Your decommissioned routers could be a security disaster

Here’s bad news: It’s easy to buy used enterprise routers that haven’t been decommissioned properly and that still contain data about the organizations they were once connected to, including IPsec credentials, application lists, and cryptographic keys.

“This leaves critical and sensitive configuration data from the original owner or operator accessible to the purchaser and open to abuse,” according to a white paper by Cameron Camp, security researcher, and Tony Anscombe, chief security evangelist, for security firm Eset (See: Discarded, not destroyed: Old routers reveal corporate secrets).

The pair bought 18 used routers and from them gleaned administrator passwords, maps of specific applications, data that would allow third-party access to other companies’ networks, and enough information to identify the enterprises that once used them.

Often, they included network locations and some revealed cloud applications hosted in specific remote data centers, “complete with which ports or controlled-access mechanisms were used to access them, and from which source networks.” Additionally, they found firewall rules used to block or allow certain access from certain networks. Often specifics about the times of day they could be accessed were available as well.

“With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens,” according to the white paper.

The routers—four Cisco ASA 5500 Series, three Fortinet Fortigate Series, and 11 Juniper Networks SRX Series Service Gateways—were all bought legally through used-equipment vendors, according to the paper. “No procedures or tools of a primarily forensic or data-recovery nature were ever employed, nor were any techniques that required opening the routers’ cases,” yet the researchers said they were able to recover data that would be “a treasure trove for a potential adversary—for both technical and social-engineering attacks.”

Of the 18 routers, one of them was dead—only the fan worked—so it was dropped from the testing, and two were paired for failover, so one of them was also dropped. Two others were hardened, so they yielded only internal and external IP addresses. Five had apparently been cleaned of configuration data in accordance with device-specific wiping procedures, so any data they might have contained wasn’t “trivially extractable,” the researchers wrote.

That left nine with complete configuration data available that “allowed us to ascertain with very high confidence the previous owners of those routers,” Camp and Anscombe wrote. The white paper doesn’t reveal the organizations’ names but describes them as “a data-center/cloud computing business (specifically, a router provisioning a university’s virtualized assets), a nationwide US law firm, manufacturing and tech companies, a creative firm, and a major Silicon Valley-based software developer.”

More than one router had been installed in a corporate network by managed IT providers then removed and resold with the data still on them, “so, often the affected organizations would have no idea that they may now be vulnerable to attacks due to data leaks by some third party.”

The one-time owners of the devices who were contacted by the researchers were unhappy about this. “Some were further surprised to learn that their former device was still in existence, having paid to have it shredded,” they wrote.

A medium-sized manufacturing business that used a disposal service was shocked by the data still on their retired router, the researchers wrote: “This data revealed company specifics like where their data centers are (complete with IPs) and what kinds of processes happened at those locations. From this information an adversary could get a critical view into proprietary processes that could be invaluable to the company—their secret sauce—which could be quite damaging. In an era where potential competitors digitally steal technical research, product designs, and other intellectual property to shortcut engineering R&D processes, this could have had a real financial impact.”

The problem isn’t the fault of the router vendors. “Some devices had better default security settings that made some data harder to access, but all devices had settable options to guard against the proliferation of ‘residual data’, even if they weren’t implemented,” the white paper said, “settings that would have been free and fairly simple to implement had the previous owners or operators known—or cared—to enable them.”

Based on the level of security implemented on the devices, Camp and Anscombe made inferences about the general security posture of each enterprise. “By noting how detailed or vague their security defenses were on these devices, we could make a reasonable approximation about the security levels in the rest of their environment,” the researchers wrote.

They noted that the size and sophistication of the organizations didn’t indicate their security expertise. “We would expect to see a large, multinational organization have a very structured, standards-driven, and complete set of security initiatives reflected in their devices’ configurations, but that just wasn’t always the case,” they wrote.

IoT networks are at risk

The problem of improper decommissioning is broader. “It’s not just routers,” they wrote, “all kinds of hard drives and removable media in the secondary market have already been investigated and found to be positively oozing the previous owners’ most sensitive data, and there promises to be a proliferation of stored data on IoT devices throughout the corporate environment. If miscreants manage to exploit one of a family of IoT devices, it seems likely that they would be able to gather corporate secrets on the secondary market for a whole class of devices, and then sell that data to the highest bidder or do the exploiting themselves.”

Camp and Anscombe originally set out to create a lab to test networks against real-world attacks and bought used gear for $50 to $100 to approximate current production environments. As the equipment arrived, they realized the devices, particularly core routers, contained sensitive information. “To determine if this initial finding was a one-off, we began procuring more device variations, as used in different market segments,” they wrote.

How to dispose of routers more safely

The researchers pointed out areas where enterprises should exercise caution to avoid having used routers leak data to whoever buys them.

First off, they recommend cleaning the devices using wiping instructions created by the vendors. “The irony is that these devices are typically fairly simple to wipe, often with just a command or two,” Camp and Anscombe wrote. “Some units, however, store historic configurations that may still be accessible, so you should carefully verify that there really is none of your information left on any of these devices.”

That might be accomplished on some devices by removing internal hard drives, CompactFlash, or other removable media and analyzing them with forensic tools to reveal whether sensitive data remained accessible.
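As an added example (not from the ESET paper or this article), a small Python check of the kind that verification step calls for: scan a configuration dump taken from a retired device, or from its removed storage media, and report any lines that still carry owner-identifying or secret material. The keyword patterns and both sample dumps are constructed assumptions for illustration, not vendor documentation.

```python
import re
from typing import List, Tuple

# Categories of residual data the paper describes (credentials, IPsec secrets,
# SNMP strings, private keys, internal addressing, identifying hostnames).
# Keyword choices are assumptions for illustration, not an exhaustive reference.
RESIDUAL_PATTERNS = [
    ("ipsec pre-shared key", re.compile(r"\bpre-shared-key\b|\bpsksecret\b", re.I)),
    ("stored credential", re.compile(r"\b(password|secret|passwd|encrypted-password)\b", re.I)),
    ("snmp community", re.compile(r"\bsnmp-server community\b|\bsnmp\b.*\bcommunity\b", re.I)),
    ("private key", re.compile(r"BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY")),
    ("internal address", re.compile(r"\b(10\.\d{1,3}|172\.(1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b")),
    ("identifying hostname", re.compile(r"^\s*(hostname|set system host-name)\s+\S+", re.I)),
]

def find_residual_data(dump: str) -> List[Tuple[str, int, str]]:
    """Return (category, line_number, line) for every line of a configuration
    dump that still carries owner-identifying or secret material."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        for category, pattern in RESIDUAL_PATTERNS:
            if pattern.search(line):
                findings.append((category, lineno, line.strip()))
                break  # one category per line is enough for a go/no-go decision
    return findings

def wipe_verified(dump: str) -> bool:
    """True only when nothing in the dump matches a residual-data category."""
    return not find_residual_data(dump)

# Constructed sample: fragments a retired device might still hold before wiping.
RETIRED_DEVICE_DUMP = """\
hostname corp-edge-fw01
username netadmin password 5 $1$EXAMPLEHASH$NOTREAL
crypto ikev1 policy 10
tunnel-group 203.0.113.7 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-NOT-A-REAL-KEY
snmp-server community EXAMPLEcommunity RO
access-list dc-allow extended permit tcp 10.20.0.0 255.255.0.0 host 10.50.1.10 eq 443
"""

# Constructed sample: a configuration as it might read after a clean factory reset.
WIPED_DEVICE_DUMP = """\
interface GigabitEthernet0/0
 shutdown
interface GigabitEthernet0/1
 shutdown
"""
```

Run the same check against any historic or backup configurations the device exposes, not just the running one, since the paper notes those may survive a wipe of the active config.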

Then beware when third parties may be in the security chain. An enterprise might hire a trusted managed service provider with a good reputation, but that provider might hire other vendors of unknown reliability to install and maintain devices and, importantly, retire them. “The lesson here might be that even if you’re doing your best work, relying on third parties to perform as expected is a process that is far from perfect,” the researchers wrote.

“On many levels, this research is about human error compounding to create a potential breach and the mitigation steps companies can take to reduce or avoid such pitfalls moving forward.”
