More than 56% of network routers purchased by ESET from second-hand hardware vendors contained a treasure trove of sensitive data, including credentials, VPN configurations, cryptographic keys, and more.
In the wrong hands, this data is enough to start a cyberattack that can lead to a data security breach, endangering the company, its partners and its customers.
This study shows that companies do not follow sufficient security protocols when disposing of their equipment.
A number of affected organizations did not react to ESET's communications.
ESET, Europe's leading security vendor, today unveiled a new study on retired and second-hand enterprise network devices. After reviewing the configuration data of 16 separate devices, ESET found that more than 56% of them, or 9 routers, contained sensitive corporate data.
Of the 9 networks for which full configuration data was accessible:
22% contained customer data
33% exposed data allowing third parties to connect to the network
44% had credentials to connect to other networks as a trusted third party
89% contained login details for specific apps
89% contained router-to-router authentication keys
100% contained one or more VPN or IPsec IDs, or root password hashes
100% had sufficient data to identify the previous owner/operator with certainty
Discovered data about devices falls into these categories:
Trusted Third Party Information.
Customer data.
Specific application data.
Complete central routing information.
Spoof data from trusted operators.
"The potential impact of our findings is extremely concerning and should be a wake-up call," said Cameron Camp, the ESET researcher who led the project. “We expected midsize and large enterprises to have a set of strict security protocols for decommissioning devices, but we found the opposite. Organizations need to be much more aware of what's left on the devices they retire, given that a majority of the pre-owned devices we obtained contained a detailed digital diagram of the affected company, including information essential network, application data, company identifiers, and partner, supplier, and customer information. »
Comments