Used routers often come loaded with company secrets – Ars Technica

You know you’re supposed to Wipe your smartphone Or your laptop before you resell it or give it to your cousin. After all, there is a lot of valuable personal data that needs to be kept under your control. Companies and other organizations need to follow the same approach, deleting their information from computers, servers, and network equipment so that it doesn’t fall into the wrong hands. At the RSA Security Conference in San Francisco next week, though, researchers from security firm ESET will Current results He explains that more than half of the used enterprise routers they bought for testing had been left completely intact by their previous owners. The devices were filled with network information, credentials, and confidential data about the organizations they belonged to.

The researchers purchased 18 used routers in various models from three major vendors: Cisco, Fortinet, and Juniper Networks. Of these, only nine were as left by their owners and fully accessible, while only five were properly erased. Two were encrypted, one died, and the other was an exact copy of another machine.

All nine unprotected devices contained credentials for the organization’s VPN, credentials for another secure network connection service, or hashed root administrator passwords. All contained enough metadata to identify the router’s previous owner or operator.

Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router communicated with specific apps used by the previous owner. Four devices exposed credentials to connect to other organizations’ networks—such as trusted partners, collaborators, or other third parties. Three of them contain information about how a third-party entity connected to the previous owner’s network. And two directly contain customer data.

“The primary router touches everything in the enterprise, so I know everything about the applications and the character of the enterprise — it makes it very easy to impersonate the enterprise,” says Cameron Camp, a security researcher at ESET who led the project. “In one case, this large group had privileged information on a very large accounting firm and a direct peer-to-peer relationship with it. And that’s where for me, it started to get really scary, because we’re researchers, we’re here to help, but where are the rest of these routers? “

The big risk is that the wealth of information on the devices will be valuable to cybercriminals and even state-backed hackers. Corporate application logins, network credentials, and encryption keys are highly valued on dark web markets and forensic forums. Attackers can also sell information about individuals for use in identity theft and other fraud.

Details about how a company’s network works and the organization’s digital structure are also invaluable, whether you’re reconnaissance for a ransomware attack or planning an espionage campaign. For example, routers might detect that a particular organization is running outdated versions of applications or operating systems that contain exploitable vulnerabilities, essentially giving hackers a roadmap to potential attack strategies. The researchers even found details on some routers about the security of the previous owners’ offices’ physical building.

Because used equipment is discounted, cybercriminals are likely to invest in buying used hardware to mine for information and access the network and then use the information themselves or resell it. ESET researchers say they have debated whether to release their findings, as they don’t want to give cybercriminals new ideas, but conclude that raising awareness about the issue is more urgent.

“One of my biggest fears is that if someone is evil no In doing so, it’s almost hacking malpractice, because it would be easy and obvious,” Camp says.

Eighteen routers are a small sample of the millions of enterprise network devices scattered around the world on the resale market, but other researchers say they’ve seen the same problems over and over in their work, too.

says White Ford, engineering director at Red Balloon Security, an Internet of Things security company. “These devices can contain vast amounts of information that bad actors can use to target and carry out attacks.”

As in the ESET findings, Ford says the Red Balloon researchers found passwords, other credentials, and personally identifiable information. Some data such as usernames and configuration files are usually in plain text and easily accessible, while passwords and configuration files are often protected because they are stored as mixed Cryptographic hashes. But Ford points out that even fragmented data is still at risk.

“We removed password hashes that were found on a device and split them offline — you’d be surprised how many people still base their passwords on their cats,” he says. “And even seemingly innocuous things like source code, commit history, network configurations, routing rules, etc. – can be used to learn more about an organization, its employees, and its network topology.”

ESET researchers point out that organizations may believe they are responsible by contracting out devices to third-party companies. Electronic waste disposal companies, or even device sterilization services that claim to scan large batches of enterprise devices for resale. But in practice, these third parties may not do what they claim. Camp also notes that more organizations can take advantage of the encryption and other security features already provided by mainstream routers to mitigate the fallout if unwiped devices end up out in the world.

Camp and his colleagues tried to contact the old owners of the used routers they had purchased to warn them that their devices were now out in the wild spewing their data. Some were grateful for the information, but others seemed to ignore the warnings or provide no mechanism by which the researchers could report the security findings.

“We used the trusted channels we had with some companies, but then found that a lot of other companies were more difficult to get hold of,” Camp says. “very scary.”

This story originally appeared wired.com.