Corporate-grade network equipment that is resold on the secondary market may contain sensitive data that can be exploited by hackers to breach corporate environments or access customer information.

Upon examining numerous pre-owned routers designed for enterprise-level use, researchers discovered that a significant portion of them had not been properly wiped during the decommissioning process before being sold online.

ESET, a renowned digital security company worldwide, has recently disclosed its latest research on corporate network devices that have been discarded and sold on the secondary market.

Their investigation involved analyzing the configuration data from 16 separate network devices, ultimately revealing that more than half of them, specifically nine routers, contained confidential company information.

This equates to over 56% of the total devices investigated.

According to the study, 18 secondhand core routers were procured by ESET, and over half of the functioning devices (56%) were discovered to still have full access to their configuration data.

Core routers serve as the essential foundation for large networks by linking all other network devices, supporting multiple data communication interfaces, and facilitating high-speed forwarding of IP packets.

“We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers.”

Cameron Camp, Security Researcher at ESET

Selling routers without proper cleaning is dangerous as such devices are increasingly targeted by hackers and government agencies due to valuable information they may contain, including corporate logins, network credentials, and encryption keys.

Researchers found that certain routers retained customer information, third-party network connections, and credentials for connecting as a trusted party.

Moreover, eight of the nine routers that had exposed their configuration data also contained authentication keys and hashes for router-to-router communication.

As BleepingComputer pointed out from the ESET report, the confidential information held by these routers extended to complete maps of sensitive applications hosted locally or in the cloud, such as Microsoft Exchange, Salesforce, SharePoint, Spiceworks, VMware Horizon, and SQL.

ESET warns that while the study on 18 routers may not fully represent the cybersecurity status of every company, the problem may be more widespread with millions of devices being sold on the secondary market.

Experts caution that while some information may be stored in simple words, others, like passwords, are hashed, but no password is entirely secure, especially when people still use weak passwords like their pet’s name.

Even with open data, attackers can gather valuable information about the network.