Under the hammer

by Mark Rowe

There’s a way to recover a significant volume of personally identifiable information (PII) from the vast majority of devices sold in second-hand electronics shops, says an IoT security, incident response and penetration testing company.

Rapid7 says that it’s seeking to raise awareness of the importance of wiping devices properly. Its researchers were able to recover 611 email addresses, 50 dates of birth, 19 credit card numbers, six driving licence numbers and two passport numbers from 85 devices sold in second-hand electronics shops. Of those 85 devices, which cost the company $600 in total, only two had been fully erased properly, and only three were encrypted.

The company describes how it managed to recover the information in a blog on its website, but in short, the researchers simply booted up the devices and inserted a PowerShell or Python script to index images, documents, emails and instant messenger conversation histories, subsequently extracting PII from the files.

The IT firm says it hopes the research will help consumers understand how easy it is to recover personal information from old gadgets if consumers haven’t taken the necessary steps to wipe devices properly. In the hands of cyber-criminals, that data can then be used for fraud, identity theft, or blackmail, or be sold on the dark web for as little as £1, the company warns.

Josh Frantz, senior security consultant at Rapid7, led the experiment. He said: “Although we conducted the research with electronics from shops in the US, consumers across the globe should take these findings into consideration because cybercriminals can apply the same techniques we did to second-hand electronics in any country.”

“The best way to protect yourself is to make sure you follow the right steps to wiping your devices — and there are plenty of good guides around to help you do that. Or, if you’re really worried about potential data exfiltration, err on the side of caution and literally destroy them with a hammer.”

© 2024 Professional Security Magazine. All rights reserved.
