Is Selling Old Cisco Routers a Security Issue?

security router cisco

If you have console access to a Cisco Router you can use Cisco Password Recovery techniques to get in, then dump the cleartext config file via TFTP - you then have access to cleartext passwords, or passwords that are trivial to decrypt.

So you do need to factory reset. If you haven't got the login details for the routers (in which case you can probably get in via SSH over a network connection), then you will need to use the above techniques to get in, then issue the write erase command to drop the existing configs.


Password recovery methods for the majority of Cisco devices includes the ability to access the stored configuration. While enabling service-password-encryption hashes the stored passwords, it's not bullet proof.

Further, the configuration will contain sensitive information about the architecture and addressing of your network.

To answer your question directly:

Yes, selling used Cisco routers without wiping them of your data poses a security risk.


You really need to wipe them completely as stated by various others.

Getting a Cisco console cable is easy.

Nearly any new Cisco device I have ever seen comes with on in the box. It's either a blue one with a D-sub 9-pin connector on 1 end and a RJ45 on the other. Or it is a flat black cable (not UTP) with a RJ45 on both ends with a seperate 9pin or 25-pin D-sub connector that has a socket for a RJ45 plug that goes with it.

You probably have some of them lingering around somewhere in the server-room or on a storage-shelf. (First place to look is the patch-cabinet: Many admins keep one handy in each patch-cabinet as a matter of principle.)

You can make one yourself as well from an old serial cable and a RJ45 crimp connector. Just follow the instructions here: http://www.cisco.com/en/US/products/hw/routers/ps214/products_tech_note09186a00801f5d85.shtml

Serial settings are 9600 baud, 8 bits of data, 1 stop, no parity. No flow-control.


Save yourself from any future trouble and erase the configuration, like @mcmeel said this is sensitive information we are talking about. Keep the routers until you have access to a console cable and try again. The entire process shouldn't take long to complete on all five devices.

We all have limitations in our knowledge, if you don't feel confident enough then please find someone with a Cisco background who can do it.

Related

Unable to remove limit on memory usage for PHP script
Windows 2008 Server SP2 64bit - TCP Connections never releasing after TIME_WAIT
Should I be using LVM snapshots along with rsnapshot?
Processing Conflict: mysql55w-libs-5.5.36-3.w6.x86_64 conflicts mysql-libs < 5.5
Puppet configuration using augeas fails if combined with notify
Granting Domain Admin privileges to a cross-forest user account?
400 Error with nginx-ingress to Kubernetes Dashboard
Can bonding 2 interfaces double the speed?
How can I backup a SQL Server 2008 R2 DB without taking it offline?
Installing multiple mongoDB versions on the same server
moving to a larger drive in linux
Why there shouldn't be too many files in one directory that serves just static web requests?