
Enterprises Exposed to Hacker Attacks Due to Failure to Wipe Discarded Routers

Discarded enterprise routers are often not wiped and contain secrets that could be highly useful to malicious hackers.


Discarded enterprise routers are often not wiped properly and store secrets that could be highly useful to malicious hackers, according to an analysis conducted by cybersecurity firm ESET.

The company acquired 18 secondhand enterprise routers made by Cisco, Fortinet and Juniper Networks and found that nine devices, including core routers, contained complete configuration data. Only five devices had been properly wiped.  

In the case of the nine routers, ESET was able to determine with high confidence — based on the data still present on the devices — who their previous owner was. The list included a multinational tech company and a telecoms firm, both with more than 10,000 employees and over $1 billion in revenue. 

The easily accessible and sensitive corporate information found on these routers included IPsec or VPN credentials, hashed root passwords, customer information, data allowing third-party connections to the network, credentials for connecting to other networks, router-to-router authentication keys, and connection details for specific applications.

ESET warned that much of the exposed information could be very useful to threat actors planning an attack against the device’s original owner.

The type of network information found on the routers is often only available to a limited number of individuals within an organization. The devices also stored information for accessing cloud applications, as well as firewall rules.

“With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens,” ESET explained.

The routers also exposed details of the organization's security posture: a device's security configuration lets a threat actor infer the victim's overall security level.

“We also noted, significantly, that multiple devices were acquired following decommissioning from managed IT providers who operate networks for much larger organizations, so often the affected organizations would have no idea that they may now be vulnerable to attacks due to data leaks by some third party,” ESET said.


“This seemed like a massive security attack surface that was potentially wide open to a whole host of target organizations. Two such IT companies (an MSSP in one case) managed networks for hundreds of clients in a variety of sectors including education, finance, healthcare, manufacturing, and professional services, among others,” it added.

The cybersecurity firm attempted to contact the previous owners of the tested routers to warn them about the potential risk. Three organizations completely ignored ESET. 

Interestingly, one impacted organization's representative said they had contracted a specialized disposal service and were ‘shocked’ to learn about the findings.

ESET’s full report contains recommendations for securely disposing of routers, pointing out that in most cases it’s easy to wipe a device using functionality provided by the manufacturer. 
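The classes of secrets listed above (IPsec pre-shared keys, hashed privileged passwords, router-to-router authentication keys, AAA and SNMP credentials) are exactly what a pre-disposal audit should flag before a device leaves the organization. The following is an added example, not code from ESET, the vendors, or this article: it scans a Cisco IOS-style running configuration for credential-bearing lines. The configuration sample is constructed (documentation addresses, placeholder values), and the pattern names and the `find_residual_secrets` / `is_wiped` helpers are assumptions of this example, not any vendor's tooling.

```python
import re

# Line patterns for the residual-secret classes ESET reported finding on
# unwiped routers. Cisco IOS-style syntax is assumed; other vendors need
# their own patterns. Names are this example's own, not vendor terms.
SECRET_PATTERNS = [
    ("ipsec_psk", re.compile(r"^\s*crypto isakmp key\s+\S+")),
    ("privileged_password_hash", re.compile(r"^\s*enable secret\s+")),
    ("local_user_credential", re.compile(r"^\s*username\s+\S+.*\b(secret|password)\b")),
    ("routing_auth_key", re.compile(r"^\s*key-string\s+\S+")),
    ("aaa_server_key", re.compile(r"^\s*(tacacs-server|radius-server)\s.*\bkey\s+\S+")),
    ("snmp_community", re.compile(r"^\s*snmp-server community\s+\S+")),
]


def find_residual_secrets(config_text):
    """Return (category, line_no, line) for each credential-bearing line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((category, line_no, line.strip()))
                break  # one category per line is enough for an audit
    return findings


def is_wiped(config_text):
    """Pre-disposal check: True only if no credential-bearing lines remain."""
    return not find_residual_secrets(config_text)


# Constructed sample of a leftover configuration (placeholder values only).
SAMPLE_CONFIG = """\
hostname core-rtr-1
enable secret 5 $1$EXAMPLE$notarealhash
username netops secret 5 $1$EXAMPLE$notarealhash2
crypto isakmp key EXAMPLE-PSK address 203.0.113.10
key chain OSPF-AUTH
 key 1
  key-string EXAMPLE-OSPF-KEY
tacacs-server host 192.0.2.20 key EXAMPLE-TACACS
snmp-server community EXAMPLE-RO RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

if __name__ == "__main__":
    for category, line_no, line in find_residual_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {category}: {line}")
    print("safe to dispose:", is_wiped(SAMPLE_CONFIG))
```

Run it against `show running-config` output captured from a device queued for disposal; a non-empty result means the factory reset or manual wipe has not actually taken effect.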


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
