Researchers at ESET found that hardware on resale in the market consisted of highly confidential information such as IPsec or VPN credentials, hashed root passwords, and much more.
Second-Hand sales of computing equipment have been in place ever since the introduction of computers and their hardware parts.
Every company relies on its managed service providers or e-waste contractors for the decommissioning procedures.
Unfortunately, this equipment, like corporate routers or any other network managing devices, did not have great decommissioning and wiping procedures, which led to the disclosure of confidential information.
Researchers also mentioned that this highly classified corporate information equipment was resale for just $100 – $150.
Threat actors who plan to attack the infrastructure can get this information for just $100, which they can use for planning an attack.
Another overwhelming fact is that this equipment was sometimes owned by organizations that include cloud computing businesses or data centers, who must be aware of how to wipe this information during decommissioning of the equipment.
According to the report, the information that was revealed during the analysis included,
- Customer data – 22%
- Data of Third-party connections to the network – 33%
- Credentials for connecting to other networks as a trusted party – 44
- Connection details for specific applications – 89%
- Router-to-router authentication keys – 89%
- IPsec or VPN credentials, or hashed root passwords – 100%
- Data to identify the former owner/operator – 100%
The report also mentioned that it was hard for the researchers to contact the companies whose data had been exposed in the analysis.
Most of this data exposure is due to human error, which could lead to a potential data breach.
“Equally concerning was the difficulty the team experienced during the disclosure process when attempting to contact the companies concerned, to disclose that our researchers were in possession of a device with the company’s sensitive network configuration data.” reads the report published by ESET.
ESET used 18 routers for testing and analytic purposes. The list of routers used for analysis by ESET researchers is given below
In these routers, accessible were several network configuration data were extracted by the ESET research team. The data is given in proportion to the data extracted.
|Network Configuration Data||Number||Percentage|
|Complete Configuration Data available||9||56.25|
|Dead (no recoverable data||1||N/A|
|Second Device in Mirror pair||1||N/A|
Companies that were identified during the analysis and details of their type of business and revenue are listed below.
|Vertical||Reach||Employees||Revenue (US$, M)|
|Light Manufacturing/supplier||Direct data services, as well as managed MSP services for the region||5-50||5-25|
|Legal||Nationwide (US) law firm||50-100||5-25|
|Creative||Products/subassemblies integrated into larger companies’ products||100-500||25-100|
|Services multiple tiers one, household brand companies||Multinational Technology Company||100-500||25-100|
|MSP||Manages fintech companies||100-500||25-100|
|Open-source software||Has over 100 million users, worldwide||100-500||500-1000|
|Events||Operates trade shows and equipment rentals||1000-5000||25-100|
|Multinational Technology company||Global data company||10000+||1000+|
|Telecoms||This was CPE (Customer Premises Equipment) for a transportation company||10000+||1000+|
Every organization needs to decommission any computing equipment and have a clean wiping procedure before making the computing equipment available to the resale market.