It's a Linksys WRT1900AC. Beyond resetting the firmware is there anything else I should consider as it's been used in a business. I'm thinking about personally identifiable information from a legal point of view. I would have thought not, but I keep getting people on eBay trying to fraudulently buy it, which made me think.
1 Answers
The only thing a router should store persistently is the settings you have changed. This includes the ESSID (network name), the wireless key, the administrator password, and any other credentials necessary for your use of the system (perhaps RADIUS credentials). A factory reset should clear all this information. Note however that low-end routers typically use cheap solid-state storage which can be problematic when it comes to data persistence. See this for example. Especially considering a router will not support TRIM or SED secure erasure, there will always be a risk that modifications to settings may be recovered via software by a moderately sophisticated attacker.
A router should not store anything that goes through it. On some routers, you can configure them to log DNS requests or save their system log to persistent storage, but this is generally only done if configured explicitly, and the storage target is usually external (e.g. a drive over a network or a USB flash drive). Even modern routers have an extremely limited amount of storage (16 MiB is not unheard of, and it's sometimes as low as 4). Unless your router is special or configured in a particularly problematic way, there is no reason to worry about logs storing sensitive information.
Note that this advice comes only from a technical point of view. From a legal point of view, the proper course of action depends on your jurisdiction and many other variables which may or may not be related to information security. I am not a lawyer and I cannot give legal advice. If you need to be in compliance with a particular privacy-related legal regulation, you should consult one.
- 2,235
- 6
- 18
- 30
- 64,616
- 20
- 206
- 257