Used routers are often full of your secrets. Corporate ones in particular may hide backdoors in the company's network.
Most people know that before sell or give away your mobile phone or the laptop you should first completely delete all your data. The same applies to the companies that are used to changing hardware every five years and filling the stores with refurbished computers and accessories.
But it seems that users do not show the same fervor for routers, which is especially dangerous for your security. At next week's RSA security conference in San Francisco, researchers from security firm ESET will present findings that show that more than half of the used corporate routers they bought for testing were completely intact from their previous owners. And of course they were full of network information, credentials and confidential data about the corporate networks they worked on.
The researchers purchased 18 used routers, in different models manufactured by three main vendors: Cisco, Fortinet και Juniper Networks. Of these, nine were exactly as their owners had left them and were fully accessible, while only five had been properly deleted.
All nine of the unprotected devices contained credentials for the VPN of the organization, credentials for other safe service network communication or hashed root administrator passwords. And all of them included quite a bit of data recognitions to determine who the previous owner or operator of the router was.
Eight of the nine unprotected devices included control keys ID cardof the router and information about how the router was connected to specific applications used by the previous owner. Four devices exposed credentials to connect to other organizations' networks, such as trusted partners, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two contained customer data.
As you can see these routers are highly valued on dark web markets and criminal forums. Attackers can sell information for use in identity theft and other fraud. But they can also hack you if they know even a little about the company or you and correlate the missing data.
And since used equipment is discounted, it would potentially be feasible for cybercriminals to invest in the used device market in order to find information. Especially in corporate equipment.
ESET researchers say they debated whether to make their findings public because they didn't want to give cybercriminals new ideas, but concluded that raising awareness of the issue is more imperative.
The eighteen routers are a small sample of the millions of enterprise networking devices available worldwide in the aftermarket.
