Caveat Venditor, Used USB Drive Owner

TL;DR

This study investigates the security risks of used USB drives sold online by analyzing their contents, revealing many still contain private data and highlighting the need for better public awareness and data erasure practices.

Contribution

It provides empirical evidence on the prevalence of private data on used USB drives sold online, emphasizing the gap between advice and actual user behavior.

Findings

Many used drives contain private and sensitive data

No malicious software was found on the drives

Public awareness of data erasure needs improvement

Abstract

USB drives are a great way of transferring and backing up files. The problem is that they are easily lost, and users do not understand how to secure or properly erase them. When used to store private and sensitive information, this constitutes a risk that users may be unaware of. Consider that people sell used USB drives online -- presumably either their own or drives others have lost. This raises some interesting questions, such as whether sellers know how to ensure that private data is erased before they relinquish the drive to an unknown buyer, and whether sellers use these drives in an attempt to compromise an unwary buyer's device. Governments do indeed issue advice about the risks of used mobile media, but we do not yet know whether this advice is reaching, and being heeded by, the general public. To assess the situation, a sample of used USB drives were purchased from eBay sellers to determine, first hand, what was on the drives. This acts as an indicator of actual security-related behaviours to answer the questions posed above. Using forensic analysis, it was found that a great deal of private and sensitive information remained on many of the drives, but there was no trace of malicious software. More effective ways of enlightening the public are needed, so that private data is not unwittingly leaked via sold used media.