What Sensitive Data is Lurking on Your Old SD Card?

SD cards – those tiny devices that go into your camera or tablet – may be small, but they can hold a lot of revealing information. Because they are often used for storing photos, that information can be highly visual.

A research team from the University of Hertfordshire just bought 100 second-hand SD cards and found two-thirds of them carrying incriminating files. The team, commissioned by consumer device advisory site Comparitech, found that 65% of the SD cards still had sensitive files through to passport pictures.

SD cards use different technology to hard drives, but they have some commonalities. One of these is that deleting a file or even using the standard quick format option in your operating system doesn’t really erase the data.

It only marks the file as deleted in the drive’s index, which tells the operating system that the space occupied by that file is now available. The file’s data is still there, and curious users – or organizations wanting to prove a point – can recover it with freely-available forensics tools.

The researchers’ report on the project explains that the cards came from various sources including second-hand shops, auctions, and eBay.

Researchers typically bought the cards one at a time and then used a free data forensics tool called FTK Imager to create a bit-for-bit copy of each card. This enabled them to work from a copy without disturbing the original.

Then, they used WinHex and OSForensics to work out what data was in the imaged disk. Four of the drives couldn’t be read at all, four of them had no data present, 25 had been properly wiped with a data erasing tool, and 29 had been improperly formatted, leaving the data easily recoverable.

On two of the disks, files had only been deleted (again, leaving the files exposed). Alarmingly, 36 of the drives’ former owners had taken no steps to remove their data. This enabled the researchers to recover data from 65% of the cards.

What was on the cards?

The most common content (around 37%) was photographic, followed by multimedia. "Bad content' came third, accounting for just over 5%. Business documentation and CVs came last.

One card contained a large collection of photos, some of them intimate, from a female student at a UK university. A photograph of her passport was on the same card.

On others, the researchers found photographs of a woman together with her email address and phone number, and the names and phone numbers of friends.

On yet another was personal details including vehicle registration numbers, credit card PIN numbers, home addresses, and phone numbers from another UK university student, the report said.

Why are people leaving sensitive information on SD cards for others to find? Alarmingly, some of them seem to think that it isn’t their job to remove it, the report suggested:

While the sellers had, in some cases, claimed prior to sale that the media had been formatted or wiped, in other cases they had included a disclaimer saying that there may be data present and that they buyer should remove it.

These cards come from smartphones and tablets, but also from satnav systems, drones, and dash cams. The researchers warned of growing attack footprints as the number of devices containing these cards grows.

Securing your SD cards

So, how can you avoid becoming report-fodder and erase the data from the SD cards in your own systems securely? While the UK’s National Cyber Security Centre has some good tips for wiping other electronic media when it comes to cheap, removable flash media of this kind it essentially tells you not to bother.

That's all well and good, but some people may want to make a little money back on their cards by selling them, especially as the capacity and cost increases.

The most popular card size in the Comparitech/University of Hertfordshire study was just 2Gb in size, but there were some 128Gb monsters in there.

There are even 400Gb SD cards now available, which will cost you £200 or more out of the box. That’s a lot of money to run through the shredder.

Luckily, there are other options. Comparitech suggests a full format, which writes zero values to the entire drive as opposed to a quick format, which just marks the entire drive as available. However, it warns that some forensics tools may be able to detect data even after writing those zero-values.

For the truly paranoid, there are dedicated tools for wiping removable media. Comparitech lists some on its secure wiping guidance page. The SD Association also offers an SD card formatter that it says will do the job.

Finding sensitive data on old devices has become something of a sport in the cybersecurity marketing business. The National Association for Information Destruction did one last year, as did Kroll Ontrack.

Here’s another from 2009. Back in 2006, one research project found child abuse imagery, causing the academics involved to bring in the police.

Sophiya Wadra is a 29-year-old former health centre receptionist who enjoys football, running and charity work. She is stable and giving, but can also be very unintelligent and a bit disloyal. She has a post-graduate degree in Technology.