Your router could be leaking a whole lot of personal data without you knowing
Make sure to decommission your hardware properly, experts warn
If you’re not careful when decommissioning your old business routers, you could be risking serious sensitive data leaks, new research has warned.
A report from ESET found small and medium-sized organizations, as well as enterprises, often dispose of their old hardware inappropriately. As a result, they leak customer data, credentials, and various other authentication keys.
The company analyzed 16 distinct network devices that were disposed of and sold on the second-hand market and found nine devices - 56% - were still holding sensitive company data.
Passwords on a platter
Of the nine devices that had complete configuration data available, a quarter (22%) contained customer data, a third (33%) exposed data allowing third-party connections to the network, almost half (44%) had credentials for connecting to other networks as a trusted party, and almost all (89%) itemized connection details for specific applications and contained router-to-router authentication keys.
Furthermore, all of the devices (100%) contained one or more of IPsec or VPN credentials, or hashed root passwords, and had sufficient data to reliably identify the former owner/operator.
ESET also found that some companies didn’t really care about leaking sensitive data this way. After “repeated attempts to connect” and notify the firms of the potential problem, some companies were “shockingly unresponsive”. Others, however, “showed proficiency” and handled the problem as a “full-blown security breach”.
These findings should serve as a “wake-up call” for organizations to tighten up on their data protection practices, ESET says.
“We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite,” noted Cameron Camp, the ESET security researcher who led the project.
“Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.