Slashdot Mirror


Cell Phone Secrets Die Hard

duplo1 writes "According to an article on CNN, "Selling your old phone once you upgrade to a fancier model can be like handing over your diaries. All sorts of sensitive information pile[s] up inside our cell phones, and deleting it may be more difficult than you think." It seems that corporate security policies need to extend their disposal standards to mobile devices; but what is there to educate consumers regarding such a potential breach of privacy?"


  1. factory reset? by Anonymous Coward · · Score: 3, Interesting

    so what use is the Factory Reset on phones?

    1. Re:factory reset? by BadAnalogyGuy · · Score: 5, Informative

      It resets the RAM and loads all the default settings for built-in applications from ROM. It typically doesn't touch the FlashRAM.

      But that's just the typical reset. Factory Reset isn't a feature that is normally exposed without additional external attachments (a cable, a PC, and special software).

    2. Re:factory reset? by jonwil · · Score: 2, Informative

      On my Motorola L6 (and other motos), there are options labeled "master reset" and "master clear". Activating both will clear out pretty much everything (including stored SMSs, phonebook contents and so on. Would probably remove custom ringtones and pictures and such too)

    3. Re:factory reset? by BadAnalogyGuy · · Score: 2, Informative

      Interesting. Does it reformat internal flash as well with factory-default settings? Most of the phones I've dealt with will wipe out the application settings folder but will leave the user data untouched, so it's less a "factory reset" than a "restore to original settings" reset.

    4. Re:factory reset? by Ucklak · · Score: 2, Interesting

      Every cellphone I've had has had the same, a master reset and a master clear which to me, and I'm a snoop, cleaned out everything.
      Why even try to sell a phone that is so last year's model?

      If you're on a plan, you get free phones and if you're on a pre-pay, those phones are only good for that plan.

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    5. Re:factory reset? by yppiz · · Score: 3, Insightful

      If you're on a plan, you get free phones and if you're on a pre-pay, those phones are only good for that plan.

      Once you're month-to-month (which normally happens at the end of your plan) you may wish to get a new phone without being locked in for an additional year or two. You can get this year's model on eBay if you really need it, but why bother? Get last year's model for $40 and you've got the freedom of a pay as you go plan but with a much better phone and more predictable monthly costs. It's the best elements of a plan without the contract.

      --Pat

    6. Re:factory reset? by ErikTheRed · · Score: 4, Interesting

      It's probably good in many cases - notice that this "article" is practically a re-write of a press release from a company that sells (drum-roll...) software to encrypt the crap on your cell phone! Gee, you think they may just be trolling for business?

      --

      Help save the critically endangered Blue Iguana
    7. Re:factory reset? by NeMon'ess · · Score: 4, Informative

      if you're on a pre-pay, those phones are only good for that plan.

      Not true. If a phone has been unlocked for $10 or so, it can be used on any compatible network. Meaning I could eBay a Cingular phone and use it with T-Mobile-To-Go and pay by the month.

      Furthermore, for $75 I could eBay a used Motorola V330 that had been used with a T-Mobile 2-year contract. Then I could use it with T-Mobile-To-Go. I'd get a good phone for a great price that is more capable than the Samsung SGH-209. T-Mobile sells that one new for $99.

      I happened to be researching them last week before buying.

    8. Re:factory reset? by plague3106 · · Score: 2, Insightful

      Even though it's technically possible, it takes the actual clerk that has disdain for the company to actually let it happen.

      Personally I think this is where the government could do some good by putting a regulation in place. This would further force cell providers to compete more, since you don't lose the investment of your phone. Phone prices would also likely drop, as you can now use some phones that were not available before on say Verizon.

      I think prices are kept artificially high now, just so they can give you 'rebates' to entice you to sign up.

  2. They won't get much from mine... by Anonymous Coward · · Score: 5, Funny

    All they'll get from me is the number for the local Domino's Pizza... well - maybe some 900 numbers...

    1. Re:They won't get much from mine... by AcidLacedPenguiN · · Score: 2, Funny

      Yeah I'd be horrified if they got my 'reel sensitive' text message history. . .
      omg u g01n 2 da m0vi tonyt?
      may b i hav 2 get f00d b 4 tho
      ok ttyl :)
      cya

      --
      disclaimer: I've been known to store numbers in my ass for which to dig out when quantities are required.
  3. What's the point? by __aaclcg7560 · · Score: 4, Funny

    Even if you take preventive measures to erase sensitive data from devices, you still have mega-corporations who accidentally release sensitive data like a good smelly fart.

    1. Re:What's the point? by VirusEqualsVeryYes · · Score: 3, Funny

      Who needs leaky mega-corporations when you've got the NSA?

  4. easy fix by lawpoop · · Score: 5, Funny

    Just stick it in the microwave for about 10 seconds.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
    1. Re:easy fix by AmberBlackCat · · Score: 3, Funny

      You can kill it faster if you replace your battery with a Sony one.

    2. Re:easy fix by BrokenHalo · · Score: 2, Funny

      Of course, if you get an LG U8120 phone like mine, you can pretty much guarantee the system software is so crappy, nobody will be able to get any information off the machine...

  5. People sell their phones? by rivj0r · · Score: 2, Funny

    I use the ultimate security system. I give my old phones to my baby daughter. Proof of the security is that her own mother won't touch it anymore. Ferpect.

  6. Common Sense? by nachmore · · Score: 2, Informative
    but what is there to educate consumers regarding such a potential breach of privacy?

    Common sense? When a big organisation gets rid of its old computers it (usually) destroys the harddisks totally. Why should it be any different with mobile phones?

    In a previous organisation that I worked for, the IT department (who happened to be in charge of all things cellular) made sure that every outgoing phone went through its hands before going back to the cell operator for an upgrade or onselling etc.

    The only education needed is in the specific technology department that handles these things and they just need to basically make sure that things are taken care of before the phone leaves the company - it usually isn't that hard.

    1. Re:Common Sense? by Frogular · · Score: 3, Interesting
      The only education needed is in the specific technology department that handles these things and they just need to basically make sure that things are taken care of before the phone leaves the company - it usually isn't that hard.
      I disagree. The problem is not limited to devices provided by an employer. Employees are likely to put confidential company information on their personal PDAs, just as they do on their home computers. Most of them let confidential information leak simply because they weren't aware that emptying your Recycle Bin doesn't really delete it.

      They need to be FUDed into action by articles just like this one, or by their IT departments - that *really* deleting sensitive data, be it browser history, email, pr0n or cellphone texts, requires that certain magical steps be taken.

      Once aware that some sort of magical wiping procedure is required, they will naturally bother to discover the appropriate procedures by asking their IT department/some expert if they deem the information sufficiently sensitive.

      magic == dd if=/dev/urandom of=/dev/treoflashdevicething
    2. Re:Common Sense? by 1u3hr · · Score: 2, Insightful
      Common sense? When a big organisation gets rid of its old computers it (usually) destroys the harddisks totally. Why should it be any different with mobile phones?

      And TFA recommends you should physically destroy your old phones. All very convenient for the phone manufacturers, no competition from the secondhand market. Not to mention the toxic electronic waste. And the phone manufacturers don't provide a simple "wipe/overwrite/wipe" command, for fear some idiot will use it unintentionally and complain, or because it takes longer than the "pretend" wipe they do provide that hides but doesn't really delete.

  7. What's the point by NeilTheStupidHead · · Score: 2, Funny

    of selling old phones. Even if you buy a new one every year (which I'm sure few of us do), it's worth practically nothing. Every time I upgrade phones, I do the same thing: transfer all the desired information to the new one and 'stress test' the old one. (hint: most don't pass the 20lb maul test).

    --
    Lose: misplace or fail || Loose: not bound together
    1. Re:What's the point by NMerriam · · Score: 2, Interesting

      Even if you buy a new one every year (which I'm sure few of us do), it's worth practically nothing.

      Well, $20 is $20. If it works, you'll get at least that much on eBay. Heck, I've sold no-frills phones that were 3-4 years old for $50 on eBay.

      Smartphones, the ones most likely to carry sensitive data, cost hundreds of dollars new, so selling one that is several years old can still get you $100-300 depending on popularity of the model -- particularly since service providers frequently update models with useless features (or cripple them more, as any Verizon customer has experienced) and raise the price, so people looking for replacements often turn to the used market just to get a decent phone that works.

      --
      Recursive: Adj. See Recursive.
  8. In my company... by rice_burners_suck · · Score: 5, Funny

    In my company, we dispose of cellular telephones and other information technology equipment in the proper manner. First, we place that of which we are disposing on a steel platform. Then, a gentleman wielding an enormous iron sledgehammer approaches the aforementioned device, after which he proceeds to smash the fscking thing to bits. Finally, the aforementioned device is placed into the appropriate refuse receptacle. Thus, we are assured that the privacy of our employees is protected from unwanted breaches.

    1. Re:In my company... by Joey+Patterson · · Score: 4, Funny
      Then, a gentleman wielding an enormous iron sledgehammer approaches the aforementioned device, after which he proceeds to smash the fscking thing to bits.

      Your company hired Gallagher?
    2. Re:In my company... by tktk · · Score: 2, Funny
      Then, a gentleman wielding an enormous iron sledgehammer...

      If you were really serious about security, you'd then smash the gentleman to bits. Who knows what he learned while handling it?

    3. Re:In my company... by StikyPad · · Score: 2, Interesting

      Or just get one of these bad boys:

      4033 Industrial Shredder
      The Ultimate in Central Shredding Systems. Designed to be versatile to work as a stand alone destruction unit or in combination with a disintegrator for maximum size reduction. The Model 4033 shredder is capable of destroying bulk product from roll stock to whole computer towers into pieces 2" wide at random lengths. Add a disintegrator to achieve particle sizes to meet DoD requirements.

      Disintegrator description:

      Waste material is fed into the machine through a safety feed hopper. The cutting mechanism consists of 2 to 5 knives mounted on a steel rotor that pass 2 stationary bed knives (0.005 inch gap) at 500-600 rotations per minute (RPM) for up to 6,000 cuts per minute.

      Waste is cut until small enough to fall through a perforated steel screen beneath the cutting rotor. The screens are interchangeable so that the degree of destruction can be varied from 3/32 to 3 inches. Thick, tough materials such as diskettes and CD-ROMs can be destroyed with less power and less chance of jams due to the high mass of the rotor and thickness of the knives.

      http://www.semshred.com/content603.html

      No home should be without one.

      Although personally, the only times I've bought a new mobile phone were to replace the old ones I'd lost or broken. If someone wants to try to repair a phone that's taken a saltwater bath in order to steal my contact numbers, more power to them.

    4. Re:In my company... by StikyPad · · Score: 2, Funny

      I see your prefrontal lobe is intact.

  9. Some carriers handle this properly by achurch · · Score: 4, Informative

    NTT DoCoMo, in Japan, has a little hole-punch-like device they use to destroy the internal memory chip when you give your phone back, and best of all they do it right there on the spot: you give them your old phone, and they stick it in the device and go "crunch!" Of course, I haven't actually seen the schematics for any (much less all) of the DoCoMo phones so I could theoretically be being fooled, but given the nearly paranoid attitude among Japanese these days over personal information, I doubt DoCoMo would take that risk.

  10. Bah by Cervantes · · Score: 4, Insightful

    I want to blame the sellers for being idiots and not properly clearing their devices... but really, it's the manufacturers who need to be clearer. Having different kinds of "wipes" on a device but not labelling them differently is just plain stupid. There needs to be one option called "quick reset", and another called "Secure Wipe - You will lose everything forever, are you really sure???" and then have 5 queries after it. It's bad when a consumer gets misled by thinking "wipe" means "wipe", but I've had devices where I've found that my "wipe" wasn't total either, and it's because the manufacturer is misleading with their instructions.

    That said, I remember the good old days, when you didn't loan out your floppies without running a wipe program on them... otherwise the boys found your 'secret stash' that you just deleted.

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
    1. Re:Bah by VirusEqualsVeryYes · · Score: 2, Funny
      That said, I remember the good old days, when you didn't loan out your floppies without running a wipe program on them... otherwise the boys found your 'secret stash' that you just deleted.
      You might want to rethink your life if your "secret stash" fits on a single floppy...
    2. Re:Bah by cryfreedomlove · · Score: 2, Insightful

      This is a free market society. Why don't you create a cell phone manufacturing company that's very clear about how to wipe a phone? If the market wants or needs this then you'll get rich.

      Personally, I think 99% of the negligence belongs with the consumer who is trying to eke a few pennies out of their old phone.

  11. Conflicting reports by solevita · · Score: 2, Interesting

    "Police expert admits mobile phone forensics barrier"

    As posted to the internet just last month:

    "A police digital forensics expert has admitted that some mobile phones are impenetrable to software used by police in forensic examinations. The revelation follows a paper by a Cambridge researcher which originally made the claim."

    http://www.theregister.co.uk/2006/07/07/mobile_phone_forensics_barrier/

    1. Re:Conflicting reports by Frogular · · Score: 2, Informative

      Also in the article:

      "Mansell pointed out that time-consuming manual examination can still retrieve phone data."

      All they're saying is that non-standard formats make it harder to lift information - it's still there. Just like it's harder to recover lost data on ReiserFS than it is on ext2. It's still there, but the filesystem makes it a little more confusing.

      Anyway, this should become less of a problem as manufacturers settle on a few standard formats to cut costs.

  12. once erased, it can also come back.. by searchr · · Score: 5, Interesting

    I bought a "smart" phone off eBay, it was a good deal, works great. Turns out the old user was a doctor. I know this because, even though he had figured out how to erase his messages and crap, the thing was set up on his hospital's corporate wifi email system, with portable Outlook. The first time I got online (do you know how cool it is that all the pubs in my neighborhood have free wifi now? it's very cool.) It reached out and REFILLED the inbox with hundreds of VERY personal emails (his and his patients), including attachments.

    I have no idea what any of the xrays were trying to show me, but he seemed pretty concerned about some spots in a couple of them. I thought it was cool I could zoom in on them with my phone. Man I hope copies are being kept on the server...

  13. NIST review of available tools: by solevita · · Score: 2, Informative

    More details than CNN

    "This report gives an overview of current forensic software, designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations."

    http://csrc.nist.gov/publications/nistir/nistir-7250.pdf

  14. Funny story... by JourneyExpertApe · · Score: 2, Interesting

    I accidentally broke my old phone, and I wasn't due for an "upgrade" from my provider, so I had to buy a new one. When I got my "new" phone for around $120 dollars, I promptly installed my SIM card only to find that, in addition to my address book, I also had several listings for people I didn't know. My first thought was that these were numbers of associates at the phone store, preloaded in case I had any problems, but after examining the body of the phone and discovering scratches, I realized, to my dismay, that this was a second-hand phone. When I brought it back, I got the feeling that they didn't really want to replace it with a new one, but there just happened to be another customer buying a dozen or so phones for his business, so they really had no choice.

    I always wondered what would have happened if I had called those people in the phone's memory to try to find out whose phone I had.

    --
    If you can read this sig, you're too close.
  15. big deal.. by Mister+Whirly · · Score: 2, Funny

    If anyone wants your calling info, they can just ask the NSA... (or steal one of their unencrypted, non-password protected laptops...)

    --
    "But this one goes to 11!"
  16. What a surprise, Delete doesn't Delete by Robbyboy · · Score: 5, Insightful

    It really makes you wonder where the knowledge gap occurs. Many people know that when you delete files from a computer that they are not really deleted and they could be restored. How could they miss the connection? If you've seen one microchip, you've seen them all. Be afraid, be very afraid...

    But anyway, who in their right mind would put sensitive information on a medium that its user can lose control over? (Let's overlook the computers that the government has been misplacing with everyone's social security numbers for a split second) You (generally) wouldn't let someone use your computer if it has information that you do not want them to see, why should a cellular telephone be any different?

    Next thing you know someone will be surprised at the ability to intercept bluetooth. Someone will be transmitting sensitive information via bluetooth and some buck tooth 14 year old will be around the corner to intercept it...

    In closing, since people did not know that their data does not necessarily go away, did you know that if you do not secure a wireless router, people can potentially intercept information?

    It's a pity you cannot legislate stupidity...

  17. Proper cell phone design... by b0s0z0ku · · Score: 2, Insightful
    would involve keeping all data on a removable compact flash card. When the owner sells the phone, the flash card can either be removed and reused in their new phone, or slagged with Thermite.

    -b.

  18. No trust for the Bells, that's for sure. by twitter · · Score: 5, Interesting

    Even if you take preventive measures to erase sensitive data from devices, you still have mega-corporations who accidentally release sensitive data like a good smelly fart.

    Even when they don't release it publicly, they lack both the competence or will to keep it to themselves. I remember, ten years ago, an acquaintance who taunted a friend with private medical information. She had been a clerk for a debt collection agency and used her access to look up all of her friends. The big dumb companies share things they should not and don't keep tabs on it. Imagine what clerks at ChoicePoint could do, then think of how owned their little windoze terminals are. There's not much real privacy left anymore.

    Cell phones are not free platforms and the owners are some of the most notorious abusers of personal privacy. Almost all of the Baby Bells were too happy to comply when the Bush administration asked them to break the law and tap their customers. Just to get a Cingular phone six years ago, I had to give the creeps monthly access to my credit record! You have to remember that the parent company at one time refused to allow people to plug modems into their network. The babies continue to stonewall broadband to this day. They will do anything and everything to get some crummy little franchises over their users. Your "secrets" are the last of their concerns, except where it can be used for their own marketing purposes.

    My answer kind of sucks, but it works. My cell phone is nothing more. I put names into it because the phone company already knows who I'm talking to. Nothing else goes in. I don't SMS, I will never use their calendars. I resent GPS tracking. I'll never trust their cameras and I'll keep it in a box if I'm ever talking about something sensitive. The damn thing is like a bug in my pocket that can be abused by anyone with the technical wherewithal to pull the wool over the Baby Bells. These days, that's about anyone.

    --

    Friends don't help friends install M$ junk.

    1. Re:No trust for the Bells, that's for sure. by soft_guy · · Score: 2, Funny

      >>you still have mega-corporations who accidentally release sensitive data like a good smelly fart.

      Even when they don't release it publicly, they lack both the competence or will to keep it to themselves.

      That's funny - my wife says the same thing about me farting and I'm not even a corporation!

      --
      Avoid Missing Ball for High Score
    2. Re:No trust for the Bells, that's for sure. by plague3106 · · Score: 2, Insightful

      Even when they don't release it publicly, they lack both the competence or will to keep it to themselves. I remember, ten years ago, an acquaintance who taunted a friend with private medical information. She had been a clerk for a debt collection agency and used her access to look up all of her friends. The big dumb companies share things they should not and don't keep tabs on it. Imagine what clerks at ChoicePoint could do, then think of how owned their little windoze terminals are. There's not much real privacy left anymore.

      If this is true, and in the US, your friend can sue and easily win as sharing medical data is a HIPAA violation, unless she consented. I believe even then however, the requesting party has to have a legitimate reason for the medical data; they can't just ask for it for the hell of it.

  19. Greed, not paranoia by SuperBanana · · Score: 2, Informative

    Of course, I haven't actually seen the schematics for any (much less all) of the DoCoMo phones so I could theoretically be being fooled, but given the nearly paranoid attitude among Japanese these days over personal information, I doubt DoCoMo would take that risk.

    I think greed has more to do with it than anything else; by destroying the phone instead of reselling/recycling/donating it, they protect the market for new phones. If people sold their phones instead of tossing them or letting them be destroyed, then people whose phones died and just simply needed a -working- phone, would be able to get one used instead of having to buy a new one.

    Right now, SIM/provider locks are used to help artificially inflate the 'cost' of phones, and get extra money for providers on the contract side, too. I have an old "legacy" AT&T account that costs me $25/month. My phone is on the fritz, and when I asked about getting a new one from "Cingular", Cingular told me that I'd have to get a different plan. Surprise surprise- the "same" plan from Cingular is well over $30, which means that they're getting an extra $120 a year from me.

    In the case of the article- they're talking about Smartphones with flash-memory devices, where you need to zero out the memory device to assure no data can be recovered, just like you have to zero a hard drive. "Normal" phones don't have any of these issues- and the article neglects to mention this clearly.

    So, just pop the memory card out, pop it into a reader, and run a full format of the card, or just copy a file nearly the same size as the card to it. Done. Nothing to see here, move along, "security research" company scaring people needlessly.

    PS: Your phone contains MANY toxic chemicals that DO NOT belong in a landfill. They MUST be properly recycled or donated. If you're too lazy to have it properly recycled or sell it on ebay, please donate it and its charger to a local domestic abuse shelter, as any cell phone by law must be able to dial 911.
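
The overwrite-and-check step described in the comment above, as an added example that is not part of the thread. A constructed 1 MiB image file stands in for the memory card; the marker string, the function names and the "quick format" (simulated by zeroing only the first 64 KiB) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: quick format vs. full overwrite on a constructed card image.
# Nothing here touches a real device; the "card" is a temporary file.

MARKER="PATIENT-RECORD-CONSTRUCTED-SAMPLE"   # constructed stand-in for user data

make_card() {            # $1 = image path; 1 MiB card with data at offset 512 KiB
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1024 seek=512 conv=notrunc 2>/dev/null
}

quick_format() {         # simulated: rewrites only the first 64 KiB (metadata area)
    dd if=/dev/zero of="$1" bs=1024 count=64 conv=notrunc 2>/dev/null
}

full_overwrite() {       # zero every byte of the image, including a short tail
    size=$(wc -c < "$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs=1024 count=$((size / 1024)) conv=notrunc 2>/dev/null
    rem=$((size % 1024))
    [ "$rem" -eq 0 ] || \
        dd if=/dev/zero of="$1" bs=1 seek=$((size - rem)) count="$rem" \
           conv=notrunc 2>/dev/null
}

marker_present() {       # exit 0 if the old data can still be found in the image
    LC_ALL=C grep -q -F -- "$MARKER" "$1"
}

residual_bytes() {       # number of non-zero bytes left after the wipe
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

demo() {                 # prints: <state after quick format> <state after wipe> <residual>
    img=$(mktemp) || return 1
    make_card "$img"

    quick_format "$img"
    if marker_present "$img"; then after_quick=recoverable; else after_quick=gone; fi

    full_overwrite "$img"
    if marker_present "$img"; then after_full=recoverable; else after_full=gone; fi

    left=$(residual_bytes "$img")
    rm -f "$img"
    echo "$after_quick $after_full $left"
}

demo
```

The check only covers what the card exposes through its normal block interface. Flash controllers remap blocks for wear levelling, so spare or retired blocks can hold old data that neither the overwrite nor this verification reaches.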

  20. Re:I can tell you've never had a cell phone. by jonwil · · Score: 3, Informative

    Here in Australia, you can ring 19xx numbers from cellphones just fine (unless you have a prepaid or other weird account/plan).

  21. I thought we were supposed to be nerds by MjrTom · · Score: 2, Interesting

    Am I the only one here who disassembles cell phones for parts? LCD Screens, vibrating motors. Most things are too entirely small to use, but I do it anyway.

  22. Resetting Palm? by zoftie · · Score: 2, Interesting

    As article said:
    "Palm Inc., which makes the popular Treo phones, puts directions deep within its Web site for what it calls a "zero out reset." It involves holding down three buttons simultaneously while pressing a fourth tiny button on the back of the phone.

    But it's so awkward to do that even Palm says it may take two people. A Palm executive, Joe Fabris, said the company made the process deliberately clumsy because it doesn't want customers accidentally erasing their information."

    They haven't seen kungfoo of emacs users 5 keys to a command ;-)
    2c

    1. Re:Resetting Palm? by supersocialist · · Score: 2, Informative

      This is pure rubbish: to zero-out a Treo 650, all you have to do is hold the power button while pressing reset. When the second Palm logo comes up, release power and hit up on the 5-way to confirm.

  23. Blueberry Blues by geauxtiggers · · Score: 2, Informative

    About two years ago, I traded in my Blueberry for a Treo 600. My friends at the local cellphone shop agreed to sell my Blueberry for me and promised to clear the memory and personal data before doing so. Thru some glitch (I love that word), they didn't get the speed dial numbers erased from the phone. My closest family members and friends went thru a week of getting annoying calls in the middle of the night (the new owner had it in his pocket and every time he sat down, it dialed someone on the list), before we finally realized what was happening. Thankfully he sat on it one too many times and cratered the screen on the unit in just under two weeks. When they finally got the unit back, it was destroyed beyond repair. I should have done that in the first place. Live and Learn, eh?

  24. Why sell? by Kuvter · · Score: 3, Insightful

    What's wrong with this world, why are you selling a cell phone when it still works? If it works for you, keep it. I think you're just wasting money on a new phone that you don't need. Keep your phone and keep your privacy, until it breaks; then dispose of it accordingly.

    --
    "To be is to do." --Socrates
    "To do is to be." -- Aristotle
    "Do-Be-Do-Be-Do..." --Sinatra
  25. (Nokia) IntelliSync Device Manager by gjh · · Score: 2, Informative
    This is going to read like an advert however I phrase it. I *do* work for Nokia on this product. I don't think I am unreasonably biased.

    The industry is already aware of the problem and has solved it.... the answer is:

    Nokia/IntelliSync Device Manager OMA

    You buy a per device license and you can then use the licenses in any ratio between the Professional Edition (which specializes in PDA management) and the OMA edition which specializes in phones. With the OMA edition - for which I developed the training class - you can establish a secure trusted connection to the handset. A 4-digit hex fingerprint is required to avoid MITM. From that point on - any action can be carried out by the central administrator without further user intervention, including application installation, settings, inventory, and a complete device wipe. Available applications include Blackberry and 4-5 other email solutions, Norton AV, and Pointsec flash disk encryption.

    The problem is not the technology; the technology is HERE. The problems are:
    1. Persuading business to organize their handsets with the same zeal as their PCs
    2. Selling this kind of thing through cell operators - who have a vested interest in you using your handset LESS cost effectively.