New research by Abertay University in Dundee, Scotland, has found that many USBs being resold still have leftover data that can be misused.
The university researchers purchased 100 USB devices being resold on an online auction site and examined each of them. While 98 of the USBs appeared to be empty at a cursory glance, the researchers later discovered that only 32 of the drives were properly wiped before resale – the rest still contained data that could be recovered.
Using publicly available software and tools, the researchers managed to partially recover some of the data previously saved on 26 of the devices. More alarming was that the researchers used the same methods to fully recover every single file saved on the remaining 42 USB drives. Many of the files they recovered were determined to be of high sensitivity, including files named “passwords,” contracts, bank statements, and tax returns.
The researchers also found that some of the other USBs had images containing embedded location data.
“This is extremely concerning, and the potential for this information to be misused with extremely serious consequences is enormous,” said professor Karen Renaud of Abertay University’s division of cybersecurity.
Renaud warned that unscrupulous buyers could possibly use recovered files to access sellers’ accounts if the passwords were still valid, or even attempt to reuse the passwords on other accounts.
“They would likely be able to find a seller’s e-mail address from the files we found on the drive. They could try to siphon money from the bank accounts or even blackmail a seller by threatening to reveal embarrassing information,” the professor added.
The sellers would not have been aware they left data on the drive, Renaud said, adding that most people do not realise that computers typically do not remove “deleted” files.
“What happens is that the file is removed from the index so that they are effectively hidden from view. They’re still there though and if you know how, you can easily recover them using publicly available forensics tools,” the professor explained.
She recommended that those looking to resell their USB devices download free software that can permanently wipe USB data. Renaud also suggested that users who want to discard their USBs should physically destroy the device (such as with a hammer) to prevent third parties from misusing the data.
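
The following check is an added example, not part of the Abertay research or the original article. It audits a raw drive image for non-zero sectors and common file signatures, showing that a quick delete (the index entry marked unused, as FAT does with the byte 0xE5) leaves file content in place while a full overwrite removes it. The sample image, its file name and all function names are constructed for illustration.

```python
import io

SECTOR = 512
# Leading "magic" bytes of common document and image formats.
SIGNATURES = {b"%PDF-": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip/office"}

def audit_image(stream):
    """Count non-zero sectors and list sectors starting with a known signature."""
    stream.seek(0)
    nonzero, hits, index = 0, [], 0
    while sector := stream.read(SECTOR):
        if sector.strip(b"\x00"):
            nonzero += 1
            hits += [(index, kind) for magic, kind in SIGNATURES.items()
                     if sector.startswith(magic)]
        index += 1
    return {"sectors": index, "nonzero": nonzero, "signatures": hits}

def build_sample_image():
    """Constructed 8-sector image: index in sector 0, file data in sectors 3 and 5."""
    img = bytearray(8 * SECTOR)
    img[0:11] = b"TAXES   PDF"                      # directory-style index entry
    img[3 * SECTOR:3 * SECTOR + 20] = b"%PDF-1.4 constructed"
    img[5 * SECTOR:5 * SECTOR + 3] = b"\xff\xd8\xff"
    return img

def quick_delete(img):
    """Mark the index entry unused (FAT uses 0xE5); the data sectors are untouched."""
    img[0] = 0xE5

def zero_fill(stream):
    """Single-pass overwrite of every sector in the image."""
    size = stream.seek(0, io.SEEK_END)
    stream.seek(0)
    stream.write(b"\x00" * size)

def demo():
    """Audit the constructed image after a quick delete, then after a full wipe."""
    img = build_sample_image()
    quick_delete(img)
    stream = io.BytesIO(bytes(img))
    after_delete = audit_image(stream)
    zero_fill(stream)
    return after_delete, audit_image(stream)

if __name__ == "__main__":
    for label, result in zip(("after delete", "after wipe"), demo()):
        print(label, result)
```

A scan like this only covers the logical address space of the drive. Flash controllers can keep remapped blocks outside it, which is where the advice to physically destroy a discarded device applies.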