Security researchers have discovered that second-hand corporate networking equipment might contain data that can either identify previous owners or lead to a network breach. The main cause is that the routers were not properly wiped before being put up for sale.
ESET researchers purchased 18 used core routers only to discover that previous configuration data could be found on more than half of them. These included 11 Juniper Networks SRX-series gateway routers, four Cisco ASA 5500 and three Fortinet FortiGate series routers.
Out of these, one router was dead on arrival and two were mirrors of each other that showed up as a single device in evaluation. Of the 16 remaining devices, only five were properly wiped and two had been hardened (making any onboard data harder to access). It was rather easy to access complete configuration data on the remaining nine, which included information on the previous owner, how they set up the network, and connections between other systems.
Eight of these nine routers also leaked router-to-router authentication keys and hashes. Additionally, complete maps of sensitive programs hosted locally or in the cloud were also found, including popular programs like Microsoft Exchange, Salesforce, SharePoint, VMware Horizon and SQL, among others.
According to the researchers, with this level of detail, impersonating internal hosts or even entire networks would be rather easy for an attacker, especially considering that these devices contain VPN credentials or other authentication tokens that can be easily cracked.
Several of these devices were deployed in IT provider environments operating networks of large companies. One device belonged to a managed security services provider that handled networks for hundreds of clients across different industries, putting all of them at risk.
The researchers have pointed out the importance of following proper wiping procedures when decommissioning devices. Additionally, using a third-party service for this might also not be a good idea. Instead, companies should put their own processes in place for the safe disposal of devices containing sensitive information.