Cell Phone Secrets Die Hard
duplo1 writes "According to an article on CNN, "Selling your old phone once you upgrade to a fancier model can be like handing over your diaries. All sorts of sensitive information pile[s] up inside our cell phones, and deleting it may be more difficult than you think." It seems that corporate security policies need to extend their disposal standards to mobile devices; but what is there to educate consumers regarding such a potential breach of privacy?"
so what use is the Factory Reset on phones?
All they'll get from me is the number for the local Domino's Pizza... well - maybe some 900 numbers...
Even if you take preventive measures to erase sensitive data from devices, you still have mega-corporations who accidentally release sensitive data like a good smelly fart.
Just stick it in the microwave for about 10 seconds.
Computers are useless. They can only give you answers.
-- Pablo Picasso
I use the ultimate security system. I give my old phones to my baby daughter. Proof of the security is that her own mother won't touch it anymore. Ferpect.
Common sense? When a big organisation gets rid of its old computers it (usually) destroys the hard disks totally. Why should it be any different with mobile phones?
In a previous organisation that I worked for, the IT department (who happened to be in charge of all things cellular) made sure that every outgoing phone went through its hands before going back to the cell operator for an upgrade or onselling etc.
The only education needed is in the specific technology department that handles these things and they just need to basically make sure that things are taken care of before the phone leaves the company - it usually isn't that hard.
of selling old phones. Even if you buy a new one every year (which I'm sure few of us do), it's worth practically nothing. Every time I upgrade phones, I do the same thing: transfer all the desired information to the new one and 'stress test' the old one. (hint: most don't pass the 20lb maul test).
Lose: misplace or fail || Loose: not bound together
I noticed the article really didn't cover a non-destructive way to erase the data permanently.
In my company, we dispose of cellular telephones and other information technology equipment in the proper manner. First, we place that of which we are disposing on a steel platform. Then, a gentleman wielding an enormous iron sledgehammer approaches the aforementioned device, after which he proceeds to smash the fscking thing to bits. Finally, the aforementioned device is placed into the appropriate refuse receptacle. Thus, we are assured that the privacy of our employees is protected from unwanted breaches.
This appears to be an ad on the CNN site disguised as "news".
How does someone get such free advertising?
NTT DoCoMo, in Japan, has a little hole-punch-like device they use to destroy the internal memory chip when you give your phone back, and best of all they do it right there on the spot: you give them your old phone, and they stick it in the device and go "crunch!" Of course, I haven't actually seen the schematics for any (much less all) of the DoCoMo phones so I could theoretically be being fooled, but given the nearly paranoid attitude among Japanese these days over personal information, I doubt DoCoMo would take that risk.
heat BBQ to full temp, place phone into BBQ and cover with hot coals, roast for 30 minutes occasionally turning, serve
I want to blame the sellers for being idiots and not properly clearing their devices... but really, it's the manufacturers who need to be clearer. Having different kinds of "wipes" on a device but not labelling them differently is just plain stupid. There needs to be one option called "quick reset", and another called "Secure Wipe - You will lose everything forever, are you really sure???" and then have 5 queries after it. It's bad when a consumer gets misled by thinking "wipe" means "wipe", but I've had devices where I've found that my "wipe" wasn't total either, and it's because the manufacturer is misleading with their instructions.
That said, I remember the good old days, when you didn't loan out your floppies without running a wipe program on them... otherwise the boys found your 'secret stash' that you just deleted.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
Uh, an AP news release on CNN.com. Did you think this wouldn't make it out at the time of the interview? Idiot. Expect prices on used phones to spike a bit on feeBay over the next few days. The bad guys, even the technophobic lazy slobs, all know now, thanks to you. Thanks, guys!
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
does that mean that calling logs will be available? What about sms?
"Police expert admits mobile phone forensics barrier"
As posted to the internet just last month:
"A police digital forensics expert has admitted that some mobile phones are impenetrable to software used by police in forensic examinations. The revelation follows a paper by a Cambridge researcher which originally made the claim."
http://www.theregister.co.uk/2006/07/07/mobile_phone_forensics_barrier/
I bought a "smart" phone off eBay, it was a good deal, works great. Turns out the old user was a doctor. I know this because, even though he had figured out how to erase his messages and crap, the thing was set up on his hospital's corporate wifi email system, with portable Outlook. The first time I got online (do you know how cool it is that all the pubs in my neighborhood have free wifi now? it's very cool.) It reached out and REFILLED the inbox with hundreds of VERY personal emails (his and his patients), including attachments.
I have no idea what any of the xrays were trying to show me, but he seemed pretty concerned about some spots in a couple of them. I thought it was cool I could zoom in on them with my phone. Man I hope copies are being kept on the server...
Went to South Korea this summer and bought a used cellphone to use while he was there. The previous owner deleted all the phone numbers, but didn't delete her cosplay pictures.
More details than CNN
"This report gives an overview of current forensic software, designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations."
http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
I accidentally broke my old phone, and I wasn't due for an "upgrade" from my provider, so I had to buy a new one. When I got my "new" phone for around $120 dollars, I promptly installed my SIM card only to find that, in addition to my address book, I also had several listings for people I didn't know. My first thought was that these were numbers of associates at the phone store, preloaded in case I had any problems, but after examining the body of the phone and discovering scratches, I realized, to my dismay, that this was a second-hand phone. When I brought it back, I got the feeling that they didn't really want to replace it with a new one, but there just happened to be another customer buying a dozen or so phones for his business, so they really had no choice.
I always wondered what would have happened if I had called those people in the phone's memory to try to find out whose phone I had.
If you can read this sig, you're too close.
If anyone wants your calling info, they can just ask the NSA... (or steal one of their unencrypted, non-password protected laptops...)
"But this one goes to 11!"
It really makes you wonder where the knowledge gap occurs. Many people know that when you delete files from a computer that they are not really deleted and they could be restored. How could they miss the connection? If you've seen one microchip, you've seen them all. Be afraid, be very afraid...
But anyway, who in their right mind would put sensitive information on a medium that its user can lose control over? (Let's overlook the computers that the government has been misplacing with everyone's social security numbers for a split second) You (generally) wouldn't let someone use your computer if it has information that you do not want them to see, why should a cellular telephone be any different?
Next thing you know someone will be surprised at the ability to intercept bluetooth. Someone will be transmitting sensitive information via bluetooth and some buck tooth 14 year old will be around the corner to intercept it...
In closing, since people did not know that their data does not necessarily go away, did you know that if you do not secure a wireless router, people can potentially intercept information?
It's a pity you cannot legislate stupidity...
If you did, you would know that 1-900 numbers don't work on cell telephones.
Simple: you either don't sell the darn phone and just smash it, microwave it and just to be sure toss it into an acid bath overnight, or you make phones use an SD card or something which you have to get at behind the battery or something and it has everything on it, and it becomes removable: insert said SD or micro SD into new phone and bingo, same number, same info, same everything, maybe even same OS. Sound good?
so where's the link to the pics, dammit?
-b.
Even if you take preventive measures to erase sensitive data from devices, you still have mega-corporations who accidentally release sensitive data like a good smelly fart.
Even when they don't release it publicly, they lack both the competence or will to keep it to themselves. I remember, ten years ago, an acquaintance who taunted a friend with private medical information. She had been a clerk for a debt collection agency and used her access to look up all of her friends. The big dumb companies share things they should not and don't keep tabs on it. Imagine what clerks at ChoicePoint could do, then think of how owned their little windoze terminals are. There's not much real privacy left anymore.
Cell phones are not free platforms and the owners are some of the most notorious abusers of personal privacy. Almost all of the Baby Bells were too happy to comply when the Bush administration asked them to break the law and tap their customers. Just to get a Cingular phone six years ago, I had to give the creeps monthly access to my credit record! You have to remember that the parent company at one time refused to allow people to plug modems into their network. The babies continue to stonewall broadband to this day. They will do anything and everything to get some crummy little franchises over their users. Your "secrets" are the last of their concerns, except where it can be used for their own marketing purposes.
My answer kind of sucks, but it works. My cell phone is nothing more. I put names into it because the phone company already knows who I'm talking to. Nothing else goes in. I don't SMS, I will never use their calendars. I resent GPS tracking. I'll never trust their cameras and I'll keep it in a box if I'm ever talking about something sensitive. The damn thing is like a bug in my pocket that can be abused by anyone with the technical wherewithal to pull the wool over the Baby Bells. These days, that's about anyone.
Friends don't help friends install M$ junk.
TransFlash is totally the new CF.
twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.
From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy
Of course, I haven't actually seen the schematics for any (much less all) of the DoCoMo phones so I could theoretically be being fooled, but given the nearly paranoid attitude among Japanese these days over personal information, I doubt DoCoMo would take that risk.
I think greed has more to do with it than anything else; by destroying the phone instead of reselling/recycling/donating it, they protect the market for new phones. If people sold their phones instead of tossing them or letting them be destroyed, then people whose phones died and just simply needed a -working- phone, would be able to get one used instead of having to buy a new one.
Right now, SIM/provider locks are used to help artificially inflate the 'cost' of phones, and get extra money for providers on the contract side, too. I have an old "legacy" AT&T account that costs me $25/month. My phone is on the fritz, and when I asked about getting a new one from "Cingular", Cingular told me that I'd have to get a different plan. Surprise surprise- the "same" plan from Cingular is well over $30, which means that they're getting an extra $120 a year from me.
In the case of the article- they're talking about Smartphones with flash-memory devices, where you need to zero out the memory device to assure no data can be recovered, just like you have to zero a hard drive. "Normal" phones don't have any of these issues- and the article neglects to mention this clearly.
So, just pop the memory card out, pop it into a reader, and run a full format of the card, or just copy a file nearly the same size as the card to it. Done. Nothing to see here, move along, "security research" company scaring people needlessly.
PS: Your phone contains MANY toxic chemicals that DO NOT belong in a landfill. They MUST be properly recycled or donated. If you're too lazy to have it properly recycled or sell it on ebay, please donate it and its charger to a local domestic abuse shelter, as any cell phone by law must be able to dial 911.
Please help metamoderate.
Why else would Cingular have sent us two pre-paid padded envelopes along with our new phones for our old cell phones? They didn't even try to hide it ("We recycle them").
This is the same problem companies had with old hard drives from their employees' computers both at work and at home. People give away or sell their old equipment and with it go their "secrets". Of course, the more important pieces of information were already snooped by industrial espionage, given the sorry state of security on the dominant software platform. Keyloggers abound and employees have been sending things unencrypted all along.
Non free "smart" phones exacerbate the problem because they are even more closed than the dominant platform. How do you wipe the "hard drive" on the thing without ruining it? Does the local phone shop even have what's needed to wipe and reload the flash memory? I can only imagine the mess Windoze mobile versions are. Then there's the cell phone aspect of all this. How much liberty does the phone company have to read and manipulate the contents? The Baby Bells have lately brought new meanings to the term "untrusted network".
Free software phones, like the one being developed by Trolltech have a lot of potential to fix the problems. If it has the usual KDE encryption goodies, your messages and data will be secure. Moreover, reasonable steps can be taken to separate system files from your files and keep your safe. How hard would it be to have a removable SD card as your home directory? If you've ever dropped a PDA and shattered its screen you know that having removable memory with files in standard formats is good for more than privacy when you sell the phone. The non free phones are going to go the way of non free dedicated Internet access terminals of eight years ago, right down the drain. The way Vista is going with "signed" code and other nonsense, I don't think M$ has learned that lesson or that their "smart phones" will be getting any smarter any time soon.
Friends don't help friends install M$ junk.
A few years ago, I had a phone that I really, *really* liked, but had used it so much that I wore the face off of the buttons. So I bought another on eBay, and took the buttons out and installed them in my old phone. But first, I powered up the phone just out of curiosity. It was still activated in the previous owner's name, the address book was still populated, etc. They hadn't even bothered *trying* to erase any data.
Oh, you're not stuck, you're just unable to let go of the onion rings.
So I was just talking about big dumb companies not being able to keep data they should not have in the first place? ATT loses credit card data. That's information they actually need. Do you think they care about your email, besides keeping it for the NSA? Stooges.
Friends don't help friends install M$ junk.
They're all bastards. Skype is much better, when you're able to use it. (Although at the end of 2006 their policies will change and will suck.) http://home.comcast.net/~plutarch/malfy.html
Am I the only one here who disassembles cell phones for parts? LCD Screens, vibrating motors. Most things are too entirely small to use, but I do it anyway.
As article said:
;-)
"Palm Inc., which makes the popular Treo phones, puts directions deep within its Web site for what it calls a "zero out reset." It involves holding down three buttons simultaneously while pressing a fourth tiny button on the back of the phone.
But it's so awkward to do that even Palm says it may take two people. A Palm executive, Joe Fabris, said the company made the process deliberately clumsy because it doesn't want customers accidentally erasing their information."
They haven't seen kungfoo of emacs users 5 keys to a command
2c
About two years ago, I traded in my Blueberry for a Treo 600. My friends at the local cellphone shop agreed to sell my Blueberry for me and promised to clear the memory and personal data before doing so. Thru some glitch (I love that word), they didn't get the speed dial numbers erased from the phone. My closest family members and friends went thru a week of getting annoying calls in the middle of the night (the new owner had it in his pocket and every time he sat down, it dialed someone on the list), before we finally realized what was happening. Thankfully he sat on it one too many times and cratered the screen on the unit in just under two weeks. When they finally got the unit back, it was destroyed beyond repair. I should have done that in the first place. Live and Learn, eh?
Nothing like misleading/incomplete information in an article.
All the references for "recovered data" seem to come from "smart phones". They specifically mention a Treo and a Blackberry. These are basically handheld computers that happen to include a phone. They store large amounts of data in addition to phone records, so they'll also have measures to prevent accidental erasure that would lose more than just old caller ID records.
But the AP weenies who wrote the article are clueless and just call them all "phones". Then the Slashdot summary just says "phones". These aren't phones, they're pocket computers designed to retain large amounts of information. The better they are at retaining the data, the harder it's naturally going to be to remove it all on purpose.
Now there will be more cheap Nokias and Motorolas going into landfills in pieces because no one told people the difference. No one will tell them about removing a SIM card from a GSM phone vs. a CDMA phone that doesn't have a SIM card.
What's wrong with this world, why are you selling a cell phone when it still works? If it works for you, keep it. I think you're just wasting money on a new phone that you don't need. Keep your phone and keep your privacy, until it breaks; then dispose of it accordingly.
"To be is to do." --Socrates
"To do is to be." -- Aristotle
"Do-Be-Do-Be-Do..." --Sinatra
Nothing that a big mighty magnet can't fix!
My blog: http://www.redcode.nl
Ah yes. My mom had to learn the hard way - when she sold her old cell phone to a friend of mine, she neglected to delete all of her data, which resulted in my friend's screaming in terror upon being faced with my mom's amateur camphone pr0n pics... ;_;
Why would you leave your data on your phone if you are planning to give it away? If you do then sorry to say but "law does not protect the fools".
The warning labels say really bad things could happen if you dispose of the phone in a fire... Well, I WANT the darn thing destroyed beyond repair so how about tossing it into a fire? Outdoors of course because there is a non-zero chance that it could explode, and it WILL release stuff you don't want to breathe, but that's what outdoor bonfires are for. Ok, it would be bad for the environment if everyone did this, but most people just toss them in the trash, trade them in, or give them to charity so it wouldn't be much of an enviro impact. If you're worried about it, just use a REALLY hot fire.
There ought to be other warnings that could be useful without using fire... For example, I had a phone that recommended against eating the phone and/or battery. I'm pretty sure that eating the phone (or convincing another critter to eat it) would render the memory unreadable, nearly as thoroughly as disposing of it in a fire.
The problem is there are two conflicting requirements. As long as the phone stays with you, there's a requirement to preserve the integrity of the data at all costs. But at some point you are going to want rid of the data, and its integrity becomes a liability rather than an asset.
Now, it's not at all hard to implement a "FORGET ALL" functionality: all you have to do is overwrite the entire memory with any combination of ones and zeros that doesn't represent the stored data, and if you need more than 50 bytes for that then you're not trying. The problem is that, right up until the moment you want to pass the phone on to someone else, you don't want it to be at all easy to do this: you want it to be hard, so it doesn't happen accidentally {or get done to you maliciously}.
It needs to be hidden behind some complicated procedure that is never going to happen accidentally -- such as activating dial lock, plugging the recharger into the phone whilst switched off at the wall socket, then turning on the wall socket switch whilst pressing * and RH Soft Key together on the phone. {I think it would be best to require the recharger plugged in to perform the security erase, since the battery could conceivably run out mid-cycle and leave data intact.} Even then, some idiot is bound to try it out "just to see what it does".
And it probably needs to be a matter of law for manufacturers to implement such a feature, because phone companies have another good reason not to implement it: apart from idiots deliberately nuking their data then complaining when they can't get it back, if the only way to be sure the data is gone is to destroy the entire phone, then they will sell more phones. We also need, in the same bill, a legal onus on any person who acquires any kind of used data storage device to respect the confidentiality of any residual data left in that device. If you sell your phone containing personal information and the person who buys it reads your old text messages, they should be held liable if that information leaks out. If they're just using it normally, your messages will soon get obliterated by the new owner's messages. Actually poking about for data and disclosing it to third parties should be punishable.
Je fume. Tu fumes. Nous fûmes!
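The two comments above (zeroing a memory card, and a "FORGET ALL" that overwrites the entire memory) describe the same operation; the following is an added example, not part of any comment in the thread, contrasting a reset that only clears an index with a full overwrite plus read-back check. The image layout, record contents and function names are constructed for illustration, and the code runs against an image file rather than a real device.

```python
import os
import tempfile

BLOCK = 512  # bytes per block in the constructed image

# Constructed sample data standing in for an address book entry and an SMS.
SECRETS = [b"CONTACT:Alice Example;+15550100", b"SMS:door code is 4921"]


def build_image(path, blocks=64):
    """Write a toy 'memory card': block 0 is an index, data sits in later blocks."""
    image = bytearray(blocks * BLOCK)
    image[0:8] = b"INDEX\x00\x02\x00"  # index claims two records in use
    # Second record deliberately straddles the 8192-byte read boundary.
    for start, secret in zip([10 * BLOCK, 16 * BLOCK - 10], SECRETS):
        image[start:start + len(secret)] = secret
    with open(path, "wb") as f:
        f.write(image)


def quick_reset(path):
    """Model of a reset that only clears the index; data blocks are untouched."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * BLOCK)
        f.flush()
        os.fsync(f.fileno())


def zero_out(path):
    """Overwrite every byte with zeros, force it to storage, return bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(BLOCK * 16, size - written)
            f.write(b"\x00" * n)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def find_residue(path, needles, chunk=4096):
    """Scan the raw image for any needle, keeping an overlap across chunk edges."""
    overlap = max(len(n) for n in needles) - 1
    found, tail = set(), b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            window = tail + data
            found.update(n for n in needles if n in window)
            tail = window[-overlap:] if overlap else b""
    return found


def is_blank(path, chunk=4096):
    """Read the image back and confirm every byte is zero."""
    with open(path, "rb") as f:
        while data := f.read(chunk):
            if data.count(0) != len(data):
                return False
    return True


def demo():
    """Return (residue after quick reset, residue after zero-out, blank check)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "card.img")
        build_image(path)
        quick_reset(path)
        after_quick = find_residue(path, SECRETS)
        zero_out(path)
        return after_quick, find_residue(path, SECRETS), is_blank(path)


if __name__ == "__main__":
    print(demo())
```

On real flash, wear levelling can leave remapped cells untouched by a logical overwrite, so the read-back check only covers what the controller exposes.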
I have a sony/ericsson k750i at the moment (handed down) which is an amazing phone. I've been exploring inside the FS and found that it stores things all over the place (phone mem/flash). It's amazingly counter-intuitive but thanks to this I received some sweet (although NN) pics of my best friend's girlfriend pole-dancing.
on the 650, it's easier as you suggest. On the 600, it's a very convoluted thing that one person can do, but not do easily. However, this is a good thing: they document it in the manual, tell you the keys to press and you definitely won't do it by accident. Ric
You can format a Nokia Symbian Powered Smartphone by powering off the phone then powering on while holding down *, 3 and Call (Green button), letting go when prompted for your pin. This has applied to all the smartphones I've owned since 4 years ago. 6600, 6680, N70 and N80. The add-in memory card in each can simply be removed.
When have you ever seen a phone without a master reset feature? I know I never have.
They even point this out in TFA:
Palm Inc., which makes the popular Treo phones, puts directions deep within its Web site for what it calls a "zero out reset." It involves holding down three buttons simultaneously while pressing a fourth tiny button on the back of the phone.
But it's so awkward to do that even Palm says it may take two people. A Palm executive, Joe Fabris, said the company made the process deliberately clumsy because it doesn't want customers accidentally erasing their information.
Oh cry me a river - it's supposed to be hard to do a master reset, that's so you don't do it by accident and wipe your phone!
Is it really that difficult to push four buttons at once? What are we now, chimps?
I would expect someone who uses 'behoove' so obliquely in conversation to be snappy enough to have already reached this conclusion.
Step one: Place phone in bucket of water while turned on for 3 days
Step two: Place under rear tire of car and then back up
Step three: smash with hammer
Now it's safe to give back to the phone company for recycle
-- I am the NRA, enough said...
If all bluetooth-enabled phones are like mine, nobody is going to send any data, sensitive or otherwise, by bluetooth.
In my mighty Samsung A640's user manual, the bluetooth section takes all of 1 page. Just enough to tell you how to turn it on and change the device name. Just like the GPS feature: it makes a little icon light up on the screen, no more.
You're not old until regret takes the place of your dreams.
I need software to read deleted short messages from a Samsung a900.
And before you ask, YES, it's my phone.
Do daemons dream of electric sleep()?
The industry is already aware of the problem and has solved it.... the answer is:
Nokia/IntelliSync Device Manager OMA
You buy a per device license and you can then use the licenses in any ratio between the Professional Edition (which specializes in PDA management) and the OMA edition which specializes in phones. With the OMA edition - for which I developed the training class - you can establish a secure trusted connection to the handset. A 4-digit hex fingerprint is required to avoid MITM. From that point on - any action can be carried out by the central administrator without further user intervention, including application installation, settings, inventory, and a complete device wipe. Available applications include Blackberry and 4-5 other email solutions, Norton AV, and Pointsec flash disk encryption.
The problem is not the technology; the technology is HERE. The problems are:
1. Drop cell phone into 200% molar sulphuric acid. I forgot what molar means.
2. Watch...from a safe distance. Preferably in another with camera surveillance and ventilation.
3. Tape it and put on youtube, videogoogle, break, etc.
******
Alternative
1. Put phone in mass destabilizer unit.
2. Turn it on.
3. Turn it off.
The most a snoop would get off my phone is that I have a Cingular phone and I work for Verizon Wireless...
There's a lot of fucked up shit on the internet. And I've downloaded it all.