Cell Phone Secrets Die Hard
duplo1 writes "According to an article on CNN, "Selling your old phone once you upgrade to a fancier model can be like handing over your diaries. All sorts of sensitive information pile[s] up inside our cell phones, and deleting it may be more difficult than you think." It seems that corporate security policies need to extend their disposal standards to mobile devices; but what is there to educate consumers regarding such a potential breach of privacy?"
Common sense? When a big organisation gets rid of its old computers it (usually) destroys the hard disks totally. Why should it be any different with mobile phones?
In a previous organisation that I worked for, the IT department (who happened to be in charge of all things cellular) made sure that every outgoing phone went through its hands before going back to the cell operator for an upgrade or on-selling etc.
The only education needed is in the specific technology department that handles these things and they just need to basically make sure that things are taken care of before the phone leaves the company - it usually isn't that hard.
NTT DoCoMo, in Japan, has a little hole-punch-like device they use to destroy the internal memory chip when you give your phone back, and best of all they do it right there on the spot: you give them your old phone, and they stick it in the device and go "crunch!" Of course, I haven't actually seen the schematics for any (much less all) of the DoCoMo phones so I could theoretically be being fooled, but given the nearly paranoid attitude among Japanese these days over personal information, I doubt DoCoMo would take that risk.
Also in the article:
"Mansell pointed out that time-consuming manual examination can still retrieve phone data."
All they're saying is that non-standard formats make it harder to lift information - it's still there. Just like it's harder to recover lost data on ReiserFS than it is on ext2. It's still there, but the filesystem makes it a little more confusing.
Anyway, this should become less of a problem as manufacturers settle on a few standard formats to cut costs.
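An added illustration of the point that a deleted record is "still there" until the storage is actually overwritten. This is example code written for this page, not from the CNN article, NIST, or any poster; the record layout is a constructed toy (a flat flash image with one in-use flag byte per fixed-size slot), not any real handset's format, and the phone numbers are made up.

```python
"""
Toy model of a phone's flash store: a logical "delete" only flips an
allocation flag, so a raw scan (what a forensic tool does) still finds
the data; only overwriting the storage removes it.
Layout is constructed for this example, not a real handset format.
"""
import re

PAGE = 64   # bytes per record slot (toy layout, assumption)
SLOTS = 8   # number of slots in the image


def new_flash():
    # Erased flash reads back as 0xFF.
    return bytearray(b"\xff" * PAGE * SLOTS)


def write_record(flash, slot, data):
    # Slot format: 1 flag byte (0x01 = in use) followed by the payload.
    assert len(data) < PAGE - 1
    start = slot * PAGE
    flash[start] = 0x01
    flash[start + 1:start + 1 + len(data)] = data
    return flash


def delete_record(flash, slot):
    # What a typical "delete" does: clear the in-use flag, leave the bytes.
    flash[slot * PAGE] = 0x00
    return flash


def list_records(flash):
    # What the phone UI shows: only slots whose flag says "in use".
    out = []
    for s in range(SLOTS):
        if flash[s * PAGE] == 0x01:
            body = bytes(flash[s * PAGE + 1:(s + 1) * PAGE]).split(b"\xff", 1)[0]
            out.append(body.decode())
    return out


def carve(flash, pattern=rb"\+?\d[\d -]{6,}\d"):
    # What a forensic tool does: ignore the allocation flags and scan the
    # raw bytes for anything that looks like a phone number.
    return [m.group().decode() for m in re.finditer(pattern, bytes(flash))]


def overwrite(flash):
    # Zero every byte of the image; only this removes the remanent data.
    flash[:] = bytes(len(flash))
    return flash


def run_scenario():
    flash = new_flash()
    write_record(flash, 0, b"Alice +44 20 7946 0958")  # constructed sample data
    write_record(flash, 1, b"Bob 555-0142")
    delete_record(flash, 0)              # user "deletes" Alice
    visible = list_records(flash)        # UI shows only Bob
    carved = carve(flash)                # raw scan still finds both numbers
    overwrite(flash)
    return visible, carved, carve(flash)  # after overwrite: nothing to carve


if __name__ == "__main__":
    visible, carved, after_wipe = run_scenario()
    print("UI after delete:", visible)
    print("Carved after delete:", carved)
    print("Carved after overwrite:", after_wipe)
```

The same distinction applies to a reset that only reloads defaults into RAM: the flag bytes (or their real-world equivalent) change, the payload bytes do not, and a raw dump of the flash chip recovers them.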
More details than CNN
"This report gives an overview of current forensic software, designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations."
http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
It resets the RAM and loads all the default settings for built-in applications from ROM. It typically doesn't touch the FlashRAM.
But that's just the typical reset. Factory Reset isn't a feature that is normally exposed without additional external attachments (a cable, a PC, and special software).
Of course, I haven't actually seen the schematics for any (much less all) of the DoCoMo phones so I could theoretically be being fooled, but given the nearly paranoid attitude among Japanese these days over personal information, I doubt DoCoMo would take that risk.
I think greed has more to do with it than anything else; by destroying the phone instead of reselling/recycling/donating it, they protect the market for new phones. If people sold their phones instead of tossing them or letting them be destroyed, then people whose phones died and just simply needed a -working- phone, would be able to get one used instead of having to buy a new one.
Right now, SIM/provider locks are used to help artificially inflate the 'cost' of phones, and get extra money for providers on the contract side, too. I have an old "legacy" AT&T account that costs me $25/month. My phone is on the fritz, and when I asked about getting a new one from "Cingular", Cingular told me that I'd have to get a different plan. Surprise surprise- the "same" plan from Cingular is well over $30, which means that they're getting an extra $120 a year from me.
In the case of the article- they're talking about Smartphones with flash-memory devices, where you need to zero out the memory device to assure no data can be recovered, just like you have to zero a hard drive. "Normal" phones don't have any of these issues- and the article neglects to mention this clearly.
So, just pop the memory card out, pop it into a reader, and run a full format of the card, or just copy a file nearly the same size as the card to it. Done. Nothing to see here, move along, "security research" company scaring people needlessly.
PS: Your phone contains MANY toxic chemicals that DO NOT belong in a landfill. They MUST be properly recycled or donated. If you're too lazy to have it properly recycled or sell it on ebay, please donate it and its charger to a local domestic abuse shelter, as any cell phone by law must be able to dial 911.
Here in Australia, you can ring 19xx numbers from cellphones just fine (unless you have a prepaid or other weird account/plan).
On my Motorola L6 (and other Motos), there are options labeled "master reset" and "master clear". Activating both will clear out pretty much everything (including stored SMSs, phonebook contents and so on; it would probably remove custom ringtones and pictures and such too).
Interesting. Does it reformat internal flash as well with factory-default settings? Most of the phones I've dealt with will wipe out the application settings folder but will leave the user data untouched, so it's less a "factory reset" than a "restore to original settings" reset.
Well if it was Wi-Fi there would be no data charge since it's not going through the cell provider's network!
This is pure rubbish: to zero-out a Treo 650, all you have to do is hold the power button while pressing reset. When the second Palm logo comes up, release power and hit up on the 5-way to confirm.
About two years ago, I traded in my Blueberry for a Treo 600. My friends at the local cellphone shop agreed to sell my Blueberry for me and promised to clear the memory and personal data before doing so. Through some glitch (I love that word), they didn't get the speed dial numbers erased from the phone. My closest family members and friends went through a week of getting annoying calls in the middle of the night (the new owner had it in his pocket and every time he sat down, it dialed someone on the list), before we finally realized what was happening. Thankfully he sat on it one too many times and cratered the screen on the unit in just under two weeks. When they finally got the unit back, it was destroyed beyond repair. I should have done that in the first place. Live and learn, eh?
if you're on a pre-pay, those phones are only good for that plan.
Not true. If a phone has been unlocked for $10 or so, it can be used on any compatible network. Meaning I could eBay a Cingular phone and use it with T-Mobile-To-Go and pay by the month.
Furthermore, for $75 I could eBay a used Motorola V330 that had been used with a T-Mobile 2-year contract. Then I could use it with T-Mobile-To-Go. I'd get a good phone for a great price that is more capable than the Samsung SGH-209. T-Mobile sells that one new for $99.
I happened to be researching them last week before buying.
The industry is already aware of the problem and has solved it. The answer is:
Nokia/IntelliSync Device Manager OMA
You buy a per-device license and you can then use the licenses in any ratio between the Professional Edition (which specializes in PDA management) and the OMA edition, which specializes in phones. With the OMA edition - for which I developed the training class - you can establish a secure trusted connection to the handset. A 4-digit hex fingerprint is required to avoid MITM. From that point on, any action can be carried out by the central administrator without further user intervention, including application installation, settings, inventory, and a complete device wipe. Available applications include Blackberry and 4-5 other email solutions, Norton AV, and Pointsec flash disk encryption.
The problem is not the technology; the technology is HERE. The problems are: