Used routers may contain information or company secrets

Researchers from security firm ESET have found that more than half of second-hand business routers purchased for testing had not been properly cleaned by their previous owners and were storing numerous credentials and confidential data on the institutions to which they had belonged.

The researchers purchased 18 used routers from major vendors Cisco, Fortinet, and Juniper Networks, and found that nine of them were fully accessible and had not been cleaned, while only five had been properly cleaned.

Rich in sensitive data

Unprotected devices contained credentials for the organization’s private VPN network, credentials for other secure network communication services, administrator passwords, router-to-router authentication keys and information on how the router connected to specific applications used by the previous owner. Some devices have also revealed credentials to connect to other organizations’ networks, and even customer data.

Gold routers for cybercriminals

Researchers warn of the wealth of information contained in these second-hand routers, which might prove valuable to cybercriminals and state-backed hackers. Indeed, corporate application login credentials, network credentials, encryption keys, and details regarding the operation of a corporate network are extremely valuable in the dark web and criminal forums.

This information can be used for various malicious purposes, such as launching ransomware attacks, spying campaigns or identity theft scams. Researchers also found information regarding the physical security of former owners’ offices on some routers, which highlights the risks associated with improper cleaning of network equipment.

Undeniable neglect of companies for their obsolete equipment

The researchers point out that organizations must take responsibility for properly wiping their network equipment before reselling or disposing of it. They warn that third-party device management companies, e-waste disposal companies, or device sanitization services don’t always properly erase data from these devices as they claim. The researchers also note that consumer routers often offer encryption and other security features that organizations can take advantage of to mitigate the risk of data exposure if devices end up in the wrong hands.

Routers that need to be reset

The researchers attempted to contact the former owners of the second-hand routers they purchased to warn them of the data exposure, but found that some companies were unresponsive or did not have mechanisms to report the findings. matters of security.

The researchers urge organizations to be more vigilant regarding properly erasing their network equipment and take the necessary steps to prevent sensitive data from falling into the wrong hands.