Let’s Talk about Recycling
The US military did it. Idaho Power did it. Companies upgrading their network infrastructure do it sometimes too. In 2019, Blancco and Ontrack found that 42% of their study sample did it. What’s the “it” in this case? Failing to properly remove data from decommissioned or unwanted devices before selling them.
While this might seem like an odd topic for a Practical Protection column, you probably have devices (whether servers, laptops, or mobile devices) in your organization that you decommission—and they may have sensitive data on them that you need to protect.
Let’s start with something that might not even be within your responsibilities: network devices like routers and switches. Especially if you have a complicated network topology that includes site-to-site VPNs, these devices all need to be sanitized according to the manufacturer’s instructions, which of course, vary by brand. This is true for wireless access points and extenders too.
The same goes for network-attached storage devices. When you get ready to recycle one of these, you need to ensure that the individual disks (whether HDD or SSD) and the devices themselves are wiped before they go off to eBay. Again, the specific NAS manufacturer will have a procedure for you to follow. As with routers, in general you can’t go wrong by just erasing the whole device back to factory settings using whatever procedure the manufacturer recommends.
Desktops, Laptops, and Servers
The simplest solution? Remove the hard drive and physically destroy it. This isn’t especially environmentally friendly, but it can be fun to get all “HULK SMASH.” Of course, you may not be able to do this. In that case, what you do next depends on whether the volumes are protected with BitLocker.
If BitLocker drive encryption is enabled and the computer has a hardware TPM, you don’t have to do anything. The disk encryption and TPM are secure enough that the device’s new owner won’t be able to recover any data from it.
If BitLocker wasn’t protecting the boot volume with a TPM, you should completely erase the drive; it’s not enough just to remove the users from it. As long as Windows is bootable, there is a non-zero chance that some amount of data might be forensically recoverable from it. The easiest way to do this is by either using a bootable Windows installation on a USB stick or making your own bootable GParted stick and using it to erase the disk.
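The decision in the two paragraphs above (release as-is when BitLocker is on and bound to a TPM, otherwise erase) is easy to get wrong on a machine you have not looked at in a while. The following PowerShell is an added example, not code from the column, that reports the verdict for every local volume. It assumes a Windows 10/11 or Windows Server box with the built-in BitLocker and TrustedPlatformModule modules and an elevated session; the function name Get-DecommissionAssessment and the verdict strings are my own.

```powershell
# Added example (not from the column): classify each local volume so you can
# decide between "release as-is" (BitLocker on, TPM-bound) and "must erase".
# Assumes Windows 10/11 or Server with the BitLocker and TrustedPlatformModule
# modules, run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-DecommissionAssessment {
    $tpm       = Get-Tpm                                # TpmPresent / TpmReady
    $tpmUsable = $tpm.TpmPresent -and $tpm.TpmReady

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, Password, ExternalKey ...
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $tpmBound  = @($protectorTypes -match '^Tpm').Count -gt 0
        $protected = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')

        # The column's rule: encrypted AND TPM-bound => nothing more to do;
        # anything else => erase the drive before it leaves the building.
        $verdict = if ($protected -and $tpmUsable -and $tpmBound) {
            'OK to release: fully encrypted and bound to a ready TPM'
        } elseif ($protected) {
            'ERASE: encrypted but no TPM protector on this volume'
        } else {
            'ERASE: protection off or encryption not complete'
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Protection   = $vol.ProtectionStatus
            VolumeStatus = $vol.VolumeStatus
            Protectors   = ($protectorTypes -join ',')
            TpmReady     = $tpmUsable
            Verdict      = $verdict
        }
    }
}

Get-DecommissionAssessment | Format-Table -AutoSize
```

Run it before the machine is unplugged, and keep the output with the asset record. Two practical notes: for the "erase" verdict, the bootable Windows install stick the column mentions gives you a command prompt (Shift+F10 at the setup screen) where `diskpart` with `select disk N` followed by `clean all` overwrites every sector of the disk, which is a reasonable alternative to a GParted stick. And even on an "OK to release" machine, a TPM-only protector (no PIN) still unseals the key to the original Windows install at boot, so if you want the encryption key gone as well as the data, clear the TPM (`Clear-Tpm`) or remove the key protectors before handing the device over.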
With laptops, it’s probably not as convenient to remove and destroy the drive. With servers, you’ll probably have multiple drives to deal with. Depending on the kind of device and what you’re selling, you may want to reinstall Windows using the OEM device key; in general, the easiest solution is to wipe everything out and let the buyer be in charge of getting a Windows license and installing whatever version they want to run.
Both Android and iOS have on-device tools to completely erase the device, except for the installed OS. This should be an obvious step when recycling or reselling devices, but a surprising number of devices make it into the market with data on them (as evidenced here).
What about Intune-Managed Devices?
Intune includes two features that can be useful for recycling devices, depending on what you want to do with the device later:
- The “retire” action removes managed app data and profiles assigned by Intune. It doesn’t affect the OS, and it doesn’t affect any unmanaged data on the device. When the device checks in to the Intune service, it will be removed from Intune management and will thus disappear from the Intune managed-device list. You’d typically only use this option if you were going to give the device to another user in the same organization.
- The “wipe” action disables BitLocker (if enabled) and then deletes all user files on the device. However, if you choose the “Wipe device, but keep enrollment state and associated user account” option for a Windows 10/11 device, user profiles remain on the device, as do any user accounts that are present. Perhaps most importantly, if the device has an autologin user configured, that remains intact also.
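The difference between the two wipe variants above is only visible after the fact, so it helps to pick the right option when issuing the action and then verify the result on the device. The following PowerShell is an added example, not code from the column or from Microsoft. The first function issues a full Intune wipe through the Microsoft Graph managedDevice wipe action (the `keepEnrollmentData` and `keepUserData` parameters are real Graph parameters; the managed device ID is a placeholder you supply) and assumes the Microsoft.Graph PowerShell SDK with the DeviceManagementManagedDevices.PrivilegedOperations.All permission. The second function runs on the device afterwards and lists any leftover profiles, local accounts, or autologon configuration; both function names are my own.

```powershell
# Added example (not from the column or Microsoft): a full Intune wipe via Graph,
# plus a local check for residual identity data after a wipe or retire.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account holds DeviceManagementManagedDevices.PrivilegedOperations.All.

function Invoke-IntuneFullWipe {
    param([Parameter(Mandatory)][string]$ManagedDeviceId)   # placeholder: your managedDeviceId

    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome

    # keepEnrollmentData=$false + keepUserData=$false is the full wipe.
    # keepEnrollmentData=$true is the "keep enrollment state and associated
    # user account" variant that leaves user profiles and autologon behind.
    $body = @{ keepEnrollmentData = $false; keepUserData = $false }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId/wipe" `
        -Body $body -ContentType 'application/json'
}

# Run this ON the device after it comes back from a wipe (or a retire).
# Returns one object per finding; an empty result means nothing that
# identifies your users survived.
function Test-ResidualIdentity {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Leftover user profiles (Special=$true marks SYSTEM/service profiles)
    Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Kind = 'UserProfile'; Detail = $_.LocalPath })
    }

    # 2. Enabled local accounts other than the built-in defaults
    $builtin = 'Administrator', 'DefaultAccount', 'WDAGUtilityAccount', 'Guest'
    Get-LocalUser | Where-Object { $_.Enabled -and ($_.Name -notin $builtin) } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Kind = 'LocalAccount'; Detail = $_.Name })
    }

    # 3. Autologon configured in Winlogon (the case the column calls out)
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.AutoAdminLogon -eq '1') {
        $findings.Add([pscustomobject]@{ Kind = 'AutoLogon'; Detail = "DefaultUserName=$($winlogon.DefaultUserName)" })
    }
    if ($winlogon.PSObject.Properties['DefaultPassword']) {
        $findings.Add([pscustomobject]@{ Kind = 'AutoLogonPassword'; Detail = 'DefaultPassword value present in Winlogon' })
    }

    return $findings
}

# Example usage on the device after it has checked back in:
# Test-ResidualIdentity | Format-Table -AutoSize
```

A wipe that was issued with the "keep enrollment state" option shows up in the second function as UserProfile and, where it was configured, AutoLogon findings; if you see those on a device that is leaving the organization, issue the full wipe (or erase the disk as described in the desktops section) before it goes out the door.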
The Job’s Not Done Until You Clean Up
The individual risk of any one particular device making it to the market with some of your organization’s data on it may be low, and the impact of an attacker recovering that data may also be low. The problem is that you can’t guarantee those things to be true unless you know exactly what data was on the device to begin with, which you probably won’t. As we’ve seen in past columns, an attacker who can compromise a single account can leverage that access to escalate their access and wreak havoc in your enterprise, so the best and safest course of action is for you to sanitize any device that you retire or resell, even if it seems unnecessary. That will keep your network safer and, as a bonus, keep you out of the press.