Reselling network equipment and other old devices can be an attractive way for companies to recover value, but it can also expose them to security risks. If the devices are reset incorrectly, sensitive information and configuration data of interest to criminals can fall into the wrong hands, opening the door to scams.

Cybersecurity company ESET put this idea to the test in a survey, purchasing 18 second-hand core routers (used as the centerpiece of enterprise networks) from three manufacturers. Of this total, one of the devices was not working, while another was configured as a clone of a third, with both counting for the survey as a single device.

Of the 16 remaining devices, only five had been properly restored and contained no information about their previous owners. On the remaining 11, it was possible to obtain details of the networks in which they had previously operated, identifiers that made it possible to know which company was responsible, and even information on employees, customers and access credentials to internal systems.

One of the analyses, considered the most serious by ESET, revealed a router that was used by a service provider for large companies. On the device were details of the internal networks of companies in sectors such as health, education, finance and industry, including details of the customers’ IT infrastructure. In eight cases, it was also possible to obtain hashes and authentication keys between routers that were part of the network, as well as web application secrets.

VPN passwords could be found on all compromised devices, while 44% also carried credentials to access external services on behalf of the original owners. Details of external connections were found on 89% of the devices, while 33% carried data that enabled external connections to the corporate network. Finally, customer data was found on 22% of devices.

With such information in hand, it would be easy to carry out a targeted attack. Criminals could obtain details about devices that are unprotected or running old software versions with confirmed security flaws, and could build attack plans from such records. When it comes to credentials and secrets, the possible exploits become even broader and more dangerous, with network intrusions and attacks that seek to obtain data or deploy ransomware.

On the analyzed devices, much of the information could be obtained in a relatively simple way, by putting the device into a recovery mode that allowed access to previously applied configurations. That is why experts recommend adopting secure wiping procedures before passing on network equipment and other devices used in sensitive operations.

System administrators should use the appropriate commands to clear memory and configuration files, following the manufacturers' recommendations for carrying out this process. In addition, experts advise against using third-party services for this purpose; this was in fact the case with one of the devices analyzed in the ESET survey.

Source: ESET
