eBayed VPN kit hands over access to council network
'It's like putting an access hub in the car park'
Updated: An item of networking kit bought from eBay for just 99p ($1.79) gave privileged access to an internal network at an English county council.
The security risks posed by unwiped computer discs - which are often offered for sale on auction sites and sometimes even obtainable from council rubbish dumps - are well documented, but the purchase of VPN 3002 remote access kit by Andrew Mason, CTO at security services firm Random Storm, shows the same sort of problems also apply to second-hand networking equipment.
Mason bought the remote access kit for his business, but was surprised when it automatically connected to the internal network of Kirklees Council in Yorkshire as soon as it was switched on and connected to the internet. He'd bought many items of networking kit before and this was the first time he'd come across the issue. Normally the kit would need to be configured before access to anything was possible.
"The issue is similar to the problem of disposing of unwiped discs but even worse in some ways, because in the case of discs you have a snapshot of data while in this case hackers are given access to a network with live data. Once inside the network miscreants would be able to raise their privileges and potentially gain access to more sensitive systems," said Mason, who has worked in penetration testing.
He noted that the TJX hackers had gained access to a database of credit card records after compromising an insecure wireless network to connect to a corporate LAN. "Once you are inside the network there is all sorts of mischief you can do."
He added that the Kirklees breach was akin to providing an access hub that gave internal network access to all and sundry in the council car park.
A spokesman for Kirklees Council described the issue as a concern, but stressed that none of its data was compromised by the breach. Mason said he didn't do anything more than obtain a screenshot, which proved that internal access had been obtained. "It's lucky for them I bought it, rather than a black-hat hacker," he said.
Networking kit no longer needed by Kirklees Council was taken away by a third-party contractor, which sold it for a pittance on eBay. Even after paying £10 postage Mason picked up kit that would normally cost £400 for just £11.
"Kirklees Council needs to have a secure disposal policy. The equipment needs to be decommissioned and user logins revoked. As it was, they hadn't even reset passwords," Mason told El Reg.
The VPN Mason bought connected to an internet address owned by consulting firm Cap Gemini and allocated to Kirklees Council. A spokesman for Cap Gemini said that the consulting firm had run the network for the five years leading up to May 2005, when the council decided to take the job of running its network back in-house, the BBC reports.
In a statement, Kirklees Council acknowledged the issue but downplayed its significance. "The council is deeply concerned with this report but is confident that multiple layers of security have prevented access to systems and data.
"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken."
Cisco told the BBC that it supplied guidelines on how to reset networking equipment to restore factory default settings.
Mason bought the VPN server in August from eBay seller selectronicstore. A BBC investigation tracked this back to Manga-Fu, a firm which specialises in the disposal of electronics, and quoted Manga-Fu managing director Gary Cronnolley in its report.
After running an audit on its records, Manga-Fu is adamant that the VPN router didn't come through them. In a statement issued on 15 October, Manga-Fu said the BBC story was inaccurate and that the kit must have been bought from someone else. Mason bought many items of VPN kit, it said.
"The article alleged that a third party purchased a VPN router from us which when plugged in showed data from Kirklees Council.
"We have identified the sources of all VPN routers passing through Manga-Fu’s hands within the last 12 months and NONE of them have come from Kirklees Council."
Manga-Fu maintains that it follows the highest standards in the secure disposal and recycling of electronic kit.
"Whenever a VPN system is re-sold, we follow Cisco’s guidelines when resetting back to factory default settings. Manga-Fu operates to the highest of standards when it comes to the secure disposal of materials or products which hold or store data. Even where materials or products are sold or re-used, Manga-Fu’s systems and processes ensure that there can be no compromise or disclosure of data of previous users.
"To ensure the efficacy and integrity of our processes, products such as the VPN router in question are subject to three separate checks. Each check is such that it would reveal any failure to reset the product back to its factory settings and/or to leave data on the product."