Used Routers Provide a Path To Company Secrets

Posted on Saturday, Apr 29, 2023 by Ned Bellavance

Featured in this episode of Chaos Lever

Path. Route. You get it, right?! Listen, it’s early and I’m only on my second cup of coffee. But even in this caffeine-deprived state, I know enough to wipe out the data on all electronics that I might put up for sale. Sadly, the same cannot be said of most companies.

Security firm ESET decided to see what folks were leaving behind on their network gear. They purchased 18 used routers from eBay and cracked them open. Fully half of the routers had not been wiped or encrypted in any way, with VPN credentials and unhashed root passwords just hanging out in the open for anyone with a console cable to see. Two of the devices were at least encrypted, but not wiped. And five were actually properly wiped.

Also on the unwiped devices were router-to-router authentication keys, network connection credentials for other companies, and customer data. This is a freakin’ gold mine for any cyber-criminal or would-be hacker. You’re literally being handed the keys to the castle and in some cases the keys to partner castles as well.

In one case, the researcher had remote access credentials to a major accounting firm, not because the device was from the firm, but because it was from a partner who connected via a site-to-site VPN. This is just the laziest kind of security lapse, as wiping a device is not exactly a difficult process.

I suspect in many cases, the effort to resell was not spearheaded by the networking or security team, and instead was an effort by someone else in the company to save a few dollars. And it will, until they get sued into oblivion for corporate negligence.