Every company needs to dispose of old hardware from time to time; however, only a few are fully aware of the associated security risks. A recent study conducted by ESET researchers found that out of 18 used routers purchased, only five had been properly wiped by the previous owners. The rest contained sensitive information such as corporate application logins, network credentials and encryption keys.
Why is this a big deal?
This wealth of information is valuable to cybercriminals and even state-backed attackers. Stolen data can be sold on for various types of scams, while details of how a corporate network is laid out can feed an espionage campaign or serve as reconnaissance for a ransomware attack. In some cases, a router's configuration also reveals the outdated versions of applications or operating systems in use, some of which contain exploitable vulnerabilities, essentially handing attackers a roadmap of possible attack paths.
Since secondhand equipment is discounted, cybercriminals can invest in purchasing used devices to mine them for information and network access, which they can use themselves or resell. The issue is not limited to routers, as researchers at Red Balloon Security have seen the same issues with other embedded devices, such as GPS systems, TVs and digital phones.
Raising awareness about proper device wiping is one of the essential steps to better digital security, which is why ESET regularly analyses the landscape in its research. There are many ways to protect your company. One is for businesses to wipe all devices properly before disposal. For storage media, this means using specialised software that overwrites the data several times over, rendering it unreadable; for a router, it usually means following the manufacturer's documented reset procedure and then confirming that the configuration, credentials and keys are actually gone, since a reset that fails or is skipped leaves everything in place.
Another preventive step is to keep the data encrypted. Encryption ensures that even if the data is stolen, it cannot be read without the key, provided that key is not stored on the same device. Some mainstream routers already offer encryption of stored configuration and other security features that organisations can take advantage of. This at least mitigates the fallout if devices that haven't been wiped end up loose in the world.
Leave it to the professionals
One option is to work with reputable device-management firms or e-waste disposal companies that specialise in wiping enterprise devices for resale. However, as ESET research revealed, even this is no guarantee that your data won't end up in the wrong hands.
This is illustrated by the case of a manufacturing business that used such a service. As ESET researchers discovered, its data (including sensitive company specifics such as the location of its data centres and the processes run there) had still not been securely erased.
Such information could provide adversaries with valuable insights into the company's proprietary processes, which could be financially damaging. This highlights the importance of thoroughly vetting third-party service providers and having a robust data disposal policy in place to safeguard sensitive information.
How to deal with routers you want to dispose of
In general, there are three situations you can get into when discarding routers and specific steps to take:
- If the device is still at the company and working, the first step is to check the manufacturer's website for specific instructions on securely wiping the data. After wiping, carefully verify that no sensitive information remains on the device. It is also recommended to save copies of all relevant material, such as manuals, firmware, software, documents and support tickets, in a secure location on the company's network, regardless of whether that material is also available in a public forum. Additionally, calendar reminders for devices with support subscriptions help ensure that the support contract is renewed and that the procedures for securely wiping the device and verifying that company-sensitive information is no longer present are tested before they are needed.
- If the device is dead, it is essential to ensure that the configuration data is destroyed before disposal. One option is to physically shred the device and make sure it goes into the e-waste stream. Alternatively, if you are certain that the only place sensitive data is recorded is on separable storage media, such as an internal drive or an external storage card, then physically removing that media from the router and applying the appropriate wiping and disposal steps to it is sufficient.
- If the device was not wiped properly and has already left the company, assess the level of risk involved. If there is a chance that the device contains sensitive information, take appropriate steps to mitigate that risk, such as changing the passwords and rotating the cryptographic keys that were stored on it. Implementing Zero Trust also reduces the risk by limiting access to sensitive information to authorised users and devices only, so that a leaked credential alone is not enough to get in.
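The first situation above ends with "verify that there's no sensitive information left on the device". The script below is an added example of how to do that check, not something taken from the ESET whitepaper or from any vendor tool. It assumes you can export the device's configuration as text (for instance a `show running-config` dump on IOS-style gear or a backup file downloaded from a web UI) both before and after the reset. The two configurations embedded in it are constructed samples with fake values, and the pattern list is a starting point to extend for your own vendors:

```python
"""Scan a router configuration dump for data that should not survive a wipe.

Added example (not from the ESET whitepaper or any vendor). Assumes the
running configuration can be exported as text before and after the reset.
The sample configs and every value in them are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample resembling an IOS-style config before wiping; all values are fake.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname CORP-EDGE-01
enable secret 5 $1$abcd$fakehashvalue
username admin privilege 15 password 7 094F471A1A0A
snmp-server community corp-ro RO
ip domain-name corp.example
interface GigabitEthernet0/1
 ip address 10.20.30.1 255.255.255.0
aaa group server radius CORP-AUTH
 server 10.20.40.5
crypto isakmp key S3cr3tPSK address 203.0.113.10
!
"""

# Constructed sample of what the same device should look like after a factory reset.
WIPED_CONFIG = """\
! constructed sample after a factory reset
hostname Router
interface GigabitEthernet0/1
 no ip address
 shutdown
!
"""

# Hostnames that ship as factory defaults; a leftover custom name is a finding.
DEFAULT_HOSTNAMES = {"router", "switch", "openwrt", "default"}

# Category -> regex. Keep these broad: a false positive costs a glance,
# a false negative costs a credential.
PATTERNS = {
    "credential": re.compile(
        r"\b(password|secret|passwd|psk|pre-shared-key|isakmp key)\s+(\S+)", re.I),
    "snmp_community": re.compile(r"snmp-server community\s+(\S+)", re.I),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    "internal_domain": re.compile(r"ip domain-name\s+(\S+)", re.I),
    "central_auth": re.compile(r"\b(?:ldap|radius|tacacs)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    evidence: str  # secret values are masked so the report itself does not leak them


def _mask(match: re.Match, category: str) -> str:
    """Keep only the keyword for credential-like matches so the report can be shared."""
    if category in ("credential", "snmp_community"):
        return match.group(0).split()[0] + " ***"
    return match.group(0)


def scan_config(text: str) -> list[Finding]:
    """Return every line that still carries identifying or secret material."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        host = re.match(r"\s*hostname\s+(\S+)", line, re.I)
        if host and host.group(1).lower() not in DEFAULT_HOSTNAMES:
            findings.append(Finding(line_no, "hostname", host.group(0).strip()))
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, category, _mask(m, category)))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick go/no-go view."""
    return dict(Counter(f.category for f in findings))


def verify_wiped(text: str) -> bool:
    """True only when the exported configuration carries no findings at all."""
    return not scan_config(text)


if __name__ == "__main__":
    for label, cfg in (("before reset", SAMPLE_CONFIG), ("after reset", WIPED_CONFIG)):
        found = scan_config(cfg)
        print(f"{label}: wiped={verify_wiped(cfg)} {summarise(found)}")
        for f in found:
            print(f"  line {f.line_no:>2} {f.category:<16} {f.evidence}")
```

Run it against the post-reset export and treat any finding as a failed wipe. The masking in `_mask` matters: the report is the kind of artefact that ends up in a ticket or an e-mail, and it should not become a second copy of the secret you were trying to destroy. Also remember that a text export only shows the running configuration; startup configs, backup files and certificates on flash or removable media need the separate handling described in the second bullet above.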
In a broader sense, businesses should have a comprehensive data management policy that includes procedures for securely disposing of old devices. This includes sharing those procedures with the employees directly involved with the disposal of old company devices and training them to ensure the policy is followed correctly.
Read the full whitepaper How I (could) have stolen your corporate secrets for $100 for more details, including instructions on how to dispose of old hardware correctly.
It is also essential to keep all firmware up to date, as outdated firmware may contain vulnerabilities that attackers can exploit. Manufacturers release regular updates to enhance the security of their devices, and applying these updates promptly is highly recommended.
With the constant evolution of technology, it can be challenging for companies to monitor all potential threats. It is crucial to be aware of the risks associated with poorly secured routers and to take the necessary steps to protect the network and the data on it. By following the steps above, you increase the chance that your company data stays safe.