Enterprise-level network equipment available on the black market conceals important information that hackers could use to infiltrate company networks or steal consumer data.
Researchers examined a number of used corporate-grade routers and discovered that the majority of them had been incorrectly decommissioned and then sold online.
Selling core routers
Eighteen secondhand core routers were purchased by researchers at cybersecurity company ESET, who discovered that on more than half of those that operated as intended, it was still possible to obtain the full configuration data.
All other network devices are connected via core routers, which act as the backbone of a large network. They are built to forward IP packets at the highest rates and to handle a variety of data transmission interfaces.
When the ESET research team initially purchased a few secondhand routers to create a test environment, they discovered that they had not been completely wiped and still included network configuration data as well as information that might be used to identify the former owners.
Four Cisco (ASA 5500) devices, three Fortinet (Fortigate series) devices, and eleven Juniper Networks (SRX Series Services Gateway) devices were among the hardware items purchased.
Cameron Camp and Tony Anscombe state in a report from earlier this week that two devices were mirror images of one another and were treated as one in the evaluation results, while one device was dead on arrival and excluded from the tests.
Only two of the 16 remaining devices had been hardened, making some of the data more difficult to access, and only five of the 16 had been properly wiped.
The majority of them, however, allowed access to the whole configuration data, which contains a wealth of information about the owner, how they configured the network, and the relationships between various systems.
The administrator of a corporate network device must issue a few commands to securely wipe the settings and reset the device. If this is not done, the router can be booted into recovery mode and its stored configuration read out.
Network loopholes
The researchers claim that a few of the routers stored user data, information allowing other parties to connect to the network, and even "credentials for connecting to other networks as a trusted party."
Additionally, the router-to-router authentication keys and hashes were present on eight out of the nine routers that provided the whole configuration data.
Complete maps of private applications stored locally or online were included in the list of business secrets. Examples include SQL, Spiceworks, Salesforce, SharePoint, VMware Horizon, and Microsoft Exchange.
According to the study, such in-depth insider knowledge is normally only available to "highly credentialed personnel" like network administrators and their managers.
With this kind of knowledge at hand, an attacker could craft an attack path that is hard to detect and that would take them far inside the network.
"With this level of detail, impersonating network or internal hosts would be far easier for an attacker, especially given that the devices frequently contain VPN credentials or other easily cracked authentication tokens," the researchers added.
Information found on the routers showed that many of them had been deployed in managed IT provider environments, which run the networks of large businesses.
One device even belonged to a managed security services provider (MSSP) that managed networks for hundreds of clients across a variety of industries (such as manufacturing, banking, healthcare, and education).
The researchers then discuss the significance of thoroughly cleaning network devices before getting rid of them in light of their findings. Companies should have policies in place for the secure disposal of their digital equipment.
The researchers also caution that relying on a third-party service for this task is no guarantee: after notifying the former owner of one router of their findings, they learned that the business had used such a service.
The advice is to wipe the device free of any potentially sensitive data and reset it to factory default settings in accordance with the manufacturer's instructions.
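As an added example (not from the ESET report), the following Python check scans a saved configuration export for the kinds of residual data the article lists, the sort of check to run after the factory reset and before the device leaves the building. The sample config and the regex patterns are constructed, Cisco IOS-style approximations, not a complete catalogue of sensitive settings.

```python
import re

# Constructed sample: a Cisco IOS-style running-config excerpt of the kind
# ESET found on resold routers. All values below are made up.
SAMPLE_CONFIG = """\
hostname CORE-RTR-01
!
username netadmin privilege 15 secret 5 $1$abcd$EXAMPLEHASH0000000000
enable secret 5 $1$wxyz$EXAMPLEHASH1111111111
!
snmp-server community public RO
!
crypto isakmp key SuperSecretPSK address 203.0.113.7
!
router ospf 10
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 ospfkey123
!
ip route 10.0.0.0 255.0.0.0 192.0.2.254
"""

# One pattern per category of leftover data the article describes: local
# credentials, router-to-router authentication keys, VPN pre-shared keys,
# SNMP communities, and addressing that maps the former owner's network.
SENSITIVE_PATTERNS = {
    "local_credential": re.compile(r"^\s*(username\s+\S+.*\s(secret|password)\s|enable\s+(secret|password)\s)"),
    "routing_auth_key": re.compile(r"^\s*ip ospf message-digest-key\s+\d+\s+md5\s"),
    "vpn_preshared_key": re.compile(r"^\s*crypto isakmp key\s"),
    "snmp_community": re.compile(r"^\s*snmp-server community\s"),
    "addressing": re.compile(r"^\s*(ip address\s+\d|ip route\s+\d)"),
}

def audit_config(text):
    """Return {category: [1-based line numbers]} for every line that still
    carries data which should not survive decommissioning; {} means clean."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(line):
                findings.setdefault(category, []).append(lineno)
    return findings

def is_safe_to_dispose(text):
    """True only when no sensitive category matched in the export."""
    return not audit_config(text)

if __name__ == "__main__":
    for category, lines in audit_config(SAMPLE_CONFIG).items():
        print(f"{category}: lines {lines}")
    print("safe to dispose:", is_safe_to_dispose(SAMPLE_CONFIG))
```

Run it against the export taken after the reset; a non-empty result means the wipe did not complete and the device should not be released.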