Every company needs to dispose of old hardware from time to time; however, not many understand the security risks associated with it. A recent study conducted by ESET researchers found that out of 18 used routers purchased, only five had been properly wiped. The rest contained sensitive information such as corporate application logins, network credentials and encryption keys.
Why is this a big deal?
This wealth of information could be valuable to cybercriminals and even state-backed hackers. Attackers can sell information about individuals for use in various types of scams. Details about how a corporate network operates and the digital structure of an organization are also possible stepping stones for plotting an espionage campaign or reconnaissance to launch a ransomware attack. In some cases, routers may reveal outdated versions of applications or operating systems that contain exploitable vulnerabilities, essentially giving hackers a roadmap of possible attack strategies.
Since secondhand equipment is discounted, cybercriminals can invest in purchasing used devices to mine them for information and network access, which they can use themselves or resell. The issue is not limited to routers, as researchers at Red Balloon Security have seen the same issues with other embedded devices, such as GPS systems, TVs and digital phones.
Raising awareness about proper device wiping is one of the essential steps to better digital security, which is why ESET regularly analyzes the landscape in its research. After all, there are many ways to protect your company. One solution is for businesses to ensure that they properly wipe all devices before disposal. This can be done by using specialized software that overwrites the device's data several times over with new data, rendering it unreadable.
Another preventive step is to have all the data encrypted. Encryption ensures that even if the data is stolen, it cannot be read without the encryption key. Some mainstream routers already offer encryption and other security features that organizations can take advantage of. This can at least mitigate the fallout if devices that haven't been wiped end up loose in the world.
Leave it to the professionals
One of the possibilities is to consider working with reputable device-management firms or e-waste disposal companies that specialize in wiping enterprise devices for resale. However as ESET research revealed, even this isn’t a 100% guarantee that your data won’t end up in the wrong hands.
This is illustrated by the case of a manufacturing business that used such a service, but as ESET researchers discovered, their data (including sensitive company specifics like the location of their data centers and the processes that occurred there) had not been securely disposed of. Such information could provide adversaries with valuable insights into the company's proprietary processes, which could be financially damaging. This highlights the importance of thoroughly vetting third-party service providers and having a robust data disposal policy in place to safeguard sensitive information.
How to deal with routers you want to dispose of
In general, there are three situations you can get into when discarding routers, and specific steps to take:
- If the device is still at the company and working, the first step is to check the manufacturer's website for specific instructions on how to securely wipe the data. It's important to carefully verify that there's no sensitive information left on the device after wiping. It's also recommended to save copies of all relevant information, such as manuals, firmware, software, documents and support tickets, in a secure location on the company's network, regardless of whether that information is available in a public forum. Additionally, for devices with support subscriptions, creating alerts in your calendar as a reminder can help ensure that the support contract is renewed and that procedures for securely wiping the device and verifying that company-sensitive information is no longer present are tested.
- If the device is dead, it's essential to ensure that the configuration data is wiped from the device before disposing of it. One option is to physically shred the device and ensure it goes into the e-waste stream. Alternatively, if you're sure that the only place where sensitive data is recorded is on a removable storage medium such as an internal hard drive or external removable storage media, then physically separating the storage media from the router and taking appropriate data wiping and disposal steps for that media is sufficient.
- If the device was not wiped properly and is already out of the company, it's important to assess the level of risk involved. If there's a chance that the device could contain sensitive information, it's recommended to take appropriate steps to mitigate that risk, such as changing passwords or rotating cryptographic keys. Implementing Zero Trust can also help mitigate the risk by limiting access to sensitive information to only authorized users and devices.
In a broader sense, businesses should have a comprehensive data management policy that includes procedures for the secure disposal of old devices. This includes sharing those procedures with the employees directly involved with the disposal of old company devices and training them to ensure the policy is followed correctly.
Read the full whitepaper How I (could) have stolen your corporate secrets for $100 for more details, including instructions on how to correctly dispose of old hardware.
It is also essential to keep all firmware up to date, as outdated firmware may contain vulnerabilities that hackers can exploit. Manufacturers release regular updates to enhance the security of their devices, and downloading these updates is highly recommended.
With the constant evolution of technology, it's not always easy for companies to monitor all potential threats. It’s crucial to be aware of the risks associated with poorly secured routers and take the necessary steps to protect themselves. By following the above-mentioned steps, you can increase the chance your company data stays safe.