Used routers are often full of your secrets. Corporate ones in particular may hide backdoors in the company's network.
Most people know that before you sell or give away your mobile phone or laptop, you should first completely delete all your data. The same applies to companies that are used to replacing hardware every five years and filling stores with refurbished computers and accessories.
But it seems that users do not show the same care with routers, which is especially dangerous for your security. At next week's RSA security conference in San Francisco, researchers from security firm ESET will present findings showing that more than half of the used corporate routers they bought for testing had been left completely intact by their previous owners. And of course they were full of network information, credentials and confidential data about the corporate networks they had worked on.
The researchers bought 18 used routers, in different models made by three major vendors: Cisco, Fortinet and Juniper Networks. Of these, nine were exactly as their owners had left them and were fully accessible, while only five had been properly wiped.
All nine of the unprotected devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed passwords of the root administrator. And all included enough data to identify who the previous owner or operator of the router was.
Eight of the nine unprotected devices included router authentication keys and information about how the router was connected to specific applications used by the previous owner. Four devices exposed credentials to connect to other organizations' networks, such as trusted partners, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two contained customer data.
As you can see, these routers are highly valued on dark web markets and criminal forums. Attackers can sell the information for use in identity theft and other fraud. But they can also hack you if they know even a little about the company or you and correlate the missing data.
And since used equipment is discounted, it would potentially be feasible for cybercriminals to invest in the used device market in order to find information, especially in corporate equipment.
ESET researchers say they debated whether to make their findings public because they didn't want to give cybercriminals new ideas, but concluded that raising awareness of the issue is more imperative.
The eighteen routers are a small sample of the millions of enterprise networking devices available worldwide in the aftermarket.