Hacking E-waste is the “greatest little secret” of cyber-security, and it’s worth paying attention
BLOG: Heidelberg Laureate Forum
Used electronics are an often overlooked problem of cyber-security, but perhaps we’d best pay more attention to their disposal and the data they still hold.
This article is part of our ongoing series on hacking and IoT. Also in this series:
- Welcome to the Internet of (hackable) Things
- People are hacking diabetes pumps — and that’s both bad and good
- How a smart vacuum cleaner was hacked to listen to conversations — even without a microphone
Electronic waste (or E-waste) is an umbrella term for any electric and electronic equipment that is discarded. E-waste is increasingly emerging as a major environmental problem since it’s so hard to recycle and it’s so easy for toxic contaminants to leach into the soil and water. The world produces around 50 million tons of E-waste every year, with some estimates suggesting that the amount will more than double by 2050.
But there’s another problem with E-waste: it can leak personal information.
During the E-waste World Conference, John Shegerian (a CEO of an electronics recycling company) called E-waste hacking “an overlooked crime” and “the greatest little secret of the cybersecurity world.” Although official figures are lacking, cybercrime costs the world around $1 trillion per year or even more, and Shegerian estimates that used electronics can be an important part of the problem.
The issue was also highlighted by a study from another researcher. Josh Frantz bought 85 used devices for $650, and tried to see what information he could retrieve from them. He found over 366,300 files, including images and documents, and was able to find personal details on multiple devices, including date of birth, social security numbers, credit card and passport numbers. All in all, just 2 of these 85 devices had been properly wiped.
Granted, the sample Frantz bought may not be representative of the entire industry, but it seems likely that this is a large-scale problem. A similar experiment from 2012 found half of the devices analyzed still contained personal information that could be accessed. Yet another analysis from 2019 found that two-thirds of 200 USB drives sold on eBay still contained personal information. Similarly, security vendor Avast was able to retrieve data from discarded phones. The owners thought all the data had been removed from the devices, but using commercially available software, Avast was able to retrieve it. Even discarded IoT devices can be used to hack WiFi passwords.
It seems to be a widespread problem and it seems to be getting worse, especially in the past year.
The pandemic probably made things worse
Many things changed over the past pandemic year, but there’s one thing in particular that’s relevant here: working from home. Millions of workers, particularly those whose work involves a computer, found themselves working from their own home as part of the social distancing effort.
That’s all fine, and there’s an ongoing debate about the merits of working from home, but in many cases, the home computer may not be as secure as the work computer. Furthermore, this means that many home computers are now storing company details in addition to our own personal details — and whereas companies are more likely to pay attention to how they discard used electronics, home users are unlikely to be as careful.
“Most people are staying in, working from their living room or study. But are their personal computers as secure as the ones at the office? Unlikely. This means recyclers offering data destruction services will have a ton more customers in the coming years,” Shegerian noted.
How to safely discard your electronics
Data can reside on computers for years, even if they are exposed to the elements. Even a full format or revert to factory settings isn’t always enough to delete everything. So what can you do?
A first step has less to do with data and more with our consumer habits: the more storage drives we discard, the greater the risk, so it’s always a good idea to use devices sustainably and limit our waste as much as possible. After all, this is not just about security: electronics contain hazardous materials like heavy metals that can contaminate the Earth.
If you do need to discard your device, the US Federal Trade Commission has a useful guide. First, you need to sign out of any online accounts — and there are specialized tools to help you do this. Secondly, you need to disconnect and forget all Bluetooth and Wireless connections, and then format your hard drive with specialized software and revert it to factory settings. If you want to be extra safe, you can employ a specialized company.
Of course, there’s also the “rockstar approach”: smashing your drives to pieces. You can also simply opt to keep your drives stored somewhere safe — both options get the job done, but come with obvious shortcomings.
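An added example, not part of the original article: since a format or factory reset can leave data behind, one way to check a wiped drive before handing it on is to scan a raw image of it for non-zero sectors and leftover file headers. It assumes the wipe was a zero-fill (a random-data overwrite needs a different check); the signature shortlist, function names and sample image are constructed for illustration.

```python
import io

SECTOR = 512
# Magic numbers of common file types; a constructed shortlist, extend as needed.
# A hit is a hint that recoverable content survived, not proof of a whole file.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf",
              b"PK\x03\x04": "zip/office", b"SQLite format 3\x00": "sqlite"}
MAX_SIG = max(len(m) for m in SIGNATURES)

def audit_wipe(stream, chunk_sectors=2048):
    """Scan a raw image; count non-zero sectors and leftover file signatures."""
    report = {"sectors": 0, "nonzero_sectors": 0, "signatures": {}}
    prev = b""  # last bytes of earlier chunks, for magics that straddle a boundary
    while chunk := stream.read(SECTOR * chunk_sectors):
        for off in range(0, len(chunk), SECTOR):
            sector = chunk[off:off + SECTOR]
            report["sectors"] += 1
            if sector.count(0) != len(sector):
                report["nonzero_sectors"] += 1
        for magic, name in SIGNATURES.items():
            # Prepend only len(magic)-1 old bytes so no hit is counted twice.
            hits = (prev[-(len(magic) - 1):] + chunk).count(magic)
            if hits:
                report["signatures"][name] = report["signatures"].get(name, 0) + hits
        prev = (prev + chunk)[-(MAX_SIG - 1):]
    return report

def is_clean(report):
    """True only if every sector is zero and no known file header was seen."""
    return report["nonzero_sectors"] == 0 and not report["signatures"]

def demo_image():
    """Constructed 8-sector image: zero-filled except two leftover headers."""
    img = bytearray(8 * SECTOR)
    img[1636:1639] = b"\xff\xd8\xff"   # JPEG header inside sector 3
    img[3070:3075] = b"%PDF-"          # PDF header straddling sectors 5 and 6
    return bytes(img)

if __name__ == "__main__":
    print(audit_wipe(io.BytesIO(demo_image()), chunk_sectors=1))
    print(is_clean(audit_wipe(io.BytesIO(bytes(8 * SECTOR)))))
```

To audit a real drive, pass a file object opened in binary mode on a read-only image of it instead of the in-memory sample.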
The bottom line
E-waste is a worsening environmental problem. To overcome it or at least alleviate it, it’s important to recycle and donate/upcycle electronics. Re-homing computers and other electronics is the right thing to do; you just need to pay attention and protect your data.
Computer manufacturers, electronics stores, national organizations, and other groups have computer recycling and donation programs worth checking out.
If you’re particularly worried, you can just donate your computer and keep your hard drive.