Discarded Routers Expose Corporate Secrets

How Improperly Discarded Routers Leave Businesses Vulnerable to Cyberattacks

Companies are unwittingly exposing sensitive corporate data due to the improper disposal of old routers, according to a research report published by ESET, a global cybersecurity firm. The study, titled “Discarded, not destroyed: Old routers reveal corporate secrets,” warns that the lack of proper data sanitization protocols when decommissioning routers can lead to grave security consequences.

ESET researchers conducted a study by purchasing used routers to set up a test environment. To their astonishment, they discovered that many of the routers contained previously used configurations that had not been erased. Moreover, the data on these devices could be exploited to identify prior owners and their network configurations.

The study was expanded to include a total of 18 acquired routers, with one being inoperable upon arrival and two being a mirrored pair counted as a single unit. After accounting for these adjustments, the researchers found configuration details and data on over 56% of the routers.

The data obtained from these devices included customer information, router-to-router authentication keys, application lists, and more. Such data could provide cybercriminals with the initial access required to launch a cyberattack, allowing them to research a company’s digital assets and identify valuable targets.

Recent years have witnessed cybercriminals adopting advanced persistent threat (APT) attack styles to gain entry into networks and establish a foothold. These bad actors use sophisticated methods to extract data, bypass security measures, and ultimately cripple businesses with ransomware attacks or other malicious activities.

ESET researchers emphasized that unauthorized access to a company network is a valuable asset, with research by KELA Cybercrime Prevention estimating the average price for access credentials to corporate networks at around $2,800. As a result, a used router purchased for a few hundred dollars could provide a significant return on investment for cybercriminals.

Concerningly, ESET’s attempts to alert companies about their data being accessible in the public domain were met with varied responses. While some companies were receptive to the warnings, others ignored the repeated contact attempts, and some confirmed that the devices had been sent for secure destruction or wiping—a process that had evidently failed.

ESET’s research highlights the importance of proper data sanitization when decommissioning routers. Companies must ensure that devices are thoroughly cleansed, and that the sanitization process is certified and audited regularly. This will prevent sensitive corporate data from being sold in public secondhand hardware markets.

ESET has published a white paper detailing their findings and providing guidance on data sanitization processes, including references to NIST special publication 800.88r1, Guidelines for Media Sanitization. The firm strongly recommends that organizations review the details and use the findings as a catalyst to verify their own data sanitization protocols, ensuring that no data is unintentionally disclosed