ESET Germany GmbH
Jena (ots)
Anyone who sorts out or resells company routers should definitely delete all stored data in accordance with standards. Many SMBs don’t seem to follow this simple rule, ESET experts found out. In a study of 16 routers bought second-hand, they found that sensitive information could still be called up on more than half of the devices. Shockingly, waste disposal service providers have also done a poor job here and have not destroyed hardware or its contents, but resold them. The ESET researchers published the analysis white paper on the security blog WeLiveSecurity:
“The potential ramifications of our findings are extremely concerning and should serve as a wake-up call,” said Cameron Camp, ESET security researcher. “We expected medium to large enterprises to have strong safeguards in place for decommissioning devices – this was obviously not the case. The majority of the devices examined contained a digital blueprint of the enterprise in question, such as core network information, application data, corporate credentials and information about partners, vendors and Customers.”
Of the nine network devices for which full configuration data was available, included
- 22 percent customer data
- 33 percent connections that allowed third parties to access the network
- 44 percent used credentials to connect to other networks as a trusted party
- 89 percent connection details for some applications
- 89 percent router-to-router authentication key
- 100 percent one or more IPsec or VPN credentials or hashed root passwords
- 100 percent enough data to reliably identify the former owner/operator.
The routers in this research come from organizations of all sizes and industries (data centers, law firms, third-party technology providers, manufacturing and technology companies, creative firms, and software developers). ESET shared the results with the affected companies, which included well-known names.
A lack of control plays into the hands of criminals
“There are well-documented processes for properly decommissioning hardware, and this research shows that many companies do not follow these strictly when preparing devices for the aftermarket,” said Tony Anscombe, Chief Security Evangelist at ESET. “Exploiting a vulnerability or spearphishing credential credentials is potentially hard work. Our research shows that there is a much easier way to get this data. We recommend companies involved in device disposal, data destruction, and resale of devices to closely review their processes and ensure they are in compliance with the latest NIST standards.”
Disposal only in a controlled and professional manner
Businesses should only use trusted, competent third parties to dispose of equipment, or take all necessary precautions when undertaking the decommissioning themselves. This applies not only to routers and hard drives, but to all devices that are part of the network. ESET experts advise following manufacturer guidelines to securely wipe all data from a device before it leaves the company – a simple step that many IT staff can perform.
You can find more information and the white paper on the analysis at
Press contact:
ESET Germany GmbH
Christian Lueg
Head of Communication & PR DACH
+49 (0)3641 3114-269
[email protected]
Michael Klatte
PR Manager DACH
+49 (0)3641 3114-257
[email protected]
Follow ESET:
http://www.ESET.de
ESET Deutschland GmbH, Spitzweidenweg 32, 07743 Jena, Germany
Original content from: ESET Deutschland GmbH, transmitted by news aktuell
