Slashdot Mirror

← Back to Stories (view on slashdot.org)

Two-Thirds of Second-Hand Memory Cards Contain Data From Previous Owners (bleepingcomputer.com)

Posted by msmash on from the how-about-that dept.

Catalin Cimpanu, writing for BleepingComputer: A recent study conducted by academics from the University of Hertfordshire in the UK has revealed that almost two-thirds of second-hand memory cards still contain remnants of personal data from previous owners. For their study, researchers analyzed 100 second-hand SD and micro SD memory cards purchased from eBay, conventional auctions, second-hand shops, and other sources over a four-month period. All in all, researchers say the memory cards they recovered were previously used in smartphones and tablets, but some cards were also used cameras, SatNav systems, and even drones. The research team says the analysis process consisted of creating a bit-by-bit image of the card and then using freely available software to see if they could recover any data from the card. Their efforts were successful and worrisome at the same time, as the team says it managed to recover data from the memory cards, including intimate photos, selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and other personal documents.

11 of 130 comments (clear)

  1. Just Surprised... by rally2xs · · Score: 3, Interesting

    ...that it's ONLY 2/3rds. Who remembers / bothers to erase that data, anyway? For my cameras and GPSs, I doubt that I'd bother. Info available is immensely non-useful to anyone else. A PC memory I would erase, and spend time writing 1's, 0's, and then random #'s to it, but the other hardware I really wouldn't care about.

    And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them. Everybody knows that.

    1. Re:Just Surprised... by KiloByte · · Score: 4, Insightful

      And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them.

      That kind person who made you lose the card is selling; he can't drink, smoke nor inject that card in its present form. And you did not get an opportunity to clean the data.

      Thus, we'd need some way to encrypt the cards yet still be able to comfortably share them between diverse systems, as unless the card is sitting in the dust behind your couch, the data is likely to be used. Not by the direct "finder", but as soon as anyone pays for the copy, those nudes and bank statements will be out there. Oh, by the way: if you're evil enough, here's a business opportunity. Don't take it.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Just Surprised... by Anonymous Coward · · Score: 2

      Thats nothing! A few years ago some folks bought 100 used copy machines. In every case, the hard drives in those machines had not only records of copier usage, but the actual documents that had been copied. Wait...you didn't know that copiers had hard drives and kept copies of documents? Some of the used copiers had come from police stations, and had copies of case documents on them.

      Be careful what you copy and where!!!

  2. Who sells them? by fph+il+quozientatore · · Score: 2

    Who the heck sells a memory card? They are as cheap as a McDonald's burger, and by the time you exit the store there are already larger ones on sale.

    --
    My first program:

    Hell Segmentation fault

    1. Re:Who sells them? by Anonymous Coward · · Score: 2, Insightful

      Thieves. That's also why they don't bother erasing the card.

  3. You've discovered my secret! by necro81 · · Score: 2

    My secret past-time is buying up old memory cards, finding the goodies, and then blackmailing the former owners, committing industrial espionage, and generally being amused. Now you all have gone and ruined it by warning everyone!

    Oh, wait, people are still lazy? Don't care about security? Wouldn't know how to wipe a card even if they did care? Well, then, I guess I'm all set.

    disclaimer: this post is in jest

  4. Re:Academics by ShanghaiBill · · Score: 4, Informative

    Who proposes such a study and then who approves it?

    According to TFA, a company, Comparitech.com, commissioned the study.

    Are these the kind of studies Universities should be pursuing?

    This wasn't a vast team of world-class researchers. It was likely one undergrad on academic probation working for class credit, sitting at a desk with a small pile of cards, plugging each one into the slot and pushing a button. Total cost: about $200 to buy the cards.

  5. Link to original source by Anonymous Coward · · Score: 4, Informative

    I could not find the link to the actual report in the summary or the linked article (unless I missed it). But some googling located it.

    https://cdn.comparitech.com/static/docs/survey-data-remaining-second-hand-memory-cards-uk.pdf

    It is linked in the story of the company that commissioned the research in the first place: https://www.comparitech.com/blog/vpn-privacy/secondhand-memory-card-study/

  6. Re:It's probably an undergraduate project by Oswald+McWeany · · Score: 2, Insightful

    There should be a separation of Education and State.

    No... there really shouldn't be. Not even close. That's about the stupidest idea I've heard in a long time. We had that in the 1700's. If you want 2% literacy follow that route! It's a benefit to EVERYONE that all of society is educated. Even if you're some rich snob, it's to your benefit that society is educated enough that it can create entrepreneurs, doctors, etc.

    --
    "That's the way to do it" - Punch
  7. Re:FAT chance by Oswald+McWeany · · Score: 2

    I'm not fat, I've got big ntfs!

    --
    "That's the way to do it" - Punch
  8. Time for storage to be encrypted by default? by davidwr · · Score: 2

    It would cost a bit more but maybe it's time for camera-cards, USB sticks, and the like to routinely use strong encryption with a non-secret-by-default key stored on a the medium itself.

    To the end user, it would "just work" except there would be a "quick erase" mode that would scramble the key then either do a normal operating-system-level "long" or "quick" format using the new key.

    Even a "quick format" by the OS would be good enough since the left-over data would be encrypted with a now-deleted key.

    Now, the key itself would need to be stored on a different part of the device than the rest, one that does not have "wear leveling" applied to it.

    It would also require a device that had its own intelligence, but that's a very low bar these days.

    As an option, manufacturers could have a volatile and non-volatile copy of the key and allow the host device to read and write the volatile copy (with or without write-back to the non-volatile copy), allowing the device to behave both as a "normal" memory stick or camera card or, optionally, as an "encrypted" data stick or camera card where the host device held the key when power was not supplied to the device.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.