Data on Secondhand Corporate Routers Can be Used by Hackers to Breach Networks


Enterprise-level network hardware sold on the secondary market can retain sensitive information that hackers may exploit to infiltrate corporate networks or steal customer data. Researchers examined several used corporate-grade routers and discovered that the majority of them had been improperly decommissioned before being sold online.

Researchers at cybersecurity company ESET acquired eighteen secondhand core routers and discovered that, on more than half of those that operated as intended, it was still possible to obtain the complete configuration data. Because they link all other network components, core routers serve as the backbone of a large network. They are built to forward IP packets quickly and to accommodate numerous data communication interfaces.

When the ESET research team first purchased a few secondhand routers to create a test environment, they discovered that the devices had not been thoroughly wiped and still contained network configuration data as well as information that could be used to identify the former owners. The purchased equipment included 11 Juniper Networks devices (SRX Series Services Gateway), three Fortinet (Fortigate series) devices, and four Cisco (ASA 5500) devices.

Cameron Camp and Tony Anscombe write in a recent report that two devices were mirror images of one another and were treated as one in the assessment findings, while one device was dead on arrival and was excluded from the testing. Only two of the 16 remaining devices had been hardened, making some data more challenging to retrieve. Only five of the remaining 16 devices had been properly wiped.

However, most of them allowed access to the complete configuration data, which contains a wealth of information about the owner, how they configured the network, and the relationships between various systems. To securely delete the settings and reset a corporate network device, the administrator must run a few commands. Without that step, the routers can be started in recovery mode, which allows the configuration to be examined.

According to the researchers, some routers stored customer information, information allowing other parties to join the network, and even “credentials for connecting to other networks as a trusted party.” Eight of the nine routers that revealed the complete configuration data also included authentication keys and hashes for router-to-router communication. The exposed business secrets included complete maps of private applications hosted locally or in the cloud. Microsoft Exchange, Salesforce, SharePoint, Spiceworks, VMware Horizon, and SQL are a few examples.

According to the study, “highly credentialed personnel” like network administrators and their supervisors are often the only ones with access to such detailed insider information. With access to this information, an adversary could easily plan an attack path that leads covertly deep into the network. According to information found in the routers, several of them had been used in managed IT provider environments, which run the networks of big businesses.

One device even belonged to a managed security services provider (MSSP) that looked after the networks of hundreds of clients across all industries (e.g., education, finance, healthcare, manufacturing). In light of their findings, the researchers emphasize the need to thoroughly wipe network devices before getting rid of them. Businesses must have policies in place for the secure disposal of their digital equipment.

The researchers also caution against always relying on a third-party service for this activity. After informing a router’s owner of their discoveries, they learned that the business had used such a service. Clearly, things didn’t turn out as expected. The advice is to follow the manufacturer’s instructions to wipe any potentially sensitive data and reset the device to its factory default settings.
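A post-wipe check in the spirit of this advice, as an added example that is not from the ESET report or this article: it scans a configuration export taken from a device after the reset and reports leftover lines in the categories the researchers found (credential hashes, router-to-router keys, peer definitions, application names, owner identifiers). The patterns, function names and both sample configurations are constructed assumptions, and the patterns are heuristics rather than a complete list.

```python
import re
from collections import Counter

# Heuristic patterns modelled on common Cisco ASA, Junos and FortiOS syntax.
# Assumed coverage only; extend per vendor and review every hit by hand.
RESIDUE_PATTERNS = {
    "credential hash": re.compile(
        r"\b(enable password|username \S+ password|encrypted-password"
        r"|set passw(?:or)?d ENC)\b", re.I),
    "router-to-router key": re.compile(
        r"\b(pre-shared-key|psksecret|authentication-key|message-digest-key)\b", re.I),
    "vpn peer": re.compile(r"\b(tunnel-group|crypto map|set remote-gw)\b", re.I),
    "application map": re.compile(
        r"\b(exchange|salesforce|sharepoint|spiceworks|horizon|sql)\b", re.I),
    "owner identity": re.compile(
        r"\b(domain-name|snmp-server (?:contact|location)|contact-info)\b", re.I),
}

def scan_config(text):
    """Return (line_number, category) pairs; values are never echoed back."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RESIDUE_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, category))
    return findings

def summarize(text):
    """Count residual lines per category."""
    return dict(Counter(category for _, category in scan_config(text)))

def safe_to_dispose(text):
    """True only when the export shows no residue in any category."""
    return not scan_config(text)

# Constructed sample: an export from a device that was never wiped.
# It deliberately mixes vendor syntaxes; all values are placeholders.
SAMPLE_UNWIPED = """hostname edge-fw01
domain-name corp.example
enable password CONSTRUCTEDHASH0 encrypted
username netadmin password CONSTRUCTEDHASH1 encrypted privilege 15
object network SHAREPOINT-INT
 host 10.20.30.40
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key CONSTRUCTED-PSK
set security ike policy to-partner pre-shared-key ascii-text "CONSTRUCTED"
set psksecret ENC CONSTRUCTED
"""

# Constructed sample: what an export might look like after a proper reset.
SAMPLE_WIPED = "hostname ciscoasa\ninterface Management0/0\n nameif management\n"
```

The report lists only line numbers and categories, so the audit output can be filed with disposal records without copying the secrets it found.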

About the author

Yehudah Sunshine


Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities and/or enhance marketing strategies and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.