Security researchers have publicly disclosed findings from a study showing that more than half of enterprise routers sold through online resellers, such as eBay, had not been factory reset or had their data wiped. This means that the devices still contained sensitive company information from their previous owners when they were resold.
Researchers at security firm ESET plan to showcase their study at the RSA Security Conference in San Francisco next week, but told Wired that they were able to expose enterprise organizations’ data from secondhand routers, including “network information, credentials and other confidential data” without much effort.
Specifically, the researchers purchased 18 used routers from well-known brands including Cisco, Fortinet, and Juniper Networks. They found that nine of the devices had been sold in a state that offered easy access to all of the router’s information. Meanwhile, five routers had been completely factory reset, with all data erased. Wired noted that two routers were encrypted, one was dead, and another was a mirrored copy of the device.
ESET researchers were able to collect information from nine unsecured routers, including “credentials for the organization’s VPN, credentials for another secure network communications service, and hashed root administrator passwords.”
Eight of the vulnerable routers contained “router-to-router authentication keys,” which contain “information on how the router connected to specific applications used by the previous owner.” Four of the routers included certificates “to connect to the networks of other organizations such as trusted partners, affiliates, or other third parties.” According to the study, three of the devices carried details on how someone could “connect to the previous owner’s network as a third party,” while two contained customer data.
ESET also noted that all nine vulnerable routers contained enough data for researchers to determine which organization they previously belonged to.
The researchers noted how much of a security risk these routers pose, given the proliferation of cybercriminals and state-backed hackers and how easily accessible the devices are. Because they are secondhand, the routers can be bought at a discount online, and bad actors can potentially scan the devices for valuable corporate information that they can sell on the dark web, and then resell the routers. The researchers said they were hesitant to release their findings, but ultimately decided that awareness was the better option.
The ESET team tells Wired that they’ve done their due diligence to contact and warn former owners about the state of their routers; some were grateful for the update. Meanwhile, others appeared to ignore the warnings or not cooperate.