Dumping yards are treasure to malicious hackers
Hundreds of thousands of electronic devices are dumped each year into the digital graveyards. It creates a significant environmental problem and puts companies that haven't cleaned their electronics properly at risk.
When Zachary was about 16 years old, he started picking up old computers on the side of the road during bulk pickup.
"I wasn't looking for any data. I was just a 16-year old that wanted to build a better computer by scavenging good parts. I observed that most of these machines still had their hard drive in them. I wouldn't doubt that most computers people toss still have their hard drives in them," Zachary told CyberNews.
He is from Monmouth County in New Jersey and used to look for spare computer parts from 2009 until recently. As he didn't have malicious purposes, Zachary never looked for what was on the hard drives but observed that they were not destroyed or wiped.
"The hard drive (or solid-state drive in recent years) is where all the data is stored, so if you dump that, anybody can just take it out and read it. It's like leaving a journal out on the kitchen table. (...) The data probably could've been used for anything. I don't know what was on there because I typically destroyed the drives and replaced them with better ones that I own. I know there were bootable partitions on the original drives, and that means they weren't cleared and erased," he told CyberNews via email.
Zachary's experience is a perfect example of the data sanitization problem.
"Gartner just released their data sanitization analysis, and they conclude that around 50% of the market has matured, but 50% is still immature when it comes to implementing the correct processes," Fredrik Forslund, vice-president of enterprise & cloud erasure solutions at Blancco, told CyberNews.
And the two core problems arise from incorrect disposal of used electronics. Firstly, when used computers end up in charities or dumpsters, their former users become susceptible to cyber attacks. Threat actors can restore the information and use it to blackmail companies or even release ransomware upon them.
Secondly, it has disastrous consequences on the environment. When the hard drive is smashed and the whole system destroyed, the device becomes worthless and probably ends up in places like the Agbogbloshie landfill in Ghana's capital Accra. You can guess how the story goes on from here - children with nimble fingers are trying to recover anything of value while being exposed to carcinogens and toxic fumes. The UN Environment Programme highlights that heavy metals and other hazardous substances found in electronics contaminate groundwater and pose other environmental and public health risks.
Our love of top-notch technology has a high price to pay. And I don't mean the 1000$ you paid for iPhone12.
Rapid innovation and lowering costs led to increased consumption of electronic goods. And while this improved our quality of life, health, and entertainment, the downside is also significant. According to the World Economic Forum, the amount of e-waste will more than double by 2050 to 120 million metric tons annually.
If you live, for example, somewhere in Europe, it might be hard for you to imagine the scope of the problem that it creates. Meanwhile, Africa, and especially Ghana’s capital Accra, is now infamous for being a digital graveyard for computers, TVs, and other electronics from developed countries. Around 350,000 metric tons of e-waste leave Europe illegally while in the US, ¾ of used devices end up in landfills. This waste finds itself in some of the world’s poorest areas.
“When these products enter a used and end-of-life state, a large amount of this equipment is sorted incorrectly and shipped illegally around the world, to then be disposed of or treated under rudimentary conditions,” the United Nations claimed.
Modern electronics can contain up to 60 different chemical elements. Some of them are hazardous, but many also have economic value and can be extracted from electronics. Mobile phones also contain other valuable materials, such as plastic, glass, and ceramics. They could also be turned into secondary materials.
Some initiatives are underway to tackle this problem. But here’s another catch - businesses led by the fear that their used equipment will be of some use to malicious hackers, keep destroying the technology instead of putting it to use by, for example, donating it to the charity. Once you’ve heard that some company gifted old computers to a non-profit in Africa and then got hacked, you will most probably smash your hard drive before throwing out your computer.
Let’s take a closer look at the reasons why companies get rid of their electronics not in the most environmentally-friendly way.
"I do see it often enough in the news, talking about companies doing refurbishment and discovering all this privileged information," Michael Schenck, senior cybersecurity consultant with more than a decade of experience in the aerospace and defense industry.
There are many issues with the way we handle devices and not only computers. Smartwatches, phones have gigabytes of storage, and many valuable data can be retrieved from other smart devices, such as printers or even vacuum cleaners.
"These devices that hold all sorts of information about us that we may not even realize that it is there," Schenck said.
Work from home acceleration has created more e-waste problems as companies scrambled to buy laptops for employees and more people wanted upgrades for their home computers and attached devices. E-waste represents exposure not only for home users but also for the companies they work for, Stel Valavanis from onShore Security in Chicago believes.
While a company may have a fully enforced policy of wiping computer hard drives, their remote workforce is now much more inclined to leave company data on their personal computers. And it's not just files: personal computers accessing company networks store Wifi, VPN, browser entries and cookies, and other credentials that remain on improperly wiped devices. Cybercriminals know this and harvest components they find in e-waste dumps," he said.
