Improper Scrubbing of Sensitive Data from Decommissioned Device

Abstraction: Base
Status: Incomplete
Structure: Simple
Description

This vulnerability occurs when a system lacks a reliable method for administrators to permanently erase sensitive information before taking hardware or software out of service. The data scrubbing feature might be missing, ineffective, or flawed, leaving confidential data behind.

Extended Description

When decommissioning a device or application—such as retiring a server, storage array, or IoT gadget—you must actively destroy any stored sensitive data. This process, often called data scrubbing or sanitization, is critical because simply deleting files or performing a factory reset often doesn't remove the underlying data from physical storage, making it recoverable by anyone with access to the hardware. Failure to properly scrub data exposes credentials, proprietary configurations, user information, and network details. Attackers can easily extract this information from discarded, sold, or repurposed equipment. To prevent this, you need built-in, verified secure erase functions that overwrite storage media according to recognized standards, going beyond basic deletion commands.
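A toy model, added here and not part of the CWE entry, of the point above: unlinking a file leaves its bytes on the medium, a scrub that only walks the file table misses them, and a verified scrub must cover the whole medium and read back its result. The block device, the flat file table and the secret are all constructed for illustration; nothing here is a real driver or filesystem.

```python
import os

BLOCK = 16  # bytes per block in the constructed toy medium

class BlockDevice:
    """In-memory medium: a flat bytearray addressed by block number."""
    def __init__(self, nblocks):
        self.raw = bytearray(nblocks * BLOCK)
    def write(self, blk, data):
        self.raw[blk * BLOCK:(blk + 1) * BLOCK] = data.ljust(BLOCK, b"\0")

class FlatFS:
    """Minimal filesystem: name -> list of blocks. delete() only drops the
    table entry and frees the blocks; the bytes stay on the medium."""
    def __init__(self, dev):
        self.dev, self.table = dev, {}
        self.free = list(range(len(dev.raw) // BLOCK))
    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            blk = self.free.pop(0)
            self.dev.write(blk, data[off:off + BLOCK])
            blocks.append(blk)
        self.table[name] = blocks
    def delete(self, name):
        self.free.extend(self.table.pop(name))  # no overwrite: data remains

def residue(dev, secret):
    """What a raw read of the medium finds: is the secret still present?"""
    return secret in bytes(dev.raw)

def flawed_scrub(fs):
    """Overwrites only blocks the file table still references, so anything
    already deleted or otherwise unreferenced is missed."""
    for blocks in fs.table.values():
        for blk in blocks:
            fs.dev.write(blk, b"\0" * BLOCK)

def verified_scrub(dev):
    """Overwrite every block of the medium (random pass, then zeros), then
    read the medium back and confirm the final pattern; True only on success."""
    n = len(dev.raw) // BLOCK
    for blk in range(n):
        dev.write(blk, os.urandom(BLOCK))
    for blk in range(n):
        dev.write(blk, b"\0" * BLOCK)
    return bytes(dev.raw) == b"\0" * len(dev.raw)
```

The same readback check is what separates a scrub you can attest to from one you merely hope ran.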

Common Consequences
Scope: Confidentiality

Impact: Read Memory

Potential Mitigations
Phase: Architecture and Design
Functionality to completely scrub data from a product at the conclusion of its lifecycle should be part of the design phase. Trying to add this function on top of an existing architecture could lead to incomplete removal of sensitive information/data.
Phase: Policy
The manufacturer should describe the location(s) where sensitive data is stored and the policies and procedures for its removal. This information may be conveyed, for example, in an Administrator's Guide or a Statement of Volatility.
Phase: Implementation
If the capability to wipe sensitive data isn't built in, the manufacturer may need to provide a utility to scrub sensitive data from storage if that data is located in a place that is not accessible to the administrator. One example of this is sensitive data stored on an EEPROM for which the system provides no user/admin interface.
Applicable Platforms
Languages:
Not Language-Specific: Undetermined
Technologies:
Not Technology-Specific: Undetermined
Modes of Introduction
Architecture and Design
Policy
Implementation
Notes
Maintenance: This entry is still under development and will continue to see updates and content improvements.