Skip to content
Naked Security Naked Security

You left WHAT on that USB drive?!

Nudies, taxes, and memos - oh, my! Research shows that even if we think we've deleted content on the sticks, we're leaving all that and more.

Back in 2011, Sophos picked up a stash of USB keys from a lost property auction as an experiment. It turned out that they were a scary bunch of sticks: 66% of them contained malware, and not a single one was encrypted.

Well, the more things change, the more things USB drive-related remain hair-raising…

A new study found that you don’t just run a good chance of catching something from second-hand drives: you also run the risk of getting an eyeful of sensitive data that the previous owner may or may not have even bothered to drag to the trash – not that that would actually delete the data, mind you, but at least it’s an attempt.

The study, done by the University of Hertfordshire and commissioned by a consumer product comparison website called Comparitech, looked at what could be found on second-hand drives picked up on eBay, in second-hand shops and through traditional auctions.

The researchers found that about two-thirds of second-hand USB memory sticks bought in the US and the UK have recoverable and sometimes sensitive data. In one-fifth of the devices studied, the past owner could be identified.

They bought 200 USB drives – 100 in the US and 100 in the UK – between January and May 2018.

People in the US who offload their sticks turned out to at least be aware of the need to erase their data, with only one of the drives showing no sign of an erasure attempt. In the UK, however, 19 of the devices showing no sign of attempted cleansing.

That said, researchers couldn’t recover any data from 16 of the UK devices and 18 in the US, having been properly wiped.

47 of the UK USB stick owners and 64 of US owners tried to delete their data, but didn’t succeed and the data could easily be retrieved by the researchers.

Sir, you need to zip up your unerased stick

The treasure trove of data included quite sensitive material. The researchers found nude images of a middle-aged man, for one thing, along with far more.

Some other notable findings on the drives:

  • Photos of bundles of money and shotguns plus a search warrant giving the name of the person to be searched, a forfeiture submission for the seizure of drugs giving the name of the person that had their property seized.
  • Chemical, fire, and power safety documents for a project in Cardiff, Wales, along with risk assessment documents and the name of the drive’s owner.
  • Lab reports for a petrochemical company, with the name and Social Insurance Number of the USB drive’s owner.
  • Documents containing the stock exchange dealings of a trader along with their passport and addresses in France and the UK for the past six years.
  • Wage slips and tax statements with name, address, and contact details.
  • Photos of a soldier – including a deployment screening sheet containing his home and duty addresses.
  • A resume and filled-out W-4 tax form with full name and address.

With the contact details they recovered, the researchers could identify, and could have contacted, the former device owners of 20 of the US sticks and 22 of the UK sticks.

They didn’t, though, leaving the people who left their sensitive data on the drives none the wiser about their personals floating around and their poor security hygiene.

Trashcans: More like shelves than furnaces

The research suggests that many people don’t understand the risks of leaving data on USB drives before selling them, and that those who do understand the risks don’t understand how to erase data so it can’t be recovered.

We’ve all gone through the ritual dragging of files into the trash can, or highlighting them and hitting the “Delete” key, and then selecting “Empty Trash.” Those steps don’t permanently erase data from a USB drive, though. Neither does one-pass reformatting of storage media. The research found that…

Eight USB sticks in the US and 16 in the UK had been reformatted, but the data could be recovered “with minimal effort.”

To fully erase data, you have to overwrite the storage area where it’s residing. Comparitech offers this guide on how to do so.

6 Comments

Why on earth do people/companies resell USB keys? They’re so cheap to buy, the resale value must be low and the risks are high. For that matter, with the numbers from the article above, likely the entire market for used USB keys are baddies who just want to get stuff off of them.

Any business that makes heavy use of USB keys should invest $10 in a hammer, and dispose of them properly.

The New South Wales railway company actually changed its policy after the research Lisa mentioned at the start of the article. We worked with the NSW Privacy Commission to advise on its new policy – it seemed rather wasteful to tip working USB devices into landfill just because they were a few months old, but the cost of wiping them reliably for resale turned out to be unrealistic. So these days they do just get crushed and dumped, for the greater good of all.

If the USB drives are old enough to sell off there is a device called a “vice”.
You just put the USB into it, tighten and keep turning and keep turning and keep turning!

1. Gaffer tape USB key to clay pigeon.
2. Cycle working parts of shotgun.
3. “Pull.”
(Only problem is – DO NOT MISS -)

More seriously, and usefully for Mac users like me.

Insert USB device, then run the command…

$ diskutil list

…to figure out the device name of the device you just plugged in (e.g. /dev/disk3).

$ diskutil zeroDisk /dev/whateveritwasinthestepabove

Might as well. Then use a vice. Or snap open the USB’s plastic container and drop the circuit board through a crosscut shredder.

What a waste of precious, and getting scarcer, minerals and metals :'( surely it’s not that difficult to zerofill them in the background and then reuse/recycle?

I agree with Samantha; what an absolute waste. Of course we should be re-selling and re-using them. Its just a matter of actually wiping them. In this day and age for companies to be dumping perfectly usable hardware into landfill is criminal.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?