Let this be a lesson in wiping your hardware before sending it out to a refurbisher: Researchers from the security firm ESET have found that fewer than half of secondhand enterprise routers in their sample were wiped of internal data, which poses a risk both for the companies that sold these routers and their customers.
According to a report from Wired, out of the 18 corporate routers that the research team purchased secondhand, only five had been wiped. Nine of the routers had been left as is, two were encrypted, one was dead, and one was a copy of another device. The nine devices that hadn’t been wiped had enough information stored on them to identify the previous owners, as well as login information for the organizations’ VPN, credentials for a communication service, and hashed root administrator passwords. More distressingly, two contained customer data. The ESET researchers will present their findings at the RSA security conference in San Francisco next week.
“A core router touches everything in the organization, so I know all about the applications and the character of the organization—it makes it very, very easy to impersonate the organization,” said Cameron Camp, an ESET security researcher and project lead, to Wired. “In one case, this large group had privileged information about one of the very large accounting firms and a direct peering relationship with them. And that’s where to me it starts to get really scary, because we’re researchers, we’re here to help, but where are the rest of those routers?”
Eight of the nine unwiped routers contained network keys and data on how the router connected to applications used by its last owner. Four had logins for the networks of collaborators the previous owners worked with, and three had data on how to connect to the previous owner’s network as a third party. While 18 routers is a relatively small sample size, Wired says that the team has seen similar patterns in their research elsewhere.
It’s easy to think of routers like they’re monitors or speakers, but they actually come equipped with motherboards that are, in many cases, strong enough to play PS2 games. They’re essentially mini-computers, and as such, pose a data risk if sold unwiped. How to factory reset a router depends on its brand, but it is often as simple as using a paperclip to push in a button on the back of the device.
Properly wiping your hardware before pawning it off to a refurbisher is paramount in the quest to protect your data and digital privacy. Failing to do so isn’t just a disservice to you as a consumer, but also hurts the secondhand market as a whole. Earlier this year, refurbisher John Bumstead revealed on Twitter that Apple’s T2 security chip was keeping MacBooks locked unless the previous user wiped their data using the Erase Assistant. This security feature has forced the secondhand market to sell these laptops, which can be worth thousands of dollars, for scrap parts.