Over 50% of Disposed Routers Contain Sensitive Company Data, ESET Research Finds

ESET, a leading digital security company, has conducted research on disposed corporate network devices sold on the secondary market and has discovered alarming results. After analyzing the configuration data of 16 unique network devices, ESET found that more than 56% (nine routers) contained sensitive data of the respective companies. Of the nine networks with complete configuration data, 22% contained customer data, 33% exposed data allowing third-party connections to the network, 44% had credentials for connecting to other networks as a trusted party, and 89% itemized connection details for specific applications.

ESET security researcher Cameron Camp, who led the project, warns that companies should be more aware of what remains on the devices they dispose of, as a majority of the routers obtained from the secondary market contained valuable information, including core networking data, corporate credentials, application data, and information about partners, vendors, and customers.

The devices were loaded with sensitive data covering third parties, trusted parties, customers, specific applications, extensive core routing information, and trusted operators. ESET’s researchers were able to determine which ports and hosts the applications communicated with, as well as which ones they trusted and which they did not. An attacker could use this information to exploit known vulnerabilities and attack a network whose topology they have already mapped.

Tony Anscombe, Chief Security Evangelist at ESET, emphasizes that many companies are not following documented processes for proper decommissioning of hardware, leading to data leaks. He urges companies to ensure compliance with the latest NIST standards for media sanitization and to use trusted and competent third parties for disposing of devices or to take all necessary precautions if handling decommissioning themselves.

The routers in the research were from a variety of industries, ranging from medium-sized businesses to global enterprises, including data centers, law firms, third-party tech providers, manufacturing and tech companies, creative firms, and software developers. ESET has reached out to each identified organization, where possible, to disclose the findings and collaborate to ensure they were aware of the details potentially compromised by others in the chain of custody of the devices.

Author

  • Hello! I’m Mark, the founder of techcoffeehouse.com. I love a good plate of Chicken Rice. So, if you have a story as good as the dish, HMU!