top of page

Many company secrets in second-hand routers

  • More than 56% of network routers purchased by ESET from second-hand hardware vendors contained a treasure trove of sensitive data, including credentials, VPN configurations, cryptographic keys, and more.

  • In the wrong hands, this data is enough to start a cyberattack that can lead to a data security breach, endangering the company, its partners and its customers.

  • This study shows that companies do not follow sufficient security protocols when disposing of their equipment.

  • A number of affected organizations did not react to ESET's communications.


ESET, Europe's leading security vendor, today unveiled a new study on retired and second-hand enterprise network devices. After reviewing the configuration data of 16 separate devices, ESET found that more than 56% of them, or 9 routers, contained sensitive corporate data.


Of the 9 networks for which full configuration data was accessible:


  • 22% contained customer data

  • 33% exposed data allowing third parties to connect to the network

  • 44% had credentials to connect to other networks as a trusted third party

  • 89% contained login details for specific apps

  • 89% contained router-to-router authentication keys

  • 100% contained one or more VPN or IPsec IDs, or root password hashes

  • 100% had sufficient data to identify the previous owner/operator with certainty


Discovered data about devices falls into these categories:


Trusted Third Party Information.

Customer data.

Specific application data.

Complete central routing information.

Spoof data from trusted operators.


"The potential impact of our findings is extremely concerning and should be a wake-up call," said Cameron Camp, the ESET researcher who led the project. “We expected midsize and large enterprises to have a set of strict security protocols for decommissioning devices, but we found the opposite. Organizations need to be much more aware of what's left on the devices they retire, given that a majority of the pre-owned devices we obtained contained a detailed digital diagram of the affected company, including information essential network, application data, company identifiers, and partner, supplier, and customer information. »

3 views0 comments

Comments


bottom of page