It is relatively easy to get back data left behind these hard drives using basic forensics and disaster recovery techniques such as hard drive recovery, file recovery, and data carving techniques, Keatron Evans, Principal Security Researcher at the Infosec Institute, told CyberNews.
"Extortion with the information is only the beginning of the problem. There's also the risk that things such as passwords, and other types of credentials, could be recovered as well. These can be sold on the black market and eventually used to allow an attacker to enter an organization unnoticed," he said.
It is also yet another weakness with the supply chain. "Company A might have stuff stored securely and have their hard drives decommissioned securely, however company B, who is a supplier for Company A, may have in their possession some of the same data but not decommission their drives using the same methods. Company B's drives could end up in the E-Graveyard in Africa and expose data belonging to Company A. Even though company A disposed of their drives in a secure method, it was their supplier Company B who led to Company A's data being exposed," he explained.
What is more, companies are bound not only to safeguard their secrets but protect their customers' data under the General Data Protection Rules (GPRD). Upon failing to do so, they face lawsuits and fines.
Well, you can only imagine the scope of problems that incorrect disposal of used electronics might create.
Miranda, the founder of VinPit, said that some incidents came to her notice of blackmailing people, performing phishing attacks on them, reviving IDs and SIM cards, accessing bank accounts, etc. Malicious hackers are also selling the private data they retrieve to shady e-commerce or other companies.
"Thus, these dumping yards are becoming treasures to potential hackers," she concluded.
Is there a way out?
You can do several things to make sure your data is safe before throwing out your computer.
"With a traditional hard drive that has mechanical spinning parts in it, for most use cases, you can do something simple, such as taking it to a mechanic shop and putting some holes through the hard drive to make it unrecoverable, especially outside the laboratory setting. But with newer solid-state drives (SSD), there's a lot more. It has to do with the piece of software designed, not just deleting things but resetting everything to zero," Schenck explained.
Well, it is possible to retrieve information even from a smashed hard drive. In that case, though, you would probably be a target of high interest with state-sponsored hackers breathing down your neck.
"Generally speaking, deleting things off your hard drive is not enough because there is software that you can buy off a shelf that can undelete things from the hard drive. When you delete something off a hard drive, all the computer's deleting is the beginning of that file that says "the file starts here." It's called the headers. All it is doing is deleting that header and not the entirety of the file, so all the ones and zeros that represent that file are still actually on the hard drive until it's overwritten," he said.
Well, a suggestion to destroy a perfectly good drive just to be safe would make some environmentalists cringe.
They highlight perfectly safe ways to destroy data without attacking a computer with a hammer or magnet.
How to get rid of your old computer
According to Forslund, when you smash your hard drive, you are destroying your system. It makes it financially and technically challenging to create a good second life for the computer or other electronics.
Nowadays, it is much easier to delete data than it was years ago.
"Ten years ago, it was very challenging to remove data securely from SSD drives. Twenty years ago, it was a challenge to do it properly on normal HDD drives. Today, hundreds of millions of devices are properly sanitized with software every year. There are no data leaks, there have been several tests and approvals and certifications of the technology," he told CyberNews.
He argues there's no need to use a magnet (it would work only with the hard drive, not SSD) or a drill to make data unrestorable.
"There's a lot of misconceptions in this industry. Some people might think that we reformat our computers and then we can get rid of them. That does not protect you from data breaches," he said. Forslund recommends using special software to do that, and better not choose a freeware version that might leave some data intact. The technology is mature, and any administrator taking care of the company's IT infrastructure can run it.
Of course, before you just throw your electronics out, you should consider redeploying it within your organization to create the biggest value of particular equipment.
"If you can't reuse it within the organization, there is a functioning secondhand market today. Once it has been cleaned out from data, you can refurbish and resell it. And then some other organization might have a perfect fit for the specifications on that system, and they can use it and hence release value," he said.
If you do not wish to sell it or there is no market for it, you can donate it to charity organizations, which might take computers from a company to a pre-school. Well, that's actually how a lot of electronics end up in Africa - they are being supposedly donated for good causes but may not be good enough for anyone to use. Then, the next stop is a dumpster, and then just hope some criminals won't find it with your data intact.
"If that doesn't work, so the system has absolutely no value left, then you should go to environmentally friendly recycling where you harvest a system from precious metals, things that can be recycled and reused on the raw material side. But in all of these different steps, of course, you need to make sure that you have no data left on the system by deploying the right software techniques," Forslund said.
He believes that the amounts of e-waste will continue rising at least for a while, and constantly there's more and more equipment being decommissioned.
"But I'm hoping that within the next few years, we can turn that and see it going down again by having more professional reuse commitments and then, of course, proper recycling for those systems that have reached the end of life," he said.
More from CyberNews:
Subscribe to our newsletter