Investigation on device sanitization

Can we trust vendor sanitization methods for sensitive data on embedded network devices? And if they prove unsafe, what can be done to make the sanitization more complete? These questions are answered in the Electrical Engineering thesis of Magnus Larsson (founder of Stril Networks), carried out in the Stril Networks lab in the spring of 2015.

Abstract:

Embedded devices such as routers, switches, and firewalls commonly have sensitive information stored on them, such as passwords, cryptographic keys, and information about the network around them and the services that these devices provide. When disposing of or reselling this equipment in the secondary market, it is crucial to erase this sensitive information. However, there is an important question that must be asked: Do the erase commands and routines offered by the device manufacturers actually erase the sensitive data? This thesis investigates methods and tools to determine the completeness of this erasure in some common network devices. These methods are used on a sample of networking equipment found to still contain sensitive information after being erased according to vendor recommendations. A computer program was developed to show how this information can be removed. The information in this document is useful for equipment owners, brokers, and others looking to remarket their current equipment, all of whom want to minimize the risk of leaking sensitive data to other parties.

Full document