Used Phones Are Full of Previous Owners’ Data

simone mescolini/

The ongoing high-profile legal fight between Apple and the government might give the impression that modern smartphones have evolved into impenetrable, encrypted fortresses. After all, even the FBI, with all its tools and resources, can’t hack its way into a 3-year-old iPhone.

Outfitted with the latest security technology, late-model iPhones and Androids are indeed very effective at hiding information. But they make up only a small subset of the billions of smartphones in the world. Much of the rest of the smartphone market is outdated, buggy and downright leaky.

Smartphones with poor security can continue to be dangerous even after they part ways with their owners. Researchers at Avast, a European software-security company, found more than 2,000 personal photos, emails and text messages on 20 phones they bought at pawn shops in four cities.

The pawn-shop owners said the smartphones were reset to factory settings and wiped of previous owners’ data before hitting the shelves. But Avast found that half the phones that had been reset suffered from a bug in an outdated version of Android that leaves data vulnerable to recovery, even after it has been deleted.

Phones with this software bug continue to be sold today, said Gagan Singh, Avast’s president of mobile security.

But more often than not, the presence of easily recoverable data wasn’t the phone’s fault—it was the owner’s. Twelve of the 20 phones examined were not, in fact, factory reset.

On some, owners tried to delete their files manually. In those cases, researchers were often able to dig up the deleted files with free data-recovery tools available online. Other owners hadn’t even tried to delete files or perform a factory reset before selling their devices—and two phones were even still signed into old Gmail accounts.

It may not come as a surprise that the pawn-shop owners made less-than-accurate claims about the smartphones they were reselling. In fact, it could be that the smartphone owners who didn’t reset their phones to factory settings were not planning to sell their phones: Pawn shops often end up with lost and stolen electronics.

In the end, the researchers compiled a massive trove of recovered information. They found more than 1,200 photos, including nearly 150 of children; 300 emails and texts; three invoices; and one contract.

And in keeping with CSI lore, some of the recovered data was potential blackmail material. Researchers found 170 Google searches for porn, 200 explicit photos and one adult video.

Advanced recovery methods can find even more: A pair of researchers at Cambridge University were able to extract passwords and encryption keys from buggy Android phones that had been factory reset.

As new smartphones ship with stronger and stronger encryption, used phones are becoming less likely to cough up previous owners’ information. The difference is stark: When Avast’s researchers ran a similar experiment last year, they found 40,000 emails, texts and photos. That’s a 95 percent decrease in just one year.

Current iPhones, for example, are outfitted with full-disk encryption, which renders data indecipherable without a passcode. This technology, which has locked the FBI out of many phones it wants to access, has also led to a drop in smartphone thefts.

But the newest, shiniest smartphones are out of reach for many in the U.S. and abroad. If a CEO leaves an iPhone 6S in a taxi and it’s stolen, an assistant can lock it remotely and expense a new one the next day. But for those who can’t afford a $650 phone, cutting-edge encryption is not the default. And that means that someone selling their entry-level smartphone at a pawn shop—perhaps for some cash between paychecks—can be putting themselves at risk of potentially disastrous credit fraud or identity theft.
