Mobile

6/28/2018
02:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

65% of Resold Memory Cards Still Pack Personal Data

Analyzed cards, mainly from smartphones and tablets, contained private personal information, business documentation, audio, video, and photos.

Wipe your device, then check it twice: A new study has found most secondhand memory cards contain personal information belonging to previous owners who either failed to properly remove their data or didn't attempt to delete it at all.

"We make such a big deal out of Facebook giving away our details, but many of us just leave this stuff out there on our local memory," says Comparitech privacy advocate Paul Bischoff.

In a study conducted by the University of Hertfordshire and commissioned by Comparitech, researchers bought and analyzed 100 used SD and micro SD memory cards from eBay, secondhand shops, auctions, and other sources over a four-month period. They created a forensic image of each card and used freely available software to recover data.

Most of the cards came from smartphones and tablets, Bischoff says, but some also came from satellite navigation systems, cameras, and drones. Sixty-five of the 100 cards analyzed still contained troves of personal materials: contact lists, browsing histories, intimate photos, passport copies, resumes, identification numbers, and business documentation, among them.

"It's really easy when people get a new device to just throw out the old one and get rid of it completely," Bishop notes. "If this information gets out there into the wrong hands, it could do a lot of damage … identity theft, extortion, blackmail."

Only twenty-five cards had been properly wiped so that no information could be recovered. Thirty-six were not wiped at all; neither their owners nor sellers took any steps to try and erase the data, either. Twenty-nine appeared to have been formatted, meaning their owners attempted to try and erase their information, but data still could be revered "with minimal effort," researchers explain. Four were broken, four were blank, and two had had their data deleted, but it was easily recoverable.

If a card is tossed without the proper precautions, Bischoff says, it's fairly easy for any third party to access the data inside. "It really doesn't take much know-how," he explains, noting that the researchers used free forensics software they found online to recover information.

Their findings indicate how device owners, businesses, and resellers are responsible for wiping information before it falls into someone else's hands. Users need to be more careful about deleting their data, of course, but resellers also need to properly wipe devices sold to them. Card manufacturers also play a role in making the process of erasing and disposing of cards both easier and more apparent for users, Bischoff adds.

"If it's corporate-owned, it really depends on what the business structure is for dealing with this sort of thing," he continues. In the case of BYOB devices, IT teams might not be able to remotely control or access an employee's smartphone or tablet. Bischoff says the cards containing business data in this study were likely personal and that the owners downloaded sensitive files.

Phones containing sensitive data should have all files backed up in a secure cloud or have user access controls to block users from saving important devices local on the device.

Researchers anticipate problems related to improperly erased data will continue as local storage gets less expensive and people store more types of information on memory cards. However, Bischoff argues, the expansion of cloud storage will cause people to shift.

"Obviously storage demands are increasing, but the rise of the cloud will minimize the effects to some degree," he says. "I think people will store in the cloud and skip local storage altogether."

How to Properly Delete Data
If you plan on reselling your smartphone, laptop, camera, or other device equipped with an SD or micro SD card, you need to properly delete the data. Many people try to wipe their SD cards but fail to get rid of all the information. Simply deleting a file from the device doesn't actually delete the ones and zeroes that make up the file; those stay on the device until overwritten.

You need to perform the "full format," not "quick format," Bischoff says. The process varies depending on your operating system, but both Windows and Mac devices have built-in formatting to erase all information from an external storage device.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/2/2018 | 8:34:28 AM
Not just memory cards
Ages ago I purchased an Ebay Lexmark priner for a medical office I supported - it was identical to other systems so installation would be smooth, same drivers.  it arrived, worked great and when I hooked it up, a ton of saved print jobs from WHEREVER IT CAME FROM before starting winding out.  About 50 of them.  So not just cards but any memory device can have data. 
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10886
PUBLISHED: 2018-07-16
ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant.
CVE-2018-10859
PUBLISHED: 2018-07-16
git-annex is vulnerable to an Information Exposure when decrypting files. A malicious server for a special remote could trick git-annex into decrypting a file that was encrypted to the user's gpg key. This attack could be used to expose encrypted data that was never stored in git-annex
CVE-2018-14324
PUBLISHED: 2018-07-16
The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX RMI session, aka a &q...
CVE-2018-14325
PUBLISHED: 2018-07-16
In MP4v2 2.0.0, there is an integer underflow (with resultant memory corruption) when parsing MP4Atom in mp4atom.cpp.
CVE-2018-14326
PUBLISHED: 2018-07-16
In MP4v2 2.0.0, there is an integer overflow (with resultant memory corruption) when resizing MP4Array for the ftyp atom in mp4array.h.