• About
  • Subscribe
  • Contact
Friday, May 9, 2025
    Login
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
No Result
View All Result
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
No Result
View All Result
No Result
View All Result
Home Technology Security

Over 56% of recycled network devices contain sensitive corporate data

Gigi Onag by Gigi Onag
June 7, 2023
: Photo by Elly Filho on Unsplash

: Photo by Elly Filho on Unsplash

Organisations often recycle aging tech through third-party companies that are charged with verifying the secure destruction or recycling of digital equipment and the disposal of the data contained therein.

However, over 56% of network devices that were disposed of and sold on the secondary market contained sensitive company data, according to recent research conducted by ESET.

The digital security firm revealed its findings after looking at configuration data from 16 distinct network devices – nine of which contain sensitive company data.

  • 22% contained customer data
  • 33% exposed data allowing third-party connections to the network
  • 44% had credentials for connecting to other networks as a trusted party
  • 89% itemised connection details for specific applications
  • 89% contained router-to-router authentication keys
  • 100% contained one or more of IPsec or VPN credentials, or hashed root passwords
  • 100% had sufficient data to reliably identify the former owner/operator

In the wrong hands, this data is enough to jump-start a cyberattack that could lead to a data breach, placing the company, its partners and customers at risk.

Cameron Camp, ESET

“The potential impact of our findings is extremely concerning and should be a wake-up call,” said Cameron Camp, the ESET security researcher who led the project.

“We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organisations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers,” said Camp.

Proper decommissioning of hardware

The research also found that many companies are not following well-documented processes for proper decommissioning of hardware when preparing devices for the secondary market.

Tony Anscombe, ESET

“Exploiting a vulnerability or spear phishing for credentials is potentially hard work. But our research shows that there is a much easier way to get your hands on this data, and more,” said Tony Anscombe, chief security evangelist at ESET.

“We urge organisations involved in device disposal, data destruction, and reselling of devices to take a hard look at their processes and ensure they are in compliance with the latest NIST standards for media sanitisation,” he added.

The routers in this research came from organisations ranging from medium-sized businesses to global enterprises in a variety of industries (data centers, law firms, third-party tech providers, manufacturing and tech companies, creative firms, and software developers).

As part of the discovery process, ESET, where possible, disclosed the findings to each identified organisation – several of them household names – collaborating to ensure they were aware of the details potentially compromised by others in the chain of custody of the devices.

In the wrong hands, this data is enough to jump-start a cyberattack that could lead to a data breach, placing the company, its partners and customers at risk.

Mixed responses

Some of the organisations with compromised information were shockingly unresponsive to ESET’s repeated attempts to connect, while others showed proficiency, handling the event as a full-blown security breach.

Organisations are reminded to verify that they are using a trusted, competent third party to dispose of devices, or that they are taking all the necessary precautions if handling the decommissioning themselves. That should extend past routers and hard drives to any device that’s part of the network.

“Many organisations in this research probably felt that they were contracting with reputable vendors, but their data still leaked. With this in mind, it’s recommended that organisations follow the manufacturer’s guidelines for removing all data from a device before it physically leaves their premises, which is a simple step that many IT staff can handle,” ESET said in a statement.

Organisations are reminded to treat disclosure notifications seriously. Doing otherwise may leave them vulnerable to a costly data breach and significant reputational damage.

Majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved.

Cameron Camp, ESET security researcher

Whether an error by an e-waste company or the company’s own disposal processes, a range of data was found on the routers, including:

