In a dusty plastic bin under my bed lies at least four laptops, six cellphones, and a half-dozen hard drives. I have no idea what’s on any of them. Most of these devices predate the cloud-storage era, and so likely contain solitary copies of photos, texts, and emails, among other confidential files (porn?) that I’d probably be horrified to learn had fallen into the hands of strangers.
In retrospect, I should’ve taken a sledgehammer to my pile of electronic garbage long ago, or maybe tossed it into a burn barrel before soaking the charred remains in a bath of hydrochloric acid. Overkill? Maybe not.
A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild. For around six months, he collected used desktop, hard disks, cellphones and more from pawn shops near his home in Wisconsin. It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII)—the bread and butter of identity theft.
Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six cellphones. The total cost of the experiment was a lot less than you’d imagine. “I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600,” he said.
Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good.
The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver’s license numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails.
Only two of the devices were erased properly, he said: a Dell laptop and a Hitachi hard drive. And only three were encrypted.
The silver lining here is that, despite how inexpensive the experiment was to perform, it still cost more to gather all that PII than you’d make selling it on any dark net marketplace (though Frantz did not attempt to assess whether any of the documents or photos might hold any value as blackmail material).
“No matter how we calculate the value of the data gathered, we would never recoup our initial investment of around $600,” he said. “This raises a fascinating point: Data leakage/extraction is so common that it has driven down the cost of the data itself. I saw several dumps of Social Security numbers on the Darknet for even less than $1 each.”
A similar study at the University of Hertfordshire recent found that more than two-thirds of used USB drives sold in the U.S. and U.K. still contained the data of their previous owners. Out of 100 drives purchased in the U.S., 64 had data that was deleted deleted, but could easily be recovered.
The important thing to remember is that when a file appears to be deleted, it may not be. On a desktop or laptop computer, when a user deletes a file, the operating system mere flags the space that the data occupies as available to be overwritten. Without this, the workflow would get bogged down, as data erasure is actually more time consuming than you might think. Fifty gigabytes of space, for instance, could take up to an hour or more to properly wipe. Unless the space is overwritten, deleted files can be easily recovered.
There are a lot of tools available to help users properly sanitize a hard disk, such as BitRaser and BitBleach. Used properly, these will generally overwrite data thoroughly enough that most commercial forensic data-recovery tools will be fairly useless. (More authoritative methodologies can be read here.) Frantz recommends using DBAN, also known as Darik’s Boot and Nuke.
But in the end, if you’re device was host to some very sensitive data, why chance it? Demolish that fucker and buy yourself some piece of mind. Frantz offers a few suggestions for how to go about this, in no particular order, include thermite, which is always fun (and stupid-dangerous) to use:
- Incineration (be careful of toxic by-products)
- Industrial shredding
- Drill/drill press
All of these methods require the use of proper safety gear and some requiring training. Even if you’re just bashing the shit out of an old hard drive with a hammer, don gloves and safety googles and beware of flying shards of circuitry. Never stick a hard drive in your microwave or try to melt it in your oven. If you don’t have a large area clear of all flammable materials, you should not be burning anything, ever. It may even be illegal for you to do so. The inside of your home is not an appropriate place to try and destroy your computer.
(Just for fun, there’s a great video here of the folks at Hack-a-Day experimenting with “thermite-based anti-forensic techniques.”)
If you don’t have access to any of the tools required, the space, or experience necessary, there’s probably a data destruction company in your area that operates in compliance with various privacy laws like HIPAA.
“If you’re worried about your data ending up in the wrong person’s hands, destroy the data,” said Frantz. “If you wish to do a good deed and donate your technology so others can benefit, make sure it’s at least wiped to an acceptable standard.” Even if a company claims they’ll erase your data for you, he adds, “there’s no good way to know whether that’s actually true unless you perform the wipe yourself.”
Now if you’ll excuse me, I need to find a big ass hammer and some acetone.