Your router has more known CVEs than a pen tester's toolkit. And it's still online. Loyal to a fault - yours and the attacker's.
Here's how attackers exploit aging tech:
- Default configs - Factory passwords, open ports, forgotten services. Attackers don't brute-force when "admin/admin" still works.
- Weak crypto and obsolete protocols - SHA-1, old TLS, insecure key storage. Legacy POS systems often store encryption keys in plain text. Intercepting credentials has become a math problem that attackers solved years ago.
- Unpatchable by design - Hardware past its supported lifespan can't run modern updates. Known vulnerabilities stay open forever. Unsupported systems are 4x more likely to be weaponized[ref].
- Blind spots in monitoring - Legacy devices rarely integrate with modern SIEM or fraud platforms. If you can't see it, you can't flag it.
- Perfect pivot points - Compromised old hardware becomes internal infrastructure for proxying fraud traffic, manipulating transactions, or tampering with data before detection.
- Decommissioned but not disconnected - Hardware declared retired doesn't always leave the network. Forgotten servers, shelved routers, and acquired infrastructure from mergers can sit quietly online for months or years - still reachable, still exploitable. In 2024, a breach at data aggregator DemandScience exposed 122 million records traced back to a system decommissioned nearly two years prior[ref].
The numbers are uncomfortable: vulnerability exploitation now accounts for 20% of all breaches - up 34% year-on-year per Verizon's DBIR[ref]. Only 54% of edge device vulnerabilities were fully remediated, and those took a median of 32 days to patch. That's a month of open doors. Separately, "admin" appeared 53 million times as a password in recent breach data. Some doors were never closed to begin with.
What to do about it?
For organizations:
- Treat hardware age as a fraud risk indicator, not just an IT lifecycle issue.
- Inventory what's actually in production, not what's on paper.
- Isolate or segment legacy devices aggressively.
- Compensate with stronger monitoring, behavioral controls, and transaction-level anomaly detection.
- If replacement isn't possible yet, assume compromise and design controls accordingly.
- Retiring a device on paper is not the same as removing it from the network. Validate that decommissioned hardware is physically isolated or destroyed - not just administratively closed.
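
The inventory and decommissioning checks above can be automated by reconciling the asset register against what is actually seen on the network. This is an added example, not part of the original post; the CSV columns, the sighting line format (timestamp, MAC, IP) and all sample values are constructed assumptions.

```python
import csv
import io
import re
from datetime import date

# Constructed sample data: an asset register export and network sightings
# (e.g. pulled from DHCP leases or ARP tables). Both formats are assumptions.
INVENTORY_CSV = """asset_id,mac,status,end_of_support
rtr-branch-01,00:11:22:AA:BB:01,active,2019-06-30
pos-till-07,00-11-22-aa-bb-02,active,2027-01-31
srv-legacy-03,0011.22aa.bb03,decommissioned,2021-12-31
sw-core-02,00:11:22:aa:bb:04,decommissioned,2020-03-31
"""
OBSERVED = """2025-03-01T02:14:09Z 00:11:22:aa:bb:01 10.0.5.1
2025-03-01T02:14:11Z 00:11:22:AA:BB:02 10.0.5.27
2025-03-01T02:15:40Z 00-11-22-AA-BB-03 10.0.9.14
2025-03-01T02:16:02Z 00:11:22:aa:bb:99 10.0.9.50
"""

def norm_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def reconcile(inventory_csv, observed, today):
    """Compare the register ("on paper") with sightings ("in production")."""
    assets = {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {}  # normalized MAC -> last IP it was seen with
    for line in observed.splitlines():
        if line.strip():
            _ts, mac, ip = line.split()
            seen[norm_mac(mac)] = ip
    report = {"retired_but_online": [], "not_in_inventory": [], "online_past_support": []}
    for mac, ip in seen.items():
        asset = assets.get(mac)
        if asset is None:
            report["not_in_inventory"].append((mac, ip))
        elif asset["status"] == "decommissioned":
            report["retired_but_online"].append((asset["asset_id"], ip))
        elif date.fromisoformat(asset["end_of_support"]) < today:
            report["online_past_support"].append((asset["asset_id"], ip))
    return report

if __name__ == "__main__":
    for finding, hits in reconcile(INVENTORY_CSV, OBSERVED, date(2025, 3, 1)).items():
        print(finding, hits)
```

A retired asset that is never sighted (sw-core-02 in the sample) produces no finding, which is the outcome the decommissioning check is meant to confirm.
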
For everyone else:
- That router your ISP installed years ago and you've never touched? Log in, change the default password, update the firmware. Ten minutes. More doors closed than you'd expect.
Old hardware doesn't fail loudly. It fails quietly. And fraud loves quiet systems.