Used Routers Often Come Loaded With Corporate Secrets

An anonymous reader shares a report: You know that you're supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there's a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn't fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to. The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.

All nine of the unprotected devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been. Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other organizations -- like trusted partners, collaborators, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two directly contained customer data.

First thing to do is data recovery

[Goatbot]

Make a few images files and play with the raw data.

Re:

[Z00L00K]

I bought a Cisco network switch on eBay a while ago and it was partially wiped, the config was gone but the VLAN table was there still.
This was from a broker of used equipment.
Not all brokers are doing a half-baked job of it though.

All Companies

[Inglix the Mad]

be their small mom & pop operations or a large corporation need an equipment destruction policy.

Some things are just too risky to resell. That laptop? Take the hard drive / SSD out. For small companies: That router? Crush it. Switches are a bit more variable... unmanaged switches are pretty safe to reset and resell.

Larger companies conducting lifecycle on their routing / switching gear? Unless you have a secure erase policy and procedures, it's probably best to crush it. Check your contracts... you might have to crush it anyway. Oh and you might need to get a document of secure destruction. Watch out for PCI and HIPAA compliance items.

"Right before the last turn-off..."

[Anonymous Coward]

"... disconnect all the wires except power, hit the rest button, continue with next box. Once it's done resetting, disconnect power and then unrack."

Funny how you have to have a policy for everything or the drones will just do as they're told: Take the kit out of the rack and put in the skip. If they don't come back after hours to fish the kit out of the skip to put on ebay, someone else will.

Even if you have a policy of "destroy", good chance it'll end up on ebay unwiped anyway. Better to explicitly wipe

Re:

[t0qer]

I worked for the DoD. Our policy was to degauss and crush. It wasn't actually a crusher, more like a hard drive splitter.

The idea is to take zero chances that mission sensitive data can be recovered. I've heard of some really crazy techniques, like the CIA using extremely fine black sand (iron particles) sprinkled on disks to read the sector state manually with a microscope. Which is why we degauss (which will fry some of the electronics on the board like an EMP).

After the crush, we'd keep the rare eart

Re:

[Alain Williams]

All very laudable - protect your organisation's security. The trouble is that crushing dents our planet's security as more raw materials are needed to make brand new kit; whereas properly wiping means that devices can be sold/reused elsewhere.

Yes: a conflict of interests. It really means that the OEM should sell devices that have a well document "secure reset/wipe" function. However: this will not happen as such a function will not make something more attractive to the original purchaser. The only way that

Re:

[tlhIngan]

All very laudable - protect your organisation's security. The trouble is that crushing dents our planet's security as more raw materials are needed to make brand new kit; whereas properly wiping means that devices can be sold/reused elsewhere.

Yes: a conflict of interests. It really means that the OEM should sell devices that have a well document "secure reset/wipe" function. However: this will not happen as such a function will not make something more attractive to the original purchaser. The only way that

Re:"Right before the last turn-off..."

[Aryeh Goretsky]

Hello,

One of the researchers who worked on the investigation here.

In the recommendations section of our research paper, one of the ones for device manufacturers was that they both switch to storing configuration data on removable media, and that the removable media in question be something that could easily be connected to a computer like a CompactFlash card, an SDXC card, a 2.5" or 3.5" drive, or even an M.2 drive so that part could be easily removed from the device. That way the device owner could perform a secure wipe of it, and verify it no longer contained any data.

Or they could then destroy it.

That wasn't something I favored, but I would rather have devices re-enter the secondary market missing a common and easily-replaceable storage device than be destroyed in their entirety because the device owner could wipe its on-board FLASH RAM.

Regards,

Aryeh Goretsky

Re:

[Aryeh Goretsky]

Hello,

One of the researchers who worked on this.

As part of our research, we came up with a list of recommendations for both device owners and device manufacturers that are in the research paper, which you can get to by going TFA, going to our blog, and then downloading the PDF file from there (direct link, no need to give an email address or anything like that).

One of the recommendations we had was for device manufacturers to have the information about how to securely wipe their devices publicly available (

Re:

[Anonymous Coward]

That's the DoD, with the CIA to keep them sharp. The molten metal story is from the nuclear guys.

The point is that this "zero chances whatsoever" approach doesn't work for the corporate environment, where the taxes to fund the DoD have to be earned. Better get something reasonable that will likely work, than the super-duper bestest evar that people will skirt for the money, the nuisance, the make-work, stick it to the manager, what-have-you.

