Buy an electronic device and get the data for free: personal information remains on the donated gadgets

Original author: Josh Frantz


If you have accumulated old computers, flash drives, phones or hard disks that you no longer use, you may want to take them to a consignment shop or a thrift store, sell them yourself, or send them for recycling. But have you ever wondered what happens to these devices and the data stored on them? Is your data destroyed, or are these devices resold with all your memories and personal data still on them, available to the next owner? And if this data is available, what happens if someone like me starts combing all the consignment and charity shops near his home just to find out how much personal data he can find there?

To find out exactly how much, I spent six months extracting all the data I could find on devices sold at places that sell refurbished computers or accept donated gadgets for resale. By the end of the experiment, the research showed that many businesses do not deliver what they guarantee and do not erase data from the devices that people hand over to them.

Let's see how my experiment went, what data I managed to extract, and methods for guaranteed removal of data from your old devices before selling them.

Process


My first step was the least interesting part of the experiment: I looked up which businesses sell refurbished, donated, or used computers near my Wisconsin home. I visited 31 stores and bought everything I could for $600. Here's what I got:

Desktop computers and laptops - 41
Removable media (flash drives, memory cards) - 27
Hard drives - 11
Mobile phones - 6

Whenever I bought a device, I returned to the control center (as I call my basement) and started the data extraction process. After bringing a computer home, I tried to boot it to find out whether it would start and whether it required a password. I wrote a PowerShell script that walks the disk and compiles a list of all images, documents, saved emails and instant-messenger conversation histories. Then I neatly archived and cataloged all of this on the desktop. Only one laptop, a Dell, had been wiped properly.

Most of the hard drives had an IDE interface, so I used an external docking device for quickly connecting hard drives (an IDE toaster) and a Python script that cataloged all the data. I found that not a single hard drive was encrypted, and all of them worked fine (except for an old 30 GB Hitachi, which had been wiped).

The phones I bought were very old, and I had to buy three different proprietary chargers on eBay, which increased my costs to $650 (not including gas and coffee). The phones did not require a PIN, and for some of them I could not find software to connect them to a computer.

In the case of flash drives and memory cards, I just plugged them in, and then used a Python script to organize the data.

In general, the result of my research was shocking. Of the 85 devices purchased, only two (a Dell laptop and Hitachi hard drive) were thoroughly cleaned. And only three devices were encrypted.

Data


Armed with a mountain of data and a basement cluttered with hardware that was older than me, I developed a plan to sort through all the data in search of personal information. I used pyocr to identify social security numbers, birthdays, credit card numbers, and phone numbers in images or PDFs. Then I used PowerShell to go through all the documents, emails and texts in search of the same information. I kept all the regular expressions used for processing personal information.

Although optical character recognition is not 100% accurate, and there could be data in the images or PDFs that I could not extract, I can confirm that the regular expressions used to extract social security numbers, birthdays, credit card numbers, phone numbers and driver's license numbers were pretty comprehensive.
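The kind of pattern matching described above is also how you can audit text from your own files (or OCR output) before giving a device away. The following is an added example, not the author's script or regular expressions: the patterns, the Luhn checksum filter that drops random digit runs from the card matches, and the sample text are all constructed assumptions.

```python
import re

# Illustrative US-centric patterns (assumptions, not the author's expressions).
PATTERNS = {
    # SSN: reject area 000/666/9xx, group 00 and serial 0000, which are never issued
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13 to 19 digits, optionally separated by single spaces or hyphens
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    """Return the unique matches per category, as in the article's counts."""
    hits = {kind: set() for kind in PATTERNS}
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group()
            if kind == "card":
                value = re.sub(r"[ -]", "", value)
                if not luhn_ok(value):
                    continue    # digit run that is not a valid card number
            hits[kind].add(value)
    return hits

# Constructed sample standing in for OCR or document text; not real data.
SAMPLE = """Scanned form (constructed sample, not real data)
SSN: 123-45-6789   invalid area: 000-12-3456
Card: 4111 1111 1111 1111   typo: 4111 1111 1111 1112
Phone: (608) 555-0142   Email: pat@example.com
Reply-To: pat@example.com
"""

if __name__ == "__main__":
    for kind, values in find_pii(SAMPLE).items():
        print(kind, sorted(values))
```
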

Below is the final count of the processed data (not including several conversation histories from MSN / AIM), grouped by file format. I excluded some formats (XML, HTML, and CSS) for brevity.

Images (JPEG, TIFF, GIF, BMP, PNG, BPG, SVG) - 214 019
Documents (DOC, DOCX, PDF, CSV, TXT, RTF, ODT) - 3 406
Emails (PST, MSG, DBX, EMLX) - 148 903

As you can see, a lot of things were found. And the most interesting thing is that I managed to extract a lot of personal information. Here is the breakdown of unique values for each type of information:

Email addresses - 611
Date of birth - 50
Social security number - 41
Bank card number - 19
Driver license number - 6
Passport number - 2

It is surprising that most of the numbers from bank cards were received from photographs or scans of cards, and both the front and the back of the card were photographed. Passport numbers were also taken from scans.

Cost


Researching further, I realized how cheap and easy it is to buy people's information on the darknet. Social security numbers cost $1, full documents (dox) cost $3. So we can’t justify the initial investment of $600.

An interesting conclusion follows from this: data leaks are so common that they have driven down the price of the data. I saw several dumps on the darknet with social security numbers that cost even less than $1 apiece.

How to safely get rid of your gadgets


When donating a gadget to a charity or selling it, you need to make sure that all the data on it is deleted, rather than hoping that the seller will do it for you. But if you want to send your gadgets for recycling, here are some ways to make sure that data cannot be recovered from them, by permanently destroying the device or media:
  • Hammer.
  • Burning (caution, toxic products of combustion).
  • Industrial grinding.
  • Drill.
  • Acid.
  • Electrolysis.
  • Microwave.
  • Thermite welding.


When using such methods, you will need to secure the workplace and wear reasonable protection (at least glasses and gloves). With protection in place, destroying gadgets can be fun.

[Video: thermite welding destroying a desktop PC]



In principle, if you have not physically destroyed the device, specialists will be able to extract data from it. If this worries you, it is better to play it safe and destroy it. However, it is usually enough just to wipe your device, which is typically very easy [for example, for Android devices it’s enough to encrypt all the data and then reset to factory settings].

If you want to wipe your hard drive, Darik's Boot And Nuke will help. However, this method will not work with solid state drives or RAID drives. In the latter case, PartedMagic works well.
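After wiping a hard drive, you can read it back to confirm that nothing recognizable is left. The following is an added example, not part of the original article or of either tool: it assumes the wipe's final pass wrote zeros, and the function name, the signature list (chosen from the file formats counted above) and the sample image are constructed for illustration.

```python
import io

# Magic bytes of formats the article recovered (illustrative, not exhaustive).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/docx": b"PK\x03\x04",
    "pst": b"!BDN",
}

def audit_wipe(stream, chunk_size=1 << 20):
    """Read a raw image or device; return (nonzero_bytes, {format: first_offset})."""
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    nonzero, found = 0, {}
    tail, offset = b"", 0            # offset = stream position of the current chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        nonzero += len(chunk) - chunk.count(0)
        # Prepend the end of the previous chunk so that a signature
        # straddling a chunk boundary is still found.
        window = tail + chunk
        base = offset - len(tail)
        for name, sig in SIGNATURES.items():
            if name not in found:
                pos = window.find(sig)
                if pos != -1:
                    found[name] = base + pos
        tail = window[-overlap:]
        offset += len(chunk)
    return nonzero, found

def sample_image():
    """Constructed 4 KiB 'disk': zeros plus two leftover file headers."""
    img = bytearray(4096)
    img[1022:1027] = b"%PDF-"        # straddles the 1024-byte chunk boundary
    img[3000:3003] = b"\xff\xd8\xff"
    return bytes(img)

if __name__ == "__main__":
    # For a real check, open the raw device or an image file in "rb" mode instead.
    print(audit_wipe(io.BytesIO(sample_image()), chunk_size=1024))
    print(audit_wipe(io.BytesIO(bytes(4096)), chunk_size=1024))
```

A clean result on a solid state drive covers only the blocks the drive exposes, which is one reason a software overwrite is not sufficient for that kind of media.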

Conclusion


If you are worried that your data may end up in the hands of attackers, destroy the data. If you want to donate the device to a good cause, make sure that it is wiped. Even if you receive a written assurance of data destruction, you won’t be able to verify it; the only way to be sure is to erase it yourself.
