As pointed out on a few Twitter feeds, including:
Computer Weekly has an article titled “Avoiding security issues when recycling hardware” by Peter Ray Allison:
“Each year companies have to deal with an increasing amount of obsolete hardware. This is equipment that is under-powered or out of warranty, but nonetheless working and still functionally useful. The bulk of this equipment is typically desktop PCs and laptops, but the same also applies to peripherals, such as monitors, USB hard-drives and projectors.” […]
Full article:
http://www.computerweekly.com/feature/Avoiding-security-issues-when-recycling-hardware
Beyond the above article, for more information, read NIST SP 800-147 for firmware security guidance covering the Disposition phase of hardware.
http://csrc.nist.gov/publications/PubsSPs.html
None of the above covers what PII is stored in your firmware. Most firmware has some kind of password. UEFI has the concept of ‘logging in’ to your firmware; I am unsure where this is stored. I used to only be concerned about hard drives when I recycled systems. But post-BIOS, I am concerned about any NVRAM chip on the system where firmware may store data (main image, video, network cards, etc.). Do any vendors have UEFI firmware wipe utilities? Lenovo has a TPM reset CD, which is nice. If you know the places in the UEFI spec and/or EDK2 sources where UEFI stores PII, or where any vendor implementations store this data, please email me or leave a comment on this post. If you are a large enterprise, you should have your vendor explain how to deal with firmware PII during the Disposition phase before you purchase the hardware, i.e., this data should be in pre-sales information for products…
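One concrete place to start an inventory before disposition is the UEFI variable store, which Linux exposes through efivarfs. The script below is an added example (not from the article or any vendor tool): it parses efivarfs entries (a 4-byte little-endian attribute word followed by the variable data) and lists only the variables whose NON_VOLATILE attribute is set, i.e. the ones that actually persist in the NVRAM chip. The sample entries are constructed; the `AssetTag` variable and its GUID are made up for illustration, while `BootOrder` uses the real EFI global variable GUID.

```python
"""List UEFI variables that persist in NVRAM, parsed from efivarfs entries."""
import struct
from pathlib import Path

# Attribute bits defined by the UEFI specification (EFI_VARIABLE_*).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def parse_efivar(filename: str, raw: bytes) -> dict:
    """Parse one efivarfs file named 'Name-<GUID>': 4-byte attributes, then data."""
    if len(raw) < 4:
        raise ValueError(f"{filename}: too short to be an efivarfs entry")
    if len(filename) < 38 or filename[-37] != "-":
        raise ValueError(f"{filename}: expected 'Name-<36-char GUID>'")
    (attrs,) = struct.unpack("<I", raw[:4])
    return {
        "name": filename[:-37],
        "guid": filename[-36:],
        "attrs": attrs,
        "non_volatile": bool(attrs & EFI_VARIABLE_NON_VOLATILE),
        "runtime": bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS),
        "size": len(raw) - 4,  # payload bytes that would survive in NVRAM
    }


def nvram_inventory(entries: dict) -> list:
    """Return only NON_VOLATILE variables, largest payload first."""
    parsed = [parse_efivar(n, b) for n, b in entries.items()]
    return sorted((p for p in parsed if p["non_volatile"]),
                  key=lambda p: p["size"], reverse=True)


def read_efivars(directory: Path = EFIVARS_DIR) -> dict:
    """Read real entries on a UEFI Linux host; unreadable files are skipped."""
    entries = {}
    for path in directory.iterdir():
        try:
            entries[path.name] = path.read_bytes()
        except OSError:
            continue  # some entries are not readable without privileges
    return entries


# Constructed sample entries (not captured from a real machine).
SAMPLE_ENTRIES = {
    "BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c": struct.pack("<I", 0x7) + b"\x00\x00\x01\x00",
    "AssetTag-12345678-1234-1234-1234-123456789abc": struct.pack("<I", 0x7) + b"PC-0042\x00",
    "Scratch-12345678-1234-1234-1234-123456789abc": struct.pack("<I", 0x6) + b"\x01",
}

if __name__ == "__main__":
    source = read_efivars() if EFIVARS_DIR.is_dir() else SAMPLE_ENTRIES
    for var in nvram_inventory(source):
        print(f"{var['name']:<24} {var['guid']} {var['size']:>6} bytes persistent")
```

Run on a real host it prints the persistent variables to review (vendor-specific GUIDs are the interesting ones); the volatile `Scratch` sample is excluded because it lives only in RAM until reboot.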
