Researchers discover sensitive corporate data on decommissioned routers
2023-04-19 08:05

"We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers," Camp continued.

Organizations often recycle aging tech through third-party companies that are charged with verifying the secure destruction or recycling of digital equipment and the disposal of the data contained therein.

Trusted parties would accept certificates and cryptographic tokens found on these devices, allowing a very convincing adversary-in-the-middle attack with trusted credentials, capable of siphoning off corporate secrets, with victims unaware for extended periods.

The devices were loaded with potentially crackable or directly reusable corporate credentials - including administrator logins, VPN details, and cryptographic keys - that would allow bad actors to seamlessly become trusted entities and thus to gain access across the network.

"There are well-documented processes for proper decommissioning of hardware, and this research shows that many companies are not following them rigorously when preparing devices for the secondary hardware market," said Tony Anscombe, Chief Security Evangelist at ESET. "Exploiting a vulnerability or spearphishing for credentials is potentially hard work. But our research shows that there is a much easier way to get your hands on this data, and more. We urge organizations involved in device disposal, data destruction, and reselling of devices to take a hard look at their processes and ensure they are in compliance with the latest NIST standards for media sanitization," Anscombe added.

With this in mind, it's recommended that organizations follow the manufacturer's guidelines for removing all data from a device before it physically leaves their premises, which is a simple step that many IT staff can handle.


News URL

https://www.helpnetsecurity.com/2023/04/19/decommissioned-routers-sensitive-corporate-data/