Mobile

6/28/2018
02:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

65% of Resold Memory Cards Still Pack Personal Data

Analyzed cards, mainly from smartphones and tablets, contained private personal information, business documentation, audio, video, and photos.

Wipe your device, then check it twice: A new study has found most secondhand memory cards contain personal information belonging to previous owners who either failed to properly remove their data or didn't attempt to delete it at all.

"We make such a big deal out of Facebook giving away our details, but many of us just leave this stuff out there on our local memory," says Comparitech privacy advocate Paul Bischoff.

In a study conducted by the University of Hertfordshire and commissioned by Comparitech, researchers bought and analyzed 100 used SD and micro SD memory cards from eBay, secondhand shops, auctions, and other sources over a four-month period. They created a forensic image of each card and used freely available software to recover data.

Most of the cards came from smartphones and tablets, Bischoff says, but some also came from satellite navigation systems, cameras, and drones. Sixty-five of the 100 cards analyzed still contained troves of personal materials: contact lists, browsing histories, intimate photos, passport copies, resumes, identification numbers, and business documentation, among them.

"It's really easy when people get a new device to just throw out the old one and get rid of it completely," Bishop notes. "If this information gets out there into the wrong hands, it could do a lot of damage … identity theft, extortion, blackmail."

Only twenty-five cards had been properly wiped so that no information could be recovered. Thirty-six were not wiped at all; neither their owners nor sellers took any steps to try and erase the data, either. Twenty-nine appeared to have been formatted, meaning their owners attempted to try and erase their information, but data still could be revered "with minimal effort," researchers explain. Four were broken, four were blank, and two had had their data deleted, but it was easily recoverable.

If a card is tossed without the proper precautions, Bischoff says, it's fairly easy for any third party to access the data inside. "It really doesn't take much know-how," he explains, noting that the researchers used free forensics software they found online to recover information.

Their findings indicate how device owners, businesses, and resellers are responsible for wiping information before it falls into someone else's hands. Users need to be more careful about deleting their data, of course, but resellers also need to properly wipe devices sold to them. Card manufacturers also play a role in making the process of erasing and disposing of cards both easier and more apparent for users, Bischoff adds.

"If it's corporate-owned, it really depends on what the business structure is for dealing with this sort of thing," he continues. In the case of BYOB devices, IT teams might not be able to remotely control or access an employee's smartphone or tablet. Bischoff says the cards containing business data in this study were likely personal and that the owners downloaded sensitive files.

Phones containing sensitive data should have all files backed up in a secure cloud or have user access controls to block users from saving important devices local on the device.

Researchers anticipate problems related to improperly erased data will continue as local storage gets less expensive and people store more types of information on memory cards. However, Bischoff argues, the expansion of cloud storage will cause people to shift.

"Obviously storage demands are increasing, but the rise of the cloud will minimize the effects to some degree," he says. "I think people will store in the cloud and skip local storage altogether."

How to Properly Delete Data
If you plan on reselling your smartphone, laptop, camera, or other device equipped with an SD or micro SD card, you need to properly delete the data. Many people try to wipe their SD cards but fail to get rid of all the information. Simply deleting a file from the device doesn't actually delete the ones and zeroes that make up the file; those stay on the device until overwritten.

You need to perform the "full format," not "quick format," Bischoff says. The process varies depending on your operating system, but both Windows and Mac devices have built-in formatting to erase all information from an external storage device.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OliverJ237
50%
50%
OliverJ237,
User Rank: Apprentice
8/3/2018 | 3:13:39 AM
Re: Not just memory cards
Phones containing sensitive data should have all files backed up in a secure cloud or have user access controls to block users from saving important devices local on the device.,electronic components,https://www.allicdata.com
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/2/2018 | 8:34:28 AM
Not just memory cards
Ages ago I purchased an Ebay Lexmark priner for a medical office I supported - it was identical to other systems so installation would be smooth, same drivers.  it arrived, worked great and when I hooked it up, a ton of saved print jobs from WHEREVER IT CAME FROM before starting winding out.  About 50 of them.  So not just cards but any memory device can have data. 
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6504
PUBLISHED: 2018-09-20
A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF).
CVE-2018-6505
PUBLISHED: 2018-09-20
A potential Unauthenticated File Download vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Unauthenticated File Downloads.
CVE-2018-14796
PUBLISHED: 2018-09-20
Tec4Data SmartCooler, all versions prior to firmware 180806, the device responds to a remote unauthenticated reboot command that may be used to perform a denial of service attack.
CVE-2018-14821
PUBLISHED: 2018-09-20
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to Port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to r...
CVE-2018-14827
PUBLISHED: 2018-09-20
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.