SD cards – those tiny devices that go into your camera or tablet – may be small, but they can hold a lot of revealing information. Because they are often used for storing photos, that information can be highly visual. A research team from the University of Hertfordshire just bought 100 second-hand SD cards and found two thirds of them carrying incriminating files.
The team, commissioned by consumer device advisory site Comparitech, found that 65% of the SD cards still had sensitive files ranging from pornography and intimate personal photos through to passport pictures.
SD cards use a different technology to hard drives, but they have some commonalities. One of these is that deleting a file or even using the standard quick format option in your operating system doesn’t really erase the data. It only marks the file as deleted in the drive’s index, which tells the operating system that the space occupied by that file is now available. The file’s data is still there, and curious users – or organizations wanting to prove a point – can recover it with freely available forensics tools.
The researchers’ report on the project explains that the cards came from various sources including second-hand shops, auctions, and eBay. Researchers typically bought the cards one at a time, and then used a free data forensics tool called FTK Imager to create a bit-for-bit copy of each card. This enabled them to work from a copy without disturbing the original. Then, they used WinHex and OSForensics to work out what data was in the imaged disk.
Four of the drives couldn’t be read at all, four of them had no data present, 25 had been properly wiped with a data erasing tool, and 29 had been improperly formatted, leaving the data easily recoverable. On two of the disks, files had only been deleted (again, leaving the files exposed). Alarmingly, 36 of the drives’ former owners had taken no steps to remove their data. This enabled the researchers to recover data from 65% of the cards.
What was on the cards?
The most common content (around 37%) was photographic, followed by multimedia. ‘Sexualised content’ came third, accounting for just over 5%. Business documentation and CVs came last.
One card contained a large collection of photos, some of them intimate, from a female student at a UK university. A photograph of her passport was on the same card. On others, the researchers found photographs of a woman together with her email address and phone number, and the names and phone numbers of friends. On yet another were personal details including vehicle registration numbers, credit card PIN numbers, home addresses and phone numbers from another UK university student, the report said.
Why are people leaving sensitive information on SD cards for others to find? Alarmingly, some of them seem to think that it isn’t their job to remove it, the report suggested:
While the sellers had, in some cases, claimed prior to sale that the media had been formatted or wiped, in other cases they had included a disclaimer saying that there may be data present and that the buyer should remove it.
These cards come from smart phones and tablets, but also from satnav systems, drones, and dash cams. The researchers warned of growing attack footprints as the number of devices containing these cards grows.
For example satellite navigation systems (SatNav) data can be used to determine the home location of the user, and also the routes that they regularly use and locations that they have identified as being of interest, which may include their place of work and the homes of family and friends.
Securing your SD cards
So, how can you avoid becoming report-fodder and erase the data from the SD cards in your own systems securely? While the UK’s National Cyber Security Centre has some good tips for wiping other electronic media, when it comes to cheap, removable flash media of this kind it essentially tells you not to bother.
These are generally inexpensive and can be destroyed locally using an affordable office shredder or disintegrator designed to produce particles no greater than 6 mm. As with SSD, it is almost impossible to remove every bit of user data from these devices, so thorough destruction must take place at end-of-life to avoid residual data from posing a risk to your business.
That’s all well and good, but some people may want to make a little money back on their cards by selling them, especially as capacity and cost increase. The most popular card size in the Comparitech/University of Hertfordshire study was just 2Gb in size, but there were some 128Gb monsters in there. There are even 400Gb SD cards now available, which will cost you £200 or more out of the box. That’s a lot of money to run through the shredder.
Luckily, there are other options. Comparitech suggests a full format, which writes zero values to the entire drive as opposed to a quick format, which just marks the entire drive as available. However, it warns that some forensics tools may be able to detect data even after writing those zero-values.
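To make the difference between a quick format and a full format concrete, here is an added example (not from the report or from Comparitech) that scans a raw card image for sectors that still hold data and for JPEG headers. The card layout built in build_card() is a constructed toy, not a real FAT file system, and the function names are this example's own.

```python
import io

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker that opens every JPEG file

def scan_image(stream, sector=SECTOR):
    """Scan a raw image; return (total sectors, non-zero sectors, JPEG header offsets).
    For a real card, pass an open binary file holding a bit-for-bit image of it."""
    total = nonzero = 0
    jpeg_offsets = []
    zero = bytes(sector)
    while True:
        block = stream.read(sector)
        if not block:
            break
        if block != zero[:len(block)]:
            nonzero += 1
            # Files normally start on a sector boundary, so check the block start.
            if block.startswith(JPEG_SOI):
                jpeg_offsets.append(total * sector)
        total += 1
    return total, nonzero, jpeg_offsets

def build_card(n_sectors=64, index_sectors=4):
    """Constructed sample: an index area followed by a data area holding one 'photo'."""
    card = bytearray(n_sectors * SECTOR)
    card[0:11] = b"PHOTO001JPG"  # toy index entry (constructed)
    photo = JPEG_SOI + b"\xe0" + b"holiday-pixels" * 100  # 1404 bytes, 3 sectors
    start = 10 * SECTOR
    card[start:start + len(photo)] = photo
    return card, index_sectors

def quick_format(card, index_sectors):
    """Reset only the index, as a quick format does; the data area is untouched."""
    card[:index_sectors * SECTOR] = bytes(index_sectors * SECTOR)

def full_format(card):
    """Overwrite every sector with zeros, as a full format does."""
    card[:] = bytes(len(card))

def report(card):
    return scan_image(io.BytesIO(bytes(card)))

if __name__ == "__main__":
    card, idx = build_card()
    for step in (lambda: None, lambda: quick_format(card, idx), lambda: full_format(card)):
        step()
        print(report(card))
```

A clean result only covers the sectors the card exposes to the host, which is why the caveats about flash media quoted above still apply.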
For the truly paranoid, there are dedicated tools for wiping removable media. Comparitech lists some on its secure wiping guidance page. The SD Association also offers an SD card formatter that it says will do the job.
Finding sensitive data on old devices has become something of a sport in the cybersecurity marketing business. The National Association for Information Destruction ran one such study last year, as did Kroll Ontrack. Here’s another from 2009. Back in 2006, one research project found child abuse imagery, causing the academics involved to bring in the police.
They’re great fodder for companies needing a quick bit of easy PR because finding consumers with poor OPSEC is like shooting fish in a barrel. As this latest report says:
Despite advice from various governments and media organisations, and the media exposure of the issue, the message about data security risks from remnant data is being ignored. Vendors/sellers are either not responding to the warnings or are disregarding them.
People will continue leaving personal files on removable storage because, for many users who are not security-savvy, the steps involved will be too big – and the understanding of the potential consequences too small.
Given that users aren’t stepping up with better security, the report concluded by asking for vendors to fill the gap.
Given the short life cycle of current digital devices, with users regularly replacing and upgrading their mobile devices, it is perhaps an omission that better advice on data disposal tools (factory reset options or encryption) and advice are not issued by the original vendors.
Unless someone figures out a better way to force-wipe that data, we’ll be seeing plenty more of these surveys for years to come.