices were encrypted, one was broken, and one was a copy of another.

All nine of the unprotected devices had credentials for the organization's VPN, credentials for another secure network communication service, or hashed root user passwords. All of them had enough information to figure out who the previous owner or person in charge of the router was.

Eight of the nine unprotected devices had router-to-router authentication keys and information about how the router connected to specific apps used by the previous owner. Four devices revealed credentials for connecting to the networks of other organizations, such as trusted partners, collaborators, or other third parties. Three of them had information on how a third party could connect to the network of the previous owner. And two of them directly held customer information.

"A core router touches everything in the organization, so I know everything about the applications and the way the organization works. This makes it very, very easy to pretend to be the organization," says Cameron Camp, the ESET security expert who led the project. "In one case, this large group had special information about one of the largest accounting firms and a direct peering relationship with that company. And that's when it starts to scare me, because we're experts and we're here to help, but where are the rest of those routers?"

The biggest risk is that thieves or even government-backed hackers could use the wealth of information on the devices to their advantage. On dark web markets and criminal sites, logins to corporate apps and networks and encryption keys are very valuable. Attackers can also sell information about people that can be used to steal their identities or for other scams.

Information about how a corporate network works and how an organization is set up digitally is also very useful, whether you're doing reconnaissance to start a ransomware attack or planning an espionage campaign. For example, routers could show that an organization is using old versions of apps or operating systems that have exploitable flaws. This would be like giving hackers a map of how they could attack the organization. The researchers even found information about the physical protection of the previous owners' offices on some of the routers.

Since used equipment is cheaper, it might be possible for hackers to buy used devices, mine them for information and network access, and then use or sell the information they find. The ESET researchers say that they debated whether or not to share their results because they didn't want to give cybercriminals new ideas. However, they decided that it was more important to raise awareness about the issue.

Camp says, "One of my biggest worries is that if someone bad isn't doing this, it's almost hacker malpractice, since it would be so easy and clear."

Even though 18 routers are a small sample of the millions of corporate networking devices that are for sale on the resale market around the world, other researchers say they've seen the same problems over and over again in their own work.

Wyatt Ford, engineering manager at Red Balloon Security, an internet-of-things security company, says, "We've bought all kinds of embedded devices online from eBay and other secondhand sellers, and we've seen a lot that haven't been digitally wiped. These devices can have a lot of information on them that bad people can use to plan and carry out attacks."

Ford says that, like ESET, hackers from Red Balloon have found passwords and other credentials and information that could be used to find out who someone is. Some information, like usernames and configuration files, is usually saved in plaintext and is easy to access. Passwords and configuration files, on the other hand, are often kept safe by being stored as scrambled cryptographic hashes. But Ford says that even data that has been hashed could still be at risk.

"We found password hashes on a device and cracked them offline. You'd be surprised by how many people still use their cats as passwords," he says. "And even things that seem harmless, like source code, commit history, network configurations, routing rules, etc., can be used to learn more about an organization, its people, and its network topology."

The ESET researchers say that companies may think they are being responsible when they hire an outside company to handle their devices: companies that get rid of e-waste, or even device-sanitization services that claim to wipe large numbers of business devices so they can be sold again. But it's possible that these third parties don't do what they say they do. Camp also says that more organizations could use encryption and other security features that most routers already have to reduce the damage that could be done if devices that haven't been wiped get out into the world.

Camp and his coworkers tried to get in touch with the old owners of the used routers they bought to let them know that their devices were now out in the wild exposing their data. Some were thankful for the information, but others didn't seem to care about the warnings or didn't have a way for experts to report security issues.

"We used trusted ways to get in touch with some companies, but we found that a lot of other companies are much harder to reach," says Camp. "That's very scary."
