CAPEC-675: Retrieve Data from Decommissioned Devices
An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.
Last updated
Overview
CAPEC-675 (Retrieve Data from Decommissioned Devices) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content.
Skills required
- High skill: An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.
- Medium skill: An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content.
Consequences
What a successful CAPEC-675 attack can achieve.
Bypass Protection Mechanism
Affects: Accountability
How to mitigate it
Defenses that reduce the risk of CAPEC-675.
- Backup device data before erasure to retain intellectual property and inside knowledge.
- Overwrite data on device rather than deleting. Deleted data can still be recovered, even if the device trash can is emptied. Rewriting data removes any trace of the old data. Performing multiple overwrites followed by a zeroing of the device (overwriting with all zeros) is good practice.
- Use a secure erase software.
- Physically destroy the device if it is not intended to be reused. Using a specialized service to disintegrate, burn, melt or pulverize the device can be effective, but if those services are inaccessible, drilling nails or holes, or smashing the device with a hammer can be effective. Do not burn, microwave, or pour acid on a hard drive.
- Physically destroy memory and SIM cards for mobile devices not intended to be reused.
- Ensure that the user account has been terminated or switched to a new device before destroying.
Examples
A company is contracted by an organization to provide data destruction services for solid state and hard disk drives being discarded. Prior to destruction, an adversary within the contracted company copies data from select devices, violating the data confidentiality requirements of the submitting organization.
Terminology & mappings
Mapped taxonomies
- ATTACK: Exfiltration Over Physical Medium (1052)
Frequently asked questions
Common questions about CAPEC-675.
- What is CAPEC-675?
- An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.
- How do you prevent CAPEC-675?
- Backup device data before erasure to retain intellectual property and inside knowledge.
- What weaknesses does CAPEC-675 target?
- CAPEC-675 exploits 1 CWE weakness, including CWE-1266 (Improper Scrubbing of Sensitive Data from Decommissioned Device).
- How severe is CAPEC-675?
- MITRE rates CAPEC-675 as Medium severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-675
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.