Since second-hand equipment is discounted, it would potentially be feasible for cybercriminals to invest in buying used devices to extract information and access the network and then use the information themselves or resell it. The ESET researchers say they debated whether to publish their findings, because they didn’t want to give cybercriminals new ideas, but concluded that raising awareness about the issue is more pressing.
“One of the big worries I have is that if someone evil it’s not It’s almost bad hacker practice to do this, because it would be so easy and obvious,” says Camp.
Eighteen routers is a small sample of the millions of enterprise networking devices circulating around the world on the resale market, but other researchers say they have repeatedly seen the same problems in their work, too.
“We’ve bought all kinds of embedded devices online on eBay and other second-hand sellers, and we’ve seen a lot that haven’t been digitally erased,” says Wyatt Ford, engineering manager for Red Balloon Security, an internet of things. security signature. “These devices can contain vast amounts of information that bad actors can use to target and carry out attacks.”
Similar to the ESET findings, Ford says Red Balloon researchers have found passwords and other credentials and personally identifiable information. Some data, such as usernames and configuration files, is often in plain text and easily accessible, while passwords and configuration files are often protected because they are stored encrypted. cryptographic hashes. But Ford notes that even encrypted data is still potentially at risk.
“We take password hashes found on a device and crack them offline; You’d be surprised how many people still base their passwords on their cats,” she says. “And even seemingly innocuous things like source code, commit history, network configurations, routing rules, etc., can be used to learn more about an organization, its people, and its network topology.”
ESET researchers note that organizations may feel they are being held accountable by contracting with third-party device management companies. e-waste disposal companies, or even device sanitization services that claim to clean large batches of enterprise devices for resale. But in practice, these third parties may not be doing what they say. And Camp also notes that more organizations could take advantage of the encryption and other security features conventional routers already offer to mitigate the fallout if devices that haven’t been wiped end up loose in the world.
Camp and his colleagues tried to contact the former owners of the used routers they bought to warn them that their devices were now on the loose spewing their data. Some welcomed the information, but others seemed to ignore the warnings or offer no mechanism through which the researchers could report safety findings.
“We used trusted channels that we had for a few companies, but then we found that many other companies are much harder to reach,” says Camp. “Scarily so.”