Summary:
Over half (56%) of corporate network devices sold second-hand still contain sensitive company data, according to a new study from ESET. The security vendor bought 16 recycled devices routers and found that nine of them contained one or more IPsec or VPN credentials, or hashed root passwords, as well as enough information to identify the previous owner. This information could theoretically allow threat actors who got hold of the devices to gain network access to the organization that recycled the router, ESET claimed.

ESET also says using the recycled devices allowed them to work out which ports and hosts were used. Threat actors could theoretically probe these details for known vulnerabilities. In some cases, they were able to map out network topology including the location of remote offices and operators.

All in all, the failure to properly decommission devices poses risks to companies, their customers, and their partners.

Analyst comments:
The routers examined by ESET were originally owned by mid-sized and global organizations operating across multiple verticals and sectors including, datacenter providers, law firms, technology vendors, manufacturers, creative firms, and software developers. ESET said some of the contacted organizations treated the issue as a serious data breach, while others never responded to their attempts to notify.

Research lead, Cameron Camp, said the findings should serve as a wake-up call, whether firms dispose of devices themselves or contract an e-waste company to do so. “We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite,” he added.

Of the nine networks that had complete configuration data available:

• 22% contained customer data
• 33% exposed data allowing third-party connections to the network
• 44% had credentials for connecting to other networks as a trusted party
• 89% itemized connection details for specific applications
• 89% contained router-to-router authentication keys
• 100% contained one or more of IPsec or VPN credentials, or hashed root passwords
• 100% had sufficient data to reliably identify the former owner/operator

Organizations often recycle aging tech through third-party companies that are charged with verifying the secure destruction or recycling of digital equipment and the disposal of the data contained therein. Whether an error by an e-waste company or the company’s own disposal processes, a range of data was found on the routers, including:



Third-party data: As we have seen in real-world cyberattacks, a breach of one company’s network can proliferate to their customers, partners, and other businesses with whom they may have connections.

Trusted parties: Trusted parties (which could be impersonated as a secondary attack vector) would accept certificates and cryptographic tokens found on these devices, allowing a very convincing adversary in the middle (AitM) attack with trusted credentials, capable of syphoning off corporate secrets, with victims unaware for extended periods.

Customer data: In some cases, core routers point to internal and/or external information stores with specific information about their owners’ customers, sometimes stored on premises, which can open customers up to potential security issues if an adversary is able to gain specific information about them.

Specific applications: Complete maps of major application platforms used by specific organizations, both locally hosted and in the cloud, were scattered liberally throughout the configurations of these devices. These applications range from corporate email to trusted client tunnels for customers, physical building security such as specific vendors and topologies for proximity access cards and specific surveillance camera networks, and vendors, sales and customer platforms, to mention a few. Additionally, ESET researchers were able to determine over which ports and from which hosts those applications communicate, which ones they trust, and which ones they do not. Due to the granularity of the applications and the specific versions used in some cases, known vulnerabilities could be exploited across the network topology that an attacker would already have mapped.

Extensive core routing information: From core network routes to BGP peering, OSPF, RIP and others, ESET found complete layouts of various organizations’ inner workings, which would provide extensive network topology information for subsequent exploitation, were the devices to fall into the hands of an adversary. Recovered configurations also contained nearby and international locations of many remote offices and operators, including their relationship to the corporate office – more data that would be highly valuable to potential adversaries. IPsec tunneling can be used to connect trusted routers to each other, which can be a component of WAN router peering arrangements and the like.

Trusted operators: The devices were loaded with potentially crackable or directly reusable corporate credentials – including administrator logins, VPN details, and cryptographic keys – that would allow bad actors to seamlessly become trusted entities and thus to gain access across the network.

Mitigation:
“Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors and customers” (ESET, 2023).

Have a Plan
Similar to a disaster recovery plan, organizations should invest resources into creating a detailed plan for removing, wiping, and recycling decommissioned IT products. The plan should include, backing up mission critical business information, identifying and logging hardware assets, disabling user access, securely wiping hardware, and destroying or recycling hardware products. Having poor decommissioning policies can lead to data leakage and increase overall cybersecurity risks.

Create and Maintain a Detailed Log to Track Decommissioning Process
Create a digital logbook to manage data related to retired IT equipment. This logbook should contain detailed information about each decommissioned asset, including its disposal date, equipment type, hardware serial number, and asset destruction location. It should also have a checklist that staff can follow to ensure the secure disposal of each asset, in line with company policies. If using an external IT asset disposition partner, it is recommended to ensure they are fully accountable and transparent and use advanced information systems for auditing and reporting purposes.

Backup Mission-Critical Business Information
Incorrectly backing up data during asset disposal can result in the deletion of sensitive business information. To avoid data loss incidents, it is recommended to take a cloud backup of the information stored on old hardware. This backup can also serve as proof of the type of data that has been deleted during decommissioning.

Verify Asset Identity Before Disposal
Before sending any IT asset for on-site or off-site destruction, it is crucial to confirm its identity. This can be accomplished by cross-validating the asset's serial number with the logbook of decommissioned IT assets to ensure that the correct equipment is being handled. Additionally, examining the logbook can provide insight into the employees who previously used the equipment, shedding light on the type and criticality of data stored on the hardware. Employing IT asset management software can expedite the identity verification process and streamline the overall decommissioning process.

Disable User Access to Obsolete IT Assets
Effective management of user permissions and robust controls to prevent unauthorized network access are paramount to bolstering your organization's security posture. When decommissioning technology hardware, scrutinize the user access privileges granted to retired IT assets. Outdated user IDs or accounts with elevated access can serve as a backdoor for ex-employees and cybercriminals to infiltrate your network and pilfer sensitive information. To fortify your network security, ensure that all obsolete user IDs are deleted during the asset decommissioning process.

Securely Wipe Data From Your IT Hardware
Neglecting to track down and wipe confidential information stored on decommissioned IT assets can exponentially elevate the likelihood of data exposure. Thus, it is advisable to partner with an expert who offers top-notch data sanitization services. A certified vendor can help you securely erase data from your outdated hardware while maintaining compliance with the data privacy laws governing your industry. Moreover, it is crucial to ensure that your data security partner conforms to the rigorous NIST and DoD standards and furnishes certificates of data destruction to validate the effectiveness of their services.

Destroy Obsolete IT Assets in An Eco-Friendly Manner
To prevent unauthorized data access, the physical destruction of damaged IT assets is generally the optimal solution for companies. However, it is crucial to ascertain that the assets being destroyed have no potential for reuse. Partnering with a certified IT asset disposition company is recommended for shredding or disposing of unwanted equipment. These experts can provide valuable guidance on whether to refurbish or recycle old assets by analyzing various factors, such as equipment age, functionality, and overall condition. Moreover, an R2-certified ITAD expert can help recycle damaged equipment in an environmentally sustainable and socially responsible manner, ensuring that it doesn't end up in a landfill.

Source:
https://www.eset.com/int/about/news...secrets-and-data-on-recycled-company-routers/
https://www.infosecurity-magazine.com/news/recycled-network-exposing/