  • Third-party data: As we have seen in real-world cyberattacks, a breach of one company’s network can proliferate to their customers, partners, and other businesses with whom they may have connections.
  • Trusted parties: Trusted parties (which could be impersonated as a secondary attack vector) would accept certificates and cryptographic tokens found on these devices, allowing a very convincing adversary in the middle (AitM) attack with trusted credentials, capable of syphoning off corporate secrets, with victims unaware for extended periods.
  • Customer data: In some cases, core routers point to internal and/or external information stores with specific information about their owners’ customers, sometimes stored on premises, which can open customers up to potential security issues if an adversary is able to gain specific information about them.
  • Specific applications: Complete maps of major application platforms used by specific organisations, both locally hosted and in the cloud, were scattered liberally throughout the configurations of these devices. These applications range from corporate email to trusted client tunnels for customers, physical building security such as specific vendors and topologies for proximity access cards and specific surveillance camera networks, and vendors, sales and customer platforms, to mention a few. Additionally, ESET researchers were able to determine over which ports and from which hosts those applications communicate, which ones they trust, and which ones they do not. Due to the granularity of the applications and the specific versions used in some cases, known vulnerabilities could be exploited across the network topology that an attacker would already have mapped.
  • Extensive core routing information: From core network routes to BGP peering, OSPF, RIP and others, ESET found complete layouts of various organisations’ inner workings, which would provide extensive network topology information for subsequent exploitation, were the devices to fall into the hands of an adversary. Recovered configurations also contained nearby and international locations of many remote offices and operators, including their relationship to the corporate office – more data that would be highly valuable to potential adversaries. IPsec tunneling can be used to connect trusted routers to each other, which can be a component of WAN router peering arrangements and the like.
  • Trusted operators: The devices were loaded with potentially crackable or directly reusable corporate credentials – including administrator logins, VPN details, and cryptographic keys – that would allow bad actors to seamlessly become trusted entities and thus to gain access across the network.
Related:  PodChats for FutureCISO: Getting started as a security researcher
Tags: cybersecuritye-wasteelectronics recyclingESET
Gigi Onag

Gigi Onag

Gigi has more than 15 years of experience in technology journalism, covering various aspects of enterprise IT and telecommunications from both business and technology perspective. Before joining CXOCIETY as editor for FutureIoT in July 2019, she was assistant editor of ComputerWorld Hong Kong. Based in Hong Kong, she started with regional IT publications under CMP Asia (now Informa), including Asia Computer Weekly, Intelligent Enterprise Asia and Network Computing Asia and Teledotcom Asia. She had contributed articles to South China Morning Post, TechTarget and PC Market among others.

No Result
View All Result

Recent Posts

  • AI drives cloud market growth in Q1
  • ARTHALAND chooses OutSystems to advance real estate sustainability
  • Experts warn against AI-powered deepfake impersonation scams
  • Dropbox updates universal search and knowledge management product
  • Agentic AI-powered AppSec platform launched for the AI era

Live Poll

Categories

  • Big Data, Analytics & Intelligence
  • Business Applications & Databases
  • Business-IT Alignment
  • Careers
  • Case Studies
  • CISO
  • CISO strategies
  • Cloud, Virtualization, Operating Environments and Middleware
  • Computer, Storage, Networks, Connectivity
  • Corporate Social Responsibility
  • Customer Experience / Engagement
  • Cyber risk management
  • Cyberattacks and data breaches
  • Cybersecurity careers
  • Cybersecurity operations
  • Education
  • Education
  • Finance
  • Finance & Insurance
  • FutureCISO
  • General
  • Governance, Risk and Compliance
  • Government and Public Services
  • Growth Strategies
  • Hospitality & Tourism
  • HR, education and Training
  • Industry Verticals
  • Infrastructure & Platforms
  • Insider threats
  • Latest Stories
  • Logistics & Transportation
  • Management Leadership
  • Manufacturing
  • Media and Telecommunications
  • News Stories
  • Operations
  • Opinion
  • Opinions
  • People
  • Process
  • Remote work
  • Retail & Wholesale
  • Sales & Marketing
  • Security
  • Tactics and Strategies
  • Technology
  • Utilities
  • Videos
  • Vulnerabilities and threats
  • White Papers

Strategic Insights for Chief Information Officers

FutureCIO is about enabling the CIO, his team, the leadership and the enterprise through shared expertise, know-how and experience - through a community of shared interests and goals. It is also about discovering unknown best practices that will help realize new business models.

Quick Links

  • Videos
  • Resources
  • Subscribe
  • Contact

Cxociety Media Brands

  • FutureIoT
  • FutureCFO
  • FutureCIO

Categories

  • Privacy Policy
  • Terms of Use
  • Cookie Policy

Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl

Login to your account below

or

Not a member yet? Register here

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
Login

Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl

Subscribe