Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

Last week it was first reported by kotaku.com that computer forensic experts from Drexel University told them hackers can steal credit card information from your old/used Xbox 360 hard drives, even after restoring your console to factory settings. Speaking to Kotaku in a phone interview, researcher Ashley Podhradsky said Xbox publisher Microsoft is doing a "disservice" to its customers by not doing a better job of keeping personal data protected.

"Microsoft does a great job of protecting their proprietary information," she said. "But they don't do a great job of protecting the user's data."

According to the initial Kotaku report "Podhradsky, along with colleagues Rob D'Ovidio and Cindy Casey at Drexel and Pat Engebretson at Dakota State University, bought a refurbished Xbox 360 from a Microsoft-authorized retailer last year. They downloaded a basic modding tool and used it to crack open the gaming console, giving them access to its files and folders. After some work, they were able to identify and extract the original owner's credit card information."

Microsoft was fast to fire back, sending Kotaku the following statement the next day. Microsoft's Jim Alkove, General Manager of Security of Interactive Entertainment Business, said they are investigating the Drexel University study:

"We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims.

Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."

So I had to ask who is telling the truth? Microsoft claimed that the Xbox is "not designed to store credit card data locally on the console", while Podhradsky claimed the opposite. I decided to do a little digging and came across the full report made by Podhradsky which had screenshots to prove her claims and outlines what software/methods were used to obtain that information.

Referring to a program called EnCase, the report proclaims "utilizing EnCase is its ability to discover credit card information on a hard drive by looking for numbers encoded with ASCII digit characters that match valid credit card company identifiers. These numbers are then run against the Luhr formula (an algorithm used to validate credit cards, social security numbers, and other identification numbers). Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10.
Image 10 – EnCase credit card hit

Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card."

Yikes, that's a little scary and seems to contradict Microsoft's response that the Xbox was "not designed to store credit card data locally on the console". Podhradsky's team was also able to retrieve other info related to the previous owner of the hard drive, including a list of deleted files, possible first name, and undisclosed network vulnerabilities. The report explains, " with XFT 2.0, examiners were able to recover user names, gamer tags, and a cache
containing a user’s player list complete with the gamer tags of other Xbox players. This
finding is extremely significant because it can not only aid law enforcement seeking to establish a connection between users, but it can also pose a risk to anyone who has been in contact with a user whose system has been compromised. Gamer tags can be searched through any number of gamer databases or social networking sites to gain additional information about a player.
Image 11, Cache containing Player’s “Buddy-
List&# 148;

If that wasn't bad enough, the researchers were also able to extract the previous owner's Live marketplace purchase history...

"While XFT does not enable users to read larger files such as databases, it does enable the option to export the data. In one example, we exported the marketplace database for closer examination using notepad. After a quick look through the file, we came to the text “Purchase History Items&# 148;, and decided to take a closer look in DFF. Once in DFF, strings of text in German, Italian, and French were discovered. Because Xbox is an
international platform, one might expect to see multiple languages in the marketplace data file. The real red flag here is that while we could not locate the boot loader in or around the partition one would expect to find it, we were able to locate the user’s purchase history where we would expect to – in the marketplace. This suggests that the system information is more secure than the user’s personal data.

So what can we all do to protect our personal data from being compromised on the Xbox 360? The 4th section of the report leaves us some advice for protecting our data...

"Steps Consumers Should Take
When consumers sell or dispose of their used Xbox 360’s they need to take more steps than simply returning the device back to “factory settings.&# 148; During this project researchers were able to recover personal identifying information from an Xbox 360 that had in fact been returned back to the original “factory setting.&# 148; The original eBay posting coupled with investigative tools such as ProDiscover, showed the media was
indeed written with 0’s. However, it is the opinion of the researchers that not all of the partitions are overwritten during the factory setting process.
When consumers are upgrading to a new Xbox and need to sanitize their old device, it is the opinion of the researchers that users should physically remove the HD from the console (as indicated in section 2), and run a software sanitizer on the drive.
There are several options available for both open source and commercial data sanitization tools..... When selecting a tool, the authors note it is important to select a tool that emphasizes patterns in write fill in addition to passes. This is imperative to making sure that slack and unallocated space is overwritten.
Book and Nuke, by DBAN is a free tool downloadable online. The researchers tested Boot and Nuke by sanitizing a drive with the tool then attempted to recover residual data. The drive was searched and forensically analyzed, however no residual data could be recovered. The process included acquiring a new drive, forensically imaging the drive with FTK Imager, acquiring an MD5 and SHA-1 hash, placing data on the drive, running Boot and Nuke on the drive, forensically imaging with FTK imager, and obtaining a final hash. The hash files were the same and no data was found, therefore the researchers can infer that the drives are indeed sanitized."

Free tools you can use to "sanitize" your xbox 360 hard drive...

Darik’s Boot & Nuke
http://www.dband.sourceforge.net

Erase
http://eraser.heidi.ie/

Wipe
http://www.wipe.sourceforge.net

So there you have it. User must be vigilant to protect their data and must use 3rd party software to ensure all the tracks they may leave behind on the 360 hard drive.
As forensic tools advance in the near future, the question raises , "what other data will hackers eventually be able to retrieve?" from a "factory restored" drive. Podhradsky and her team say "Future work will include analyzing the Microsoft Xbox Kinect motion system." Makes you wonder if eventually hackers will be able to steal data such as face/voice recognition files, or even someday your fingerprint/retina scan info, etc. Remember Microsoft did already change the TOS to allow them to eavesdrop or record anything collected by the kinect. Be careful gamers!

The full research paper was obtained through the Association for Information Systems Electronic Library (AISeL), where it was published. Copies can be ordered through them, or you can download it here for free....

"Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives"
Download:
https://hotfile.com/dl/151947849/af5518d/Identity_Theft_and_Used_Gaming_Consoles.pdf.html

Talk about it: http://forums.xbox-experts.com/viewtopic.php?f=4&t=5640

sources:
kotaku.com/
Podhradsky, Dr. Asley L.; D'Ovidio, Dr. Rob; and Casey, Cindy, "Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives" (2011). AMCIS 2011