For years now, we have been told that when disposing of desktops, laptops, servers, and printers, we need to watch out for hard drives, as they contain critical information that could put your business or personal identity at risk. The solution to this problem has been to remove those hard drives and physically destroy them, or overwrite every bit of data with zeros at least three times.
This has been sound advice and has helped us to greatly reduce the risk to our organizations and protect our personal information. However, times are changing, and we need to take this a step further. One area that’s often overlooked is embedded technology. Most embedded devices do not have hard drives, but they still have memory storage.
As an example, I was recently looking at some old industrial Wi-Fi access points. These devices had no hard drives installed, but they did have NAND flash chips, which are used to store the device’s firmware code along with all of its configuration data.
In this example, the device’s configuration data was extracted from the NAND flash memory chip. This data included the following configuration settings, to name a few:
- nt_name =
- nt_passwd =
- snmp_community =
- ssid =
- wpa_psk =
- wpa_radius_server_ip =
- wpa_radius_port =
- wpa_radius_key =
So, how does this affect an organization? For example, let’s say you have decided to upgrade your current industrial wireless network equipment and need to dispose of this old gear. When you replaced all the equipment, did you change the settings in your new network environment? If not, it’s likely the SSID, PSKs, various passwords, IP address ranges, and other identifying data used on the new equipment is, for the most part, the same as the old equipment.
So, your next step is deciding what to do with your old equipment. Do you send it out on a pallet and sell it off based on weight? Do you unload it on eBay? Do you send it off to a landfill? Or, do you send it to a disposal company and feed it into a giant metal shredder?
I think you know where I’m going with this. The correct answer is to physically destroy the equipment. Why? Removing the data from the flash memory is difficult. Factory reset is the typical method here, but you can’t be 100% sure the data has been removed. Sadly, I have encountered many situations where the factory reset didn’t quite work as well as expected, leaving the configuration data stored on the flash memory chip.
I have also found embedded memory being used that didn’t do wear leveling. One of the side benefits of wear leveling is the removal of deleted data by overwriting that area of flash memory when data is deleted or altered. This was originally designed to extend the life of the memory, but it also prevents the forensic recovery of deleted data. This means if wear leveling isn’t used, it may be possible to do a forensic recovery of the configuration data after it was deleted.
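One way to check a flash dump taken from a device you are about to retire for settings that survived a factory reset or a deletion. This is an added example, not code from the original article: it assumes the settings are stored as plaintext `key = value` text as in the list above, and `find_residual_config`, `factory_defaults` and the sample dump are hypothetical names and constructed data.

```python
import re

# Keys the article lists as recovered from the access point's NAND flash.
KEYS = [b"nt_name", b"nt_passwd", b"snmp_community", b"ssid", b"wpa_psk",
        b"wpa_radius_server_ip", b"wpa_radius_port", b"wpa_radius_key"]

# Assumption: settings sit in the dump as plaintext "key = value" text,
# the form shown in the list above. Empty values do not match.
PAIR = re.compile(
    rb"(?<![A-Za-z0-9_])(" + b"|".join(KEYS) + rb")[ \t]*=[ \t]*"
    rb"([\x21-\x7e][\x20-\x7e]*)"
)

def find_residual_config(image, factory_defaults=None):
    """Return (offset, key, value_length) for each non-default setting found.

    factory_defaults maps key -> value expected after a reset (hypothetical
    values; take them from a known-clean unit of the same model).
    Values are reported by length only so the report itself holds no secrets.
    """
    defaults = factory_defaults or {}
    hits = []
    for m in PAIR.finditer(image):
        key = m.group(1).decode()
        value = m.group(2).decode().rstrip()
        if defaults.get(key) == value:
            continue  # a reset legitimately writes this value
        hits.append((m.start(), key, len(value)))
    return hits

def make_sample_dump():
    """Constructed sample: erased flash (0xFF) around two config copies."""
    old = b"ssid = PLANT-FLOOR\nwpa_psk = example-psk-123\nsnmp_community = \n"
    new = b"ssid = default\nwpa_psk = \n"
    return b"\xff" * 2048 + old + b"\xff" * 2048 + new + b"\xff" * 1024

if __name__ == "__main__":
    dump = make_sample_dump()
    for offset, key, length in find_residual_config(dump, {"ssid": "default"}):
        print(f"0x{offset:06x}  {key}: {length} byte value still present")
```

An empty result only rules out plaintext copies; compressed or encoded configuration would not be matched, so it does not by itself show the chip is clean.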
Therefore, whether you’re doing a full update of a series of embedded technologies on your network or replacing a single device, do not toss it in the trash. This applies to all embedded technology that has been installed and integrated into your corporate environment. They all have the potential to contain critical information that malicious actors would love to get their hands on. So, unless you can be 100% sure those small flash memory chips contain no critical information or that the data cannot be forensically recovered, please conduct proper disposal of the technology.
This also applies to consumer-grade IoT technology. Whether you are upgrading or replacing a failed device, you will need to find a way to dispose of the technology safely. I recommend not selling your used equipment on eBay, unless you are certain your data has been completely removed. For personal safety reasons, I also recommend against the average person trying to physically destroy the technology themselves (plus, unless the actual flash memory chip is destroyed, someone with the right patience and tools could still recover the data from the chip). So, for physical disposal, I recommend checking with your local and state government on regulations for proper disposal of electronic equipment. Some areas may have disposal services that can shred the devices, then recover the plastic and metal for recycling.