The Data Layer That Standard Wiping Overlooks
When organisations think about data destruction, they typically focus on the obvious storage locations: hard drives, SSDs, and removable media. But modern IT equipment contains another layer of data storage that is frequently overlooked: firmware. Firmware is the low-level software embedded in hardware components that controls how those components operate, and it can store sensitive information that survives standard data wiping procedures.
What Firmware Is and Where It Lives
Firmware is software that is permanently programmed into a hardware device’s read-only memory (ROM), flash memory, or EEPROM (Electrically Erasable Programmable Read-Only Memory). It provides the instructions that the hardware needs to function at the most basic level, before any operating system or application software loads.
Virtually every component in a modern computer has its own firmware. The system BIOS or UEFI controls the initial boot process and hardware configuration. Storage controllers manage how data is read from and written to drives. Network interface cards contain firmware that manages network communication. Graphics cards have firmware that controls display output. Baseboard management controllers (BMCs) provide out-of-band system management. Even peripherals like keyboards, mice, and USB hubs have firmware.
Each of these firmware instances represents a potential location for data that is not addressed by standard drive-wiping procedures.
What Sensitive Data Can Firmware Contain?
The types of data found in firmware vary by component, but several categories are particularly relevant from a security perspective.
Configuration data: BIOS/UEFI settings often include boot order configurations, hardware passwords (BIOS passwords, hard drive passwords), TPM (Trusted Platform Module) configuration, Secure Boot keys and certificates, and network boot (PXE) server addresses that reveal internal network infrastructure.
BMC and management controller data: Server BMCs (such as Dell iDRAC, HP iLO, or Lenovo XCC) store administrator credentials, network configuration including IP addresses and VLAN assignments, LDAP/Active Directory integration settings, SSL certificates, event logs that may contain operational details, and virtual media configurations.
Network equipment firmware: Routers, switches, and firewalls store their entire configuration in firmware or flash memory, including network topology information, access control lists, VPN configurations and keys, SNMP community strings, routing tables, and administrator credentials.
Storage controller firmware: RAID controllers and HBAs may store array configuration data, cache contents (on battery-backed controllers), and encryption keys for self-encrypting drives managed by the controller.
Why Standard Wiping Misses Firmware
Standard data destruction tools focus on the primary storage media: the hard drive or SSD. They overwrite or sanitise the drive’s user-addressable storage space, which is where the operating system, applications, and user files reside. But firmware lives on separate flash chips or EEPROM on individual components, entirely outside the scope of drive-wiping operations.
A server that has had its drives wiped to NIST 800-88 Purge level may still contain administrator passwords in the BIOS, management credentials in the BMC, and network configuration in the NIC firmware. These residual data points can provide an attacker with valuable information about the organisation’s internal infrastructure and security practices.
Firmware Rootkits and Persistent Threats
Beyond configuration data, firmware can also harbour malicious code. Firmware rootkits are a class of malware that installs itself in a device’s firmware, where it persists across operating system reinstallations and even drive replacements. Because firmware executes before the operating system loads, firmware-level malware can evade detection by traditional security tools.
When disposing of IT equipment, the possibility that firmware has been compromised adds another dimension to the destruction decision. Simply wiping the drives does not eliminate firmware-level malware, which could potentially be activated by the next user of the hardware.
Addressing Firmware Data During Disposal
BIOS/UEFI reset: Most systems support a factory reset of the BIOS/UEFI settings, which clears passwords, custom configurations, and stored keys. This can typically be performed through the BIOS setup utility or by removing the CMOS battery (on older systems) or using a motherboard jumper.
BMC factory reset: Server BMCs should be reset to factory defaults before disposal. This clears network configuration, credentials, certificates, and logs. The specific procedure varies by manufacturer, but most BMCs provide a factory reset option through their web interface or command-line tools.
Network equipment reset: Routers, switches, and firewalls should have their configuration erased and be reset to factory defaults. For Cisco equipment, this involves erasing the startup configuration and VLAN database. Other manufacturers have equivalent procedures. Configuration files should be verified as cleared after the reset.
TPM clearing: If the system has a TPM, clear it through the BIOS/UEFI settings or the operating system’s TPM management tools before disposal. This removes stored encryption keys, certificates, and other security-sensitive data.
Physical destruction: For the highest assurance, physical destruction of the entire device eliminates all firmware-level data along with the primary storage. This is the only method that addresses every possible data location on every component simultaneously.
Building Firmware into Your Disposal Checklist
Firmware-level data is the layer that most data destruction processes miss. Including firmware sanitisation in your disposal workflow addresses a real risk that can expose sensitive infrastructure information and credentials long after the primary storage has been wiped.