It's also a nice poster child of how the "cyber security" guys li

Re:

[laughingskeptic]

We had to have a person spend days removing platters from drives from a small cloud. These were then taken to a facility and melted into slag. Despite being repeatedly debunked, the government still is convinced that Peter Gutmann's 1996 paper “Secure Deletion of Data from Magnetic and Solid-State Memory” is factual.

Re:

[whoever57]

The drill stand in my garage is the policy enforcement for the small company that employs me.

It's possible the NSA could get some data off a hard drive that has a hole in the platters, but I am not worried about the NSA. It would take some real effort and I don't think we have data that is interesting enough to justify this level of effort to recover some data.

Re:

[UnknowingFool]

So my fan fiction portrayal of The Romance of Jar-Jar Binks would be safe? Allegedly if I were to write one.

Re:

[gweihir]

Indeed. If you cannot assure you erased it, do not sell it. Simple as that. But some people are just dumb, meaning they do not apply whatever intelligence they may have to the problem at all.

Re:

[Aryeh Goretsky]

Hello,

One of the researchers who worked on this investigation here.

The problem isn't so much that the devices are too risky to sell, it's that the devices were not decommissioned properly. In some cases, the organizations claimed to have followed procedures and even had been given certificates of data destruction, which it turns out were not so valid after all. And in one case, an organization claimed the router had been stolen.

The Ars Technica article links to our blog, which in turn links to our report

Re:

[coofercat]

Whilst everyone should have a destruction policy, I disagree with your implementation. Hire a secure destruction company to do it for you. It won't even cost much, because they sell the useful stuff and take the proceeds off the bill. Even the more secure environments should do the same - although you'll maybe need a slightly more specialist company to do it.

They've already wiped a hundred of that obscure router you've got, so they know that you have to open it up and whip out the flash chips. They know the

Every one in my experience

[The-Ixian]

Every switch, router and firewall that I have ever purchased off of ebay has had a config on it.

Sometimes they even have the labels with IP addresses and login information.

Re:

[omnichad]

I helped someone buy an open box iMac recently from Best Buy. Looked pristine, but when I turned it on it asked for a password for Christine. Thankfully it was at least not activation locked and I was able to get it wiped.

Re:

[know-nothing cunt]

an open box iMac recently from Best Buy. Looked pristine
but when I turned it on it asked for a password for Christine

You've got the seed of a hit song right there.

Re:

[kellin]

8675309?

Re: Every one in my experience

[Anonymouse Cowtard]

That's Jenny's number, not Christine's.

Re:

[dranga]

I thought Christine's number was CQB 241

Same thing happened to photocopiers

[p51d007]

There was some IT security guy who owned a security business, bought a bunch of used MFP copiers, and was able to pull personal data which had been stored on the copier hard drives. He went on 60 minutes and after that aired, the entire copier industry went nuts upgrading everything with security. Auto wipe drives, encryption and on and on. Guess the router/switch industry will be doing the same thing. This video was from over 12 years ago. https://www.youtube.com/watch?... [youtube.com]

Re:

[gweihir]

Yep. I habe been involved into designing decommissioning procedures for copiers and printers. Went so far as to require a secure erase and overwrite for the disk drives contained in these machines. (SCSI at that time.) The company that provided them (they were rented) was not happy, but by their contract it was either that or they would not have gotten the disks back at all. It helps when the legal and contract people think ahead. Of course, this was a large bank, which makes things a lot easier.

Shoddy practices

[gweihir]

Seriously. It is known how to handle that case. Well-known. In fact, unless you are sure you can erase these things reliably, you either change all corporate secrets on them before selling them or you physically destroy them and do not sell them. Anybody that makes mistakes like that is just incompetent. And worse, any company that does not have procedures for selling such equipment is grossly negligent. There have been enough reference cases. There is no excuse anymore.

Another reason not to sack us geeks

[Bruce66423]

The newbies they import tend to forget such things. What a shame... ;)

Re:

[gweihir]

Indeed. Cheap people tend to get pretty expensive in some cases.

VPN details still in them

[pcjunky]

I have bought many Cisco routers on Ebay over the years. It's shocking how many still had VPN configurations complete with IP addresses and encryption keys still in the flash memory. This is a serious blind spot for companies getting rid of old tech.