Slashdot Mirror


Two-Thirds of Second-Hand Memory Cards Contain Data From Previous Owners (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A recent study conducted by academics from the University of Hertfordshire in the UK has revealed that almost two-thirds of second-hand memory cards still contain remnants of personal data from previous owners. For their study, researchers analyzed 100 second-hand SD and micro SD memory cards purchased from eBay, conventional auctions, second-hand shops, and other sources over a four-month period. All in all, researchers say the memory cards they recovered were previously used in smartphones and tablets, but some cards were also used in cameras, SatNav systems, and even drones. The research team says the analysis process consisted of creating a bit-by-bit image of the card and then using freely available software to see if they could recover any data from the card. Their efforts were successful and worrisome at the same time, as the team says it managed to recover data from the memory cards, including intimate photos, selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and other personal documents.


  1. Just Surprised... by rally2xs · · Score: 3, Interesting

    ...that it's ONLY 2/3rds. Who remembers / bothers to erase that data, anyway? For my cameras and GPSs, I doubt that I'd bother. Info available is immensely non-useful to anyone else. A PC memory I would erase, and spend time writing 1's, 0's, and then random #'s to it, but the other hardware I really wouldn't care about.

    And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them. Everybody knows that.

    1. Re:Just Surprised... by KiloByte · · Score: 4, Insightful

      And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them.

      That kind person who made you lose the card is selling; he can't drink, smoke nor inject that card in its present form. And you did not get an opportunity to clean the data.

      Thus, we'd need some way to encrypt the cards yet still be able to comfortably share them between diverse systems, as unless the card is sitting in the dust behind your couch, the data is likely to be used. Not by the direct "finder", but as soon as anyone pays for the copy, those nudes and bank statements will be out there. Oh, by the way: if you're evil enough, here's a business opportunity. Don't take it.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Just Surprised... by 91degrees · · Score: 1

      When I saw the headline, I assumed that was the number of people who didn't even bother to delete everything.

    3. Re:Just Surprised... by Anonymous Coward · · Score: 2

      That's nothing! A few years ago some folks bought 100 used copy machines. In every case, the hard drives in those machines had not only records of copier usage, but the actual documents that had been copied. Wait...you didn't know that copiers had hard drives and kept copies of documents? Some of the used copiers had come from police stations, and had copies of case documents on them.

      Be careful what you copy and where!!!

    4. Re:Just Surprised... by thegarbz · · Score: 1

      Info available is immensely non-useful to anyone else.

      Last time I found a memory card the contents were useful enough to directly identify the owner even though it contained nothing but camera snaps. Hell the last 2 times that was true and the second time I found the camera in the bottom of the ocean.

      Don't discount what is on your memory card. It's like those people who don't realise that posting a selfie with your plane ticket barcode visible is about all that is needed for someone to come in and cancel your flight on you.

    5. Re: Just Surprised... by Bing Tsher E · · Score: 1

      Not before she makes a backup copy on Carlos Danger's laptop.

    6. Re:Just Surprised... by ctilsie242 · · Score: 1

      I read that the SD secure part which consists of 20% of the card is still present, but you have to have a special controller to access that part. I wish the specs were more open, as it would possibly be a useful way to back up sensitive data, or just store the key to the rest of the card there.

    7. Re:Just Surprised... by ctilsie242 · · Score: 1

      What blows my mind is that it isn't hard to create an encryption system to guarantee that temporary files stored there are zapped. It can be as simple as deleting the old cruft, creating an LUKS volume or eCryptFS directory on bootup, keeping the key in RAM, and storing files there. If the copier gets power cycled, the keys are forgotten, and the documents are never accessible. Next bootup, the files are cleared out, and a new volume is made.

      If the copier uses Windows, a partition that is formatted and a new BitLocker key assigned can do similar.

  2. Re:Academics by Megol · · Score: 1, Funny

    If you weren't a lazy bastard you'd click on the relevant link to see that this study was commissioned by a company.
    But you are, so you waste a lot of bandwidth just to be a POS.

  3. Who bothers? WHO BOTHERS? by Anonymous Coward · · Score: 1

    That's the first damn thing on my mind whenever such a device is leaving my control.

    WTF is wrong with you people? Bell curve, that's what.

    1. Re:Who bothers? WHO BOTHERS? by Oswald McWeany · · Score: 1

      That's the first damn thing on my mind whenever such a device is leaving my control.

      WTF is wrong with you people? Bell curve, that's what.

      I wouldn't even SELL or give away any SD card/ HDD, etc, even if I had wiped it. Not worth potential privacy and identity loss, even if I have wiped it with special software... I just would never take that risk. Who even sells their used SD cards? What do you get $2? Not worth it.

      --
      "That's the way to do it" - Punch
    2. Re:Who bothers? WHO BOTHERS? by ctilsie242 · · Score: 1

      I have never bothered selling a used memory card. If it is leaving my possession, it gets the "dd if=/dev/urandom of=/dev/sdwhatever" treatment, at least once or twice.

  4. Who sells them? by fph il quozientatore · · Score: 2

    Who the heck sells a memory card? They are as cheap as a McDonald's burger, and by the time you exit the store there are already larger ones on sale.

    --
    My first program:

    Hell Segmentation fault

    1. Re:Who sells them? by Carrot007 · · Score: 1

      Stupid people that's who!

      The sort of people that do not know how to properly delete files (really a once over zeroing is fine, or choose your favourite number!).

      I am more worried about the sort of people that buy these second hand cards to trust their data to!

      I have many old cards. I should bin them but I like to hoard! They are all far too small anyway (16gb is the minimum these days, 64gb is usual, your view may differ!) I tend to buy above the burger price but below the point where the price gets silly.

      --
      +----------------- | What is the question!
    2. Re:Who sells them? by 110010001000 · · Score: 1, Funny

      I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.

    3. Re:Who sells them? by Anonymous Coward · · Score: 2, Insightful

      Thieves. That's also why they don't bother erasing the card.

    4. Re:Who sells them? by Wycliffe · · Score: 1

      I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.

      Where are you getting 400 used memory cards a month?

    5. Re:Who sells them? by OzPeter · · Score: 1

      I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.

      So you are buying them for $6 and selling them for $5 with the intention of making up for the losses with volume?

      --
      I am Slashdot. Are you Slashdot as well?
    6. Re:Who sells them? by OzPeter · · Score: 1

      I have many old cards. I should bin them

      Which raises the question of what is the environmentally way of disposing of them?

      That's one reason I also have a hoard of memory cards - I have no idea of the best way to dispose of them and the amount of money I'd make on selling them isn't worth my time*

      ---

      *Anyone want to bid on a San Disk EC-8CF 8MB CompactFlash card? It's Nikon branded!

      --
      I am Slashdot. Are you Slashdot as well?
    7. Re:Who sells them? by 110010001000 · · Score: 1

      You can break them in half to be safe. But there isn't really an environmentally sound way to dispose of them.

    8. Re:Who sells them? by PPH · · Score: 1

      Which raises the question of what is the environmentally way of disposing of them?

      What about an SD card is hazardous?

      --
      Have gnu, will travel.
    9. Re:Who sells them? by Oswald McWeany · · Score: 1

      But there isn't really an environmentally sound way to dispose of them.

      Throw them into an active caldera. They get instantly melted down and form part of the earth's magma. The only downside is you have to walk to the volcano- not drive because driving pollutes. Some people have a longer walk/swim than others.

      --
      "That's the way to do it" - Punch
    10. Re:Who sells them? by Oswald McWeany · · Score: 1

      Yes. I call it the Tesla strategy.

      Booooo! You're bashing Musk again! Booooo!

      - I was expecting to see you on the Musk offering to help the Thai cave victims article earlier. You let me down, you weren't there.

      --
      "That's the way to do it" - Punch
    11. Re:Who sells them? by ctilsie242 · · Score: 1

      Thefts come to mind, be it cell phones, cameras, or whatnot. A cell phone, even if it will never work for a provider, is still worth a lot, due to the screen and other parts, and a SD card, especially a larger one, is just icing on the cake.

      Some Android phones do a great job at full volume encryption, so the SD card's loss means data isn't lost. Other phones don't do that, which can be a security risk.

  5. It's probably an undergraduate project by Anonymous Coward · · Score: 1

    The only problem is that taxpayers are funding it.

    There should be a separation of Education and State.

    1. Re:It's probably an undergraduate project by Oswald McWeany · · Score: 2, Insightful

      There should be a separation of Education and State.

      No... there really shouldn't be. Not even close. That's about the stupidest idea I've heard in a long time. We had that in the 1700's. If you want 2% literacy follow that route! It's a benefit to EVERYONE that all of society is educated. Even if you're some rich snob, it's to your benefit that society is educated enough that it can create entrepreneurs, doctors, etc.

      --
      "That's the way to do it" - Punch
  6. You've discovered my secret! by necro81 · · Score: 2

    My secret pastime is buying up old memory cards, finding the goodies, and then blackmailing the former owners, committing industrial espionage, and generally being amused. Now you all have gone and ruined it by warning everyone!

    Oh, wait, people are still lazy? Don't care about security? Wouldn't know how to wipe a card even if they did care? Well, then, I guess I'm all set.

    disclaimer: this post is in jest

    1. Re:You've discovered my secret! by cshark · · Score: 1

      Quite the racket you've got going on. But what do you do with the cards after you get the data off of them and blackmail the owners? That's a lot of media. I was thinking, you know, cost per gigabyte on memory cards is so low, it's almost negative. I bet you could do something fun with drive clustering if you had the hardware to do it.

      --

      This signature has Super Cow Powers

    2. Re:You've discovered my secret! by necro81 · · Score: 1

      But what do you do with the cards after you get the data off of them and blackmail the owners?

      Load them with malware, then sell them back on eBay! Or sprinkle them at various political gatherings to see who's gullible enough to pick them up and plug them in.

    3. Re:You've discovered my secret! by Aighearach · · Score: 1

      Most memory cards can be used directly by microcontrollers with built-in SPI communication. Even just an Arduino can give the access. Not to make it fast, but when you're hunting for a "fun" use case, that won't matter; you can still over-build it.

    4. Re:You've discovered my secret! by cshark · · Score: 1

      How devious.

      --

      This signature has Super Cow Powers

    5. Re:You've discovered my secret! by cshark · · Score: 1

      I like the political espionage angle.

      --

      This signature has Super Cow Powers

  7. Re:Academics by ShanghaiBill · · Score: 4, Informative

    Who proposes such a study and then who approves it?

    According to TFA, a company, Comparitech.com, commissioned the study.

    Are these the kind of studies Universities should be pursuing?

    This wasn't a vast team of world-class researchers. It was likely one undergrad on academic probation working for class credit, sitting at a desk with a small pile of cards, plugging each one into the slot and pushing a button. Total cost: about $200 to buy the cards.

  8. Re:Pics by Rik Sweeney · · Score: 1

    They're on the card, you just need PhotoRec.

  9. Link to original source by Anonymous Coward · · Score: 4, Informative

    I could not find the link to the actual report in the summary or the linked article (unless I missed it). But some googling located it.

    https://cdn.comparitech.com/static/docs/survey-data-remaining-second-hand-memory-cards-uk.pdf

    It is linked in the story of the company that commissioned the research in the first place: https://www.comparitech.com/blog/vpn-privacy/secondhand-memory-card-study/

  10. Re:Academics by 110010001000 · · Score: 1

    I can find that undergrad something better to do, like updating APK's HOST FILES list.

  11. SD card sellers are cows. by Anonymous Coward · · Score: 1

    You are all cows. Cows say moo. MOOOOOOO! MOOOOOOO! Moo cows MOOOOOO! Moo say the cows. YOU DBAN-NEEDING COWS!!

    1. Re:SD card sellers are cows. by Aighearach · · Score: 1

      I doubt they'd manage dban, if you want these cows to make progress that easy you'd have to somehow teach them to follow a shepherd.

      No, you're going to have to team up with app guy for this one. Make it easier.

  12. Re:Academics by cre1mer · · Score: 1

    Remember that academics have to establish themselves with peer reviewed papers. So they need to study something to get started. Once they get tenured at a university, they can study something serious like basket weaving from 10,000 years ago.

  13. TRIM on file deletion would do the job by evanh · · Score: 1

    but alas SD cards don't seem to support it.

  14. Help me out by cshark · · Score: 1

    Why is it shocking that you can recover unsecured data from a used memory card again? Especially when you're using recovery software to do the job? This one falls into the "no duh," category.

    --

    This signature has Super Cow Powers

    1. Re:Help me out by 110010001000 · · Score: 1

      Exactly. That was my point. How is this considered "academic study"? Of course I get crucified by the dullards on here who think this is novel research.

  15. Re:Academics by Anonymous Coward · · Score: 1

    Two of your questions were answered. You asked, "Who proposes such a study and then who approves it?" The previous comment explains that the study was commissioned by a company. More specifically, the company was Comparitech.com, which is in the article. And since the University of Hertfordshire conducted the study, I'd say there's a good chance they approved it. If you're looking for the name of a specific individual or group who signed off on it, I'd recommend getting in touch with the university directly. With respect to whether these are the kinds of studies that universities should be pursuing, I believe that the pervasive and growing scourge of data and identity theft suggests that they are certainly not without merit. Studies such as these can bolster public education campaigns, make business cases for new approaches to data security and secure deletion, inform private sector and governmental policy decisions related to storage media disposal, and so on. But these points aside, the term "snowflake" is sufficiently charged that I feel it's rather safe to assume that you're on the side of the political divide that believes in the absolute infallibility of the free market, in which case the very fact that this study was commissioned by a private company should justify it. Now, if that assumption is incorrect, and you're just concerned that this study in some way starved a more deserving study on climate change mitigation, for example, then you have my apologies.

  16. Re:FAT chance by DontBeAMoran · · Score: 1

    most PROGRAMMERS don't understand how FAT works

    Which is ironic, given the high percentage of fat programmers.

    --
    #DeleteFacebook
  17. Re:FAT chance by DontBeAMoran · · Score: 1

    P.S. The only reason I know so much about FAT is I tried to write a boot sector virus in assembler in school. Yeah, it didn't work as expected and I ended up erasing my own boot sector.

    This reminds me of this story.

    --
    #DeleteFacebook
  18. Re:Academics by 110010001000 · · Score: 1

    But look at who funds these "studies". Think about why they are funding them.

  19. Re:Academics by houghi · · Score: 1

    That is what they did. Plugging in second hand devices. That is how I got access to their network.

    The second research will be "How many random SD cards do you have to put in before your network is infected."

    --
    Don't fight for your country, if your country does not fight for you.
  20. Re:Academics by Anonymous Coward · · Score: 1

    I'm just not understanding why this makes you so angry. Maybe the company has an idea for simplifying the task of secure deletion for non-tech-savvy users, and wanted to commission a quick-and-dirty study to see how prevalent the problem of recoverable data on secondhand media is before proceeding? Maybe they just want to use it as propaganda to convince people to only buy new media, as you suggest (which I agree would be unethical). But to get so upset about it suggests that you feel it is materially harming more deserving research? I just don't think that whoever did this work would have been qualified to instead be working on cancer cures or something. Nor would the company who paid for it have been likely to otherwise spend that money on cancer research. So who's getting hurt here, or "taken in?" I don't see an ulterior motive on the surface, unless it is subsequently used to try to convince people that reusing storage media is inherently unsafe. And I don't see how this work being done prevents other, more significant or "real" research being done.

  21. Re:Academics by 110010001000 · · Score: 1

    Good point. There isn't any problem with using Universities for corporate propaganda, which like you said, would be unethical. You make excellent points. No reason to be upset actually. Thanks for the responses!

  22. Re:Academics by mysidia · · Score: 1

    Next question: How many used infected Windows laptops do you have to sell, before your keylogger sends back some "interesting" data? J/K

  23. people don't understand or don't care by roc97007 · · Score: 1

    This is nothing new. Several years ago, a local electronics junk store got in a bunch of Blackberries of various models (probably a company going out of business) and were selling them for something like $5 apiece. Daughter was a major texter at the time, and liked the retro look and superior keyboard, so we bought several different models so she could switch between them as her mood took her.

    We discovered that all but one of them had not been wiped. Appointments, phone numbers, baby pictures, still intact. No sexting, fortunately, but probably only because these phones had been corporate owned. (Which isn't a guarantee, now that I think about it. Maybe we got lucky.) [1]

    People either don't understand or don't care about wiping their data. Even the ones that do make an effort often don't understand that deleting the files just deletes the directory entries, not the data itself. Utilities that truly wipe the data from cards (and drives and anything else that potentially holds personal data) are known to tech geeks and privacy geeks but not to Fred and Ethyl User.

    [1] Thinking further about it, the last time I "participated" in a layoff, a bunch of us were called to a meeting and told to surrender our badges and phones immediately. I have no idea whether whoever was in charge wiped the phones. Or just sold them on ebay.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
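
What the comment above describes (deleting files or quick-formatting rewrites only the file-system metadata) can be checked on a raw image before a card leaves your hands. This is an added example, not part of the original thread; the 32 KiB card layout, file names and contents are constructed, and `quick_format`/`full_overwrite` are simplified models rather than real formatter behaviour.

```python
SECTOR = 512
# File "magic" bytes that carving tools key on.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-"}
METADATA_SECTORS = 4  # constructed layout: boot sector, FAT and directory stand-ins


def build_card() -> bytes:
    """Constructed 32 KiB 'card': metadata up front, two files in the data area."""
    card = bytearray(64 * SECTOR)

    def put(sector: int, data: bytes) -> None:
        card[sector * SECTOR:sector * SECTOR + len(data)] = data

    put(0, b"\xeb\x3c\x90CONSTRUCTED-BOOT")
    put(2, b"HOLIDAY JPG" + b"PASSPORTPDF")          # directory entries
    put(10, b"\xff\xd8\xff\xe0" + b"constructed photo bytes")
    put(20, b"%PDF-1.4 constructed passport scan")
    return bytes(card)


def quick_format(card: bytes) -> bytes:
    """Model of delete / quick format: only the metadata sectors are rewritten."""
    n = METADATA_SECTORS * SECTOR
    return b"\x00" * n + card[n:]


def full_overwrite(card: bytes) -> bytes:
    """Model of a single zeroing pass over every host-visible sector."""
    return b"\x00" * len(card)


def is_blank(sector: bytes) -> bool:
    """Blank means all 0x00 or all 0xFF (the erased state of flash)."""
    return sector.count(0) == len(sector) or sector.count(0xFF) == len(sector)


def scan_image(image: bytes) -> dict:
    """Count non-blank sectors and list the offsets of known file signatures."""
    used = sum(
        not is_blank(image[off:off + SECTOR]) for off in range(0, len(image), SECTOR)
    )
    hits = {}
    for name, magic in SIGNATURES.items():
        pos, offsets = image.find(magic), []
        while pos != -1:
            offsets.append(pos)
            pos = image.find(magic, pos + 1)
        if offsets:
            hits[name] = offsets
    return {"used_sectors": used, "hits": hits}


def safe_to_release(image: bytes) -> bool:
    """True only if no sector holds data and no file signature remains."""
    report = scan_image(image)
    return report["used_sectors"] == 0 and not report["hits"]


if __name__ == "__main__":
    card = build_card()
    for label, img in (("as used", card),
                       ("quick format", quick_format(card)),
                       ("full overwrite", full_overwrite(card))):
        print(f"{label:15} {scan_image(img)} release={safe_to_release(img)}")
```

The check fits a zero-fill wipe; after a `/dev/urandom` pass every sector is non-blank by design. A clean host-visible image also says nothing about blocks the card's controller has remapped out of view.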
    1. Re:people don't understand or don't care by roc97007 · · Score: 1

      Toss memory cards in fire. Don't breathe the fumes.

      A sledgehammer for the HD. It's not enough to mangle the logic board, stepper and heads, you have to destroy the discs.

      On selling devices, you're right, but I don't think regular people know enough, and there's few around willing to tell them.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  24. Re:FAT chance by Oswald McWeany · · Score: 2

    I'm not fat, I've got big ntfs!

    --
    "That's the way to do it" - Punch
  25. Re:Academics by thegarbz · · Score: 1

    They should do separate analysis of solid state drives and magnetic drives as well to see if they suffer from the same issue.

    Why? That is what I would call: settled science

    Incidentally that study on harddisks a few years back also got to the number two-thirds. Maybe two-thirds of people don't know basic data security regardless of what they are selling online :-)

  26. Time for storage to be encrypted by default? by davidwr · · Score: 2

    It would cost a bit more but maybe it's time for camera-cards, USB sticks, and the like to routinely use strong encryption with a non-secret-by-default key stored on the medium itself.

    To the end user, it would "just work" except there would be a "quick erase" mode that would scramble the key then either do a normal operating-system-level "long" or "quick" format using the new key.

    Even a "quick format" by the OS would be good enough since the left-over data would be encrypted with a now-deleted key.

    Now, the key itself would need to be stored on a different part of the device than the rest, one that does not have "wear leveling" applied to it.

    It would also require a device that had its own intelligence, but that's a very low bar these days.

    As an option, manufacturers could have a volatile and non-volatile copy of the key and allow the host device to read and write the volatile copy (with or without write-back to the non-volatile copy), allowing the device to behave both as a "normal" memory stick or camera card or, optionally, as an "encrypted" data stick or camera card where the host device held the key when power was not supplied to the device.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
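
A small model of the encrypt-by-default design proposed in the comment above, showing why scrambling the key is enough to make leftover data unreadable. This is an added example, not part of the original thread and not any real card's firmware: the `CryptoEraseCard` class is hypothetical, the secret is constructed, and an HMAC-SHA256 counter-mode keystream stands in for the hardware cipher a real device would use.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # keystream bytes produced per HMAC-SHA256 call


class CryptoEraseCard:
    """Hypothetical card: the flash array only ever holds ciphertext, and the
    media key sits in a separate slot that is overwritten in place."""

    def __init__(self, size: int) -> None:
        self.flash = bytearray(size)              # what a chip-level imager would see
        self.key_slot = secrets.token_bytes(32)   # kept outside wear-levelled storage

    def _keystream(self, offset: int, length: int) -> bytes:
        # Stand-in for a real disk cipher such as AES-XTS: HMAC-SHA256 in
        # counter mode. It reuses keystream when an offset is rewritten, so it
        # is only good enough to illustrate the key-erase idea.
        first, last = offset // BLOCK, (offset + length - 1) // BLOCK
        stream = b"".join(
            hmac.new(self.key_slot, i.to_bytes(8, "big"), hashlib.sha256).digest()
            for i in range(first, last + 1)
        )
        start = offset - first * BLOCK
        return stream[start:start + length]

    def write(self, offset: int, data: bytes) -> None:
        """Host write: encrypted transparently before it reaches the flash."""
        ks = self._keystream(offset, len(data))
        self.flash[offset:offset + len(data)] = bytes(a ^ b for a, b in zip(data, ks))

    def read(self, offset: int, length: int) -> bytes:
        """Host read: decrypted with whatever key is currently in the slot."""
        ks = self._keystream(offset, length)
        stored = self.flash[offset:offset + length]
        return bytes(a ^ b for a, b in zip(stored, ks))

    def quick_erase(self) -> None:
        """Replace the key; not a single data cell is rewritten."""
        self.key_slot = secrets.token_bytes(32)


def demo() -> dict:
    secret = b"constructed sample: passport no. X0000000"
    card = CryptoEraseCard(64 * 1024)
    card.write(5000, secret)
    readable_before = card.read(5000, len(secret)) == secret
    plaintext_at_rest = secret in bytes(card.flash)
    flash_before = bytes(card.flash)
    card.quick_erase()
    return {
        "readable_before": readable_before,
        "plaintext_at_rest": plaintext_at_rest,
        "flash_touched_by_erase": bytes(card.flash) != flash_before,
        "readable_after": card.read(5000, len(secret)) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The guarantee rests on the old key being truly gone, which is why the comment asks for key storage that wear leveling cannot silently copy elsewhere.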
  27. Re:FAT chance by iggymanz · · Score: 1

    Most filesystems in common use don't delete the file's contents, so what's your point?