
Monday, October 27, 2014

How a Smartphone Factory Reset Doesn’t Really Protect You

Tools used to recover data include FTK Imager. Credit: Avast

Smartphones are no different from computers: you need to
overwrite or encrypt the data to get rid of it, despite what some
smartphone makers imply.

You might already know it, but there’s money in old
phones. If you’ve been selling-on devices when you’re done with them,
take note of some new research. Experts have found that when upgrading
to a new device, a simple factory reset doesn’t wipe clean your old phone.

The eBay experiment

Security software maker Avast performed the study. It analyzed 20 eBay-sourced, used phones, and was able to recover swaths of data including compromising stuff.

Remarkably, all of the previous owners had performed factory resets, something you’d think would clear the device.

The data that the security outfit uncovered included over 40,000 images and more than 750 e-mails and texts.

Of those images 750 were of women without many of their clothes, and
250 were selfies of probably better left un-photographed parts of the
male anatomy.

Contact names and addresses were still on the devices as was one completed loan application.

In the experiment Avast used specialist software to conduct the
hidden-data recovery job. But clearly there are failings with the common
factory reset, which basically eliminates the data index only.

Encrypt Your Android

Alternatives to a reset include overwriting and encrypting the data
itself. The encryption process scrambles the data. The electronic
encryption keys are then deleted during the reset, said Ken Munro, a
security expert at Pen Test Partners.

“Any data in slack space on the device should be encrypted and pretty much irrecoverable,” he said. Encryption options
are built into many post-Android 3.0 OS devices. Not all devices
support it, according to Munro. The next version of Android, currently
known as “L” and due later this year, will likely have encryption turned
on by default, he said.


Overwriting the drive with ones and zeroes using a commercial
solution like a third-party app is another way of ensuring data can’t be
read again. Avast is one provider. There are varying degrees of
feature-creep in options at the Google Play store.
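
The difference between a plain reset, a reset followed by an overwrite, and encryption followed by a reset can be shown on a toy model. This is an added example, not code from the article or from Avast: ToyFlash, carve and recovered_after are hypothetical names, the SHA-256 keystream is a stand-in for real device encryption, and the photo bytes are constructed sample data.

```python
import hashlib

BLOCK = 32
JPEG_MAGIC = b"\xff\xd8\xff"  # start-of-image bytes a carving tool scans for

def keystream_xor(data, key):
    """Toy cipher (SHA-256 keystream); a stand-in for real device encryption."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

class ToyFlash:
    """Constructed model: an index of file names plus raw storage blocks."""

    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.index = {}

    def write(self, name, data, key=None):
        if key is not None:                 # encrypted device: only ciphertext hits storage
            data = keystream_xor(data, key)
        slot = len(self.index)
        self.blocks[slot] = data.ljust(BLOCK, b"\x00")[:BLOCK]
        self.index[name] = slot

    def factory_reset(self):
        self.index.clear()                  # index is dropped, blocks are untouched

    def overwrite(self):
        self.blocks = [bytes(BLOCK) for _ in self.blocks]   # zero every block

def carve(flash):
    """Ignore the index and scan raw blocks for image headers."""
    return [b for b in flash.blocks if b.startswith(JPEG_MAGIC)]

def recovered_after(mode):
    """Return how many photos carving finds after the given disposal method."""
    photo = JPEG_MAGIC + b"constructed-sample-photo"     # constructed sample data
    key = b"device-key" if mode == "encrypt+reset" else None
    flash = ToyFlash()
    flash.write("IMG_0001.jpg", photo, key)
    flash.factory_reset()                   # on the encrypted device the key goes too
    if mode == "reset+overwrite":
        flash.overwrite()
    return len(carve(flash))

if __name__ == "__main__":
    for mode in ("reset", "reset+overwrite", "encrypt+reset"):
        print(mode, "->", recovered_after(mode), "photo(s) recovered")
```

Only the plain reset leaves the photo recoverable; the other two leave zeroes or ciphertext with no key.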

iOS issues

Avast didn’t check used iPhones during its eBay experiment. But
Apple’s iPhone could also be susceptible to erased data recovery
although it’s more complicated, said Avast’s mobile product manager
Tomas Zeman.

Despite being widely thought of as encrypted, Apple’s file system is
often unlocked and elements including images aren’t encrypted at all,
according to iOS forensics expert Jonathan Zdziarski.

Avast reckons that if an operating system is not encrypted, you can
be “somewhat successful” in recovering data using an extraction
technique similar to the one used for Android phones. But Zeman thinks that
iOS forensics is much harder to do than Android. “If the iOS encrypts
the data on the device, then if anybody tries to recover the data, they
recover encrypted data,” he said. Sellers can take some precautions.

An old-tech solution

It’s only recently that mobile operating system makers have even
begun to address the issue of retiring or handing down devices. I
remember the days of smashing phones with a hammer. Some years ago, I
needed to end the life of a 2008 Palm Treo, the granddaddy of
smartphones. It was full of account numbers – we didn’t do selfies in
those days. There was no data deletion at all then, when performing a
factory reset. Factory resets were only used to un-hang stalled devices.

I wrapped the aging device in a towel and smashed it to bits on the concrete
floor of my downtown loft. I then dumped the pieces in the street
recycling receptacle. I didn’t get hacked.

Bricked devices

And if you can’t factory reset the device before selling it? For example, if it’s bricked? “Then simply don’t sell it. If you can’t encrypt the device before wipe, definitely don’t sell it,” Munro said.

But don’t worry. eBay has hammers too, if you need one.

Encrypting a Jelly Bean or KitKat Android device

Step 1: Plug in the smartphone and let the battery charge.
Keep the power cable connected so there’s no chance of power failure.
That can corrupt the process.

Step 2: Open Settings and find the Security menu item. Choose the Screen Lock menu item and enter a long, hard-to-guess password. Then follow the prompts to confirm it.

Step 3: Scroll to the Encrypt phone item in Security settings and choose the Encrypt SD card option by marking the checkbox. Select Next, and confirm your password at the prompts.

Step 4: Press Encrypt phone. The process can take half-an-hour, and will reboot the phone a few times.

Tip: Removing any external SD cards, before starting
encryption, and storing them safely away, will eliminate any media on
that card being

The Open Standard
