It's Scary How Much Personal Data People Leave On Used Laptops And Phones, Researcher Finds

Hack-a-Day explores thermite-based anti-forensic techniques (Screenshot: Jason Rollette, YouTube)

In a dusty plastic bin under my bed lies at least four laptops, six mobile phones, and a half-dozen hard drives. I have no idea what’s on any of them. Most of these devices predate the cloud-storage era, and so likely contain solitary copies of photos, texts, and emails, among other confidential files (porn?) that I’d probably be horrified to learn had fallen into the hands of strangers.

In retrospect, I should’ve taken a sledgehammer to my pile of electronic garbage long ago, or maybe tossed it into a burn barrel before soaking the charred remains in a bath of hydrochloric acid. Overkill? Maybe not.

A recent experiment by Josh Frantz, a senior security consultant at Rapid7, suggests that users are taking few if any steps to protect their private information before releasing their used devices back out into the wild.

For around six months, he collected used desktop, hard disks, mobile phones and more from pawn shops near his home in Wisconsin.

It turned out they contain a wealth of private data belonging to their former owners, including a ton of personally identifiable information (PII)—the bread and butter of identity theft.

Frantz amassed a respectable stockpile of refurbished, donated, and used hardware: 41 desktops and laptops, 27 pieces of removable media (memory cards and flash drives), 11 hard disks, and six mobile phones. The total cost of the experiment was a lot less than you’d imagine.

“I visited a total of 31 businesses and bought whatever I could get my hands on for a grand total of around $600 [$AU845],” he said.

Frantz used a Python-based optical character recognition (OCR) tool to scan for Social Security numbers, dates of birth, credit card information, and other sensitive data. And the result was, as you might expect, not good.

The pile of junk turned out to contain 41 Social Security numbers, 50 dates of birth, 611 email accounts, 19 credit card numbers, two passport numbers, and six driver’s licence numbers. Additionally, more than 200,000 images were contained on the devices and over 3,400 documents. He also extracted nearly 150,000 emails.

Screenshot: Josh Frantz / Rapid7

Only two of the devices were erased properly, he said: a Dell laptop and a Hitachi hard drive. And only three were encrypted.

The silver lining here is that, despite how inexpensive the experiment was to perform, it still cost more to gather all that PII than you’d make selling it on any dark net marketplace (though Frantz did not attempt to assess whether any of the documents or photos might hold any value as blackmail material).

“No matter how we calculate the value of the data gathered, we would never recoup our initial investment of around $600 [$AU845],” he said. “This raises a fascinating point: Data leakage/extraction is so common that it has driven down the cost of the data itself. I saw several dumps of Social Security numbers on the Darknet for even less than $1 each.”

The important thing to remember is that when a file is deleted, it isn’t actually gone. While it may no longer be visible in File Explorer, it still exists. The operating system has simply flagged the space that it occupies as available to be overwritten by another file down the line.

The reason for this is fairly simple: Real data erasure is actually pretty time consuming. Fifty gigabytes of space could take an hour or more to properly sanitize.

There are a lot of tools available to help users properly sanitize a hard disk, such as BitRaser and BitBleach. Used properly, these will generally overwrite data thoroughly enough that most commercial forensic data-recovery tools will be fairly useless.

(More authoritative methodologies can be read here.) Frantz recommends using DBAN, also known as Darik’s Boot and Nuke.

But in the end, if you’re device was host to some very sensitive data, why chance it? Demolish that fucker and buy yourself some piece of mind. Frantz offers a few suggestions for how to go about this, in no particular order, include thermite, which is always fun (and stupid-dangerous) to use:

  • Hammer

  • Incineration (be careful of toxic by-products)

  • Industrial shredding

  • Drill/drill press

  • Acid

  • Electrolysis

  • Microwaves

  • Thermite

All of these methods require the use of proper safety gear and some requiring training. Even if you’re just bashing the shit out of an old hard drive with a hammer, don gloves and safety googles and beware of flying shards of circuitry.

Never stick a hard drive in your microwave or try to melt it in your oven. If you don’t have a large area clear of all flammable materials, you should not be burning anything, ever. It may even be illegal for you to do so.

The inside of your home is not an appropriate place to try and destroy your computer. 

(Just for fun, there’s a great video here of the folks at Hack-a-Day experimenting with “thermite-based anti-forensic techniques.”)

If you don’t have access to any of the tools required, the space, or experience necessary, there’s probably a data destruction company in your area that operates in compliance with various privacy laws like HIPAA.

“If you’re worried about your data ending up in the wrong person’s hands, destroy the data,” said Frantz. “If you wish to do a good deed and donate your technology so others can benefit, make sure it’s at least wiped to an acceptable standard.”

Even if a company claims they’ll erase your data for you, he adds, “there’s no good way to know whether that’s actually true unless you perform the wipe yourself.”

Now if you’ll excuse me, I need to find a big arse hammer and some acetone.

Trending Stories Right Now