Cyber Risks of Improperly Disposed IT Assets

Image Source: NIST
According to NIST’s IT Asset Management , the typical asset lifecycle goes through the enrollment, operation, and end-of-life phases. IT assets include magnetic and optical media (hard drives, DVDs, USB flash drives, and SD cards) and components found in internet-connected devices. Examples include mobile devices (smartphones, tablets, and PDAs), laptops, desktops, servers, networking devices (routers and switches), scanners, copiers, printers, fax machines, and Internet of Things (IoT) devices (surveillance cameras and smart door locks). As the requirement to retire and upgrade IT assets increases, organizations and individuals may not know of how to properly “dispose” IT assets and data during the end-of-life phase. Once an IT asset reaches the disposal phase, it is prepared for both data removal and physical removal.
Decommissioning is the process of removing or retiring an old or obsolete IT asset from service and sanitizing the data from the media. When decommissioning IT assets, it is critical to properly sanitize, or wipe, all data securely from the media to help protect personally identifiable information (PII), sensitive data, and corporate information from unauthorized access. The sanitization method to be used depends on the type of storage media, the classification and sensitivity of the data which it stores, and the purpose of the media after it is sanitized.
The sanitization process removes information from the media, such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, and physical destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal (such as recycling, reselling, donating, or discarding in the trash). Several key factors for improper disposition include disorder, lack of organization, and maintaining a chain of custody often required by industry regulations. IT asset disposition (ITAD) services or reputable electronic waste (e-waste) vendors are frequently used by organizations and individuals to certify their data has not been compromised in the disposition of their IT assets.
Routers and printers with limited storage can hold sensitive information, such as ownership data, IP topology maps, pointers to external data stores, vendor network connection data, VPN details, trusted credentials, “crackable” or reusable administrator login credentials, cryptographic keys, and application-specific data. For example, the ESET cybersecurity firm discovered discarded Cisco, Fortinet, and Jupiter Networks’ enterprise routers that were not properly sanitized and contained configuration data. The routers also contained sensitive corporate information, such as IPsec or VPN credentials, hashed root passwords, customer information, data allowing third-party connections to the network, credentials for connecting to other networks, router-to-router authentication keys, and connection details for specific applications. Also, Canon warned users of home, office, and large format inkjet printers that their Wi-Fi connection settings in memory storage were not wiped as anticipated during the initialization process. Typical settings for these devices include network SSID, password, network type, assigned IP address, MAC address, and network profile. A threat actor could use this information to gain unauthorized access to the network that the printer was connected to, access shared resources, steal data, and perform other cyberattacks.
Additionally, Rapid7 security researchers discovered discarded medical infusion pumps sold on secondary markets, such as eBay, that exposed sensitive information, including access credentials and wireless authentication data from their previous owners. The information can then be used to gain internal access to the original owner’s network, exploit other vulnerable devices on the network, distribute malware or ransomware, or access and exfiltrate personal health information (PHI).
Failure to sanitize data and properly dispose of IT assets creates security vulnerabilities, privacy and industry regulatory violations, financial impacts, reputational damage, or environmental implications and could undermine cybersecurity controls and efforts in place. Furthermore, mission-critical or regulated data found on improperly disposed IT assets could be used for malicious purposes and have devastating consequences. The exposed information can provide insight into the overall security defenses of the device’s original owner, providing threat actors the means to target specific “crown jewel” assets, impersonate users, infiltrate networks or internal hosts, sell the information on the dark web marketplace, and more.