Wiping a Smartphone Still Leaves Data Behind
KindMind writes "To probably no one's surprise, wiping a smartphone by standard methods doesn't get all the data erased. From an article at Wired: 'Problem is, even if you do everything right, there can still be lots of personal data left behind. Simply restoring a phone to its factory settings won't completely clear it of data. Even if you use the built-in tools to wipe it, when you go to sell your phone on Craigslist you may be selling all sorts of things along with it that are far more valuable — your name, birth date, Social Security number and home address, for example. ... [On a wiped iPhone 3G, mobile forensics specialist Lee Reiber] found a large amount of deleted personal data that he recovered because it had not been overwritten. He was able to find hundreds of phone numbers from a contacts database. Worse, he found a list of nearly every Wi-Fi and cellular access point the phone had ever come across — 68,390 Wi-Fi points and 61,202 cell sites. (This was the same location data tracking that landed Apple in a privacy flap a few years ago, and caused it to change its collection methods.) Even if the phone had never connected to any of the Wi-Fi access points, iOS was still logging them, and Reiber was able to grab them and piece together a trail of where the phone had been turned on.'"
Did the previous owner use the "erase all content and settings" feature of that phone, or just restore it? That would have been using the built-in tool and would have overwritten the data. http://support.apple.com/kb/ht2110
Most decent cell phones have built-in encryption which wipes the phone by simply deleting the built-in keys. Some cheap-ass droids and the 'feature-phones' may not have it built-in but it's fairly easy to wipe a phone that has the feature.
Of course, if you use the wrong methods (such as simply 'restoring' the phone) or use unencrypted external media, not much is going to help you. If you really need to get rid of your data (e.g. in an enterprise environment) I would hope those in charge of the devices would know how to configure and manage the phones correctly so they can be remotely wiped, etc.
Custom electronics and digital signage for your business: www.evcircuits.com
The key line: "On a wiped iPhone 3G"
Starting with the iPhone 3GS, iOS encrypts everything with a random AES256 key. When you say to wipe the device, it erases that key, rendering everything else unusable. This is mentioned in the article, but downplayed. It's been a long time since you could even buy an iPhone 3G, so it seems alarmist to bring it up now.
http://blog.itsecurityexpert.co.uk/2011/10/securely-wiping-your-personal-data-from.html
Did the previous owner use the "erase all content and settings" feature of that phone, or just restore it? That would have been using the built-in tool and would have overwritten the data. http://support.apple.com/kb/ht2110
The author used the last iPhone (3G) running the last iOS version (4) that would exhibit such behavior. It seems a contrived test.
An upgrade to iOS 5 would fix the problem on the 3G. On newer phones the encryption key needed to access the data is destroyed, so the problem never would have occurred.
I'd be more interested to see if he can still do it on a newer model. The earlier models of iPhones were well known to have poor security.
Well, it has never been successfully tested.
EXACTLY. Wish my mod points hadn't expired.
With iOS it certainly isn't. Note the iPhones used in the article were deliberately selected to be very old. iPhone 3G.
With newer iPhones, every single byte is written using a hardware based encryption key. AES-256. Wiping the phone involves deleting just the key. At that stage none of the phone's data is recoverable. Not by anyone.
Some napkin math, assuming he purchased the phone in July 2008 when 3G went on sale, and it's been in use constantly for the last 57 months ... and ball-parking 30 days/month ... he hit 40 Wi-Fi points and 36 cell towers every day.
Even with the assumption that these are not unique access points (i.e. his home WiFi is counted 3 or 4 times a day, depending on how often he comes and goes) ... that's still an insane number. If we change the time-frame to 2 years, roughly the average lifespan between upgrades, he's up to 95 WiFi points per day.
Quite the busy bee.
This signature is false.
The article makes no mention of WHICH Android revision each of the given phones tested was using.
It was a known problem with Gingerbread and earlier that the wipe method used by most Android devices was insufficient. That's why Google added secure erase prior to reformat with ICS (maybe HC too, not sure...)
https://android.googlesource.com/platform/system/extras/+/c2470654d4b4db09a7052fc5fa108ac21f1b1948
Interesting result of this: Samsung's eMMC chips that were shipped in the Galaxy S II and original Galaxy Note couldn't handle this secure erase command properly, and using a standard "secure" wipe had a pretty good chance of corrupting the wear leveller so badly the chip would be rendered useless. (Samsung's own recoveries were "neutered" so as not to issue a secure erase command.)
TL;DR - Unless crippled by the manufacturer, any recent Android device (ICS or newer) should not have any of the issues with data remaining easily recoverable after a wipe described by this article. LG didn't do anything special here - they just implemented ICS or later and that's all that was needed.
retrorocket.o not found, launch anyway?
More than just contrived, it is very intellectually dishonest...
The author used the last iPhone (3G) running the last iOS version (4) that would exhibit such behavior. It seems a contrived test. An upgrade to iOS 5 would fix the problem on the 3G. On newer phones the encryption key needed to access the data is destroyed, so the problem never would have occurred.
Sorry, but the iPhone 3G tops out at version 4.1.2. The 3GS, on the other hand, does have support for iOS 6, if I remember correctly.
Even with the assumption that these are not unique access points ... that's still an insane number. If we change the time-frame to 2 years, roughly the average lifespan between upgrades, he's up to 95 WiFi points per day.
If the wifi points are non-unique, 100 wifi points per day would be downright easy to achieve. I probably pass far more than that on the way to and from work each day on the bus.
Remember, it's not "how many networks have you connected to" but "how many have come in range of your antenna."
Unique points would be a lot harder to hit, but as someone else points out, you could probably rack up access points very quickly in a metropolitan area.
Only if you are so stupid that your PIN is only 4 numbers and you allow unlimited retries. I am pretty sure iOS now makes the retry interval longer and longer to avoid this attack.
They just brute force it, that is not anything special.
Which begs the question: "How do blind people know when to stop wiping?"
Solving Unix problems since 1989...
As others have pointed out, the iPhone 3G topped out at iOS 4 (and that's if you can't deal with how slowly it ran). Even if it could run iOS 5, you neglected the possibility that the person could have sold the phone before iOS 5 even came out. My iPhone 3G definitely had no such erase option and since the damn phone refuses to mount like a proper USB device, I was not able to use software from my laptop to securely wipe the phone before selling it. Oh well, at least I haven't had my identity stolen yet.
After erasing the contents fill the 3G with music to overwrite, then erase again?
But you're assuming that everyone who had an older phone ran out and ditched it the moment the new ones came out and thus there are no older iPhones with older software in use.
Oh wait... we're talking about Apple. Ok, yeah, everyone DID immediately ditch their old phone the moment the new model came out. Never mind.
This space available.
If you have it set, the device PIN unlocks the AES key that decrypts the phone's filesystem.
If you allow unlimited guesses at the PIN, you can unlock the AES key and decrypt the filesystem.
If you erase the phone (reset all content and settings) the phone securely wipes its AES key - the filesystem is from that point forwards nothing more than random data. If you have an attack against AES256 then you stand a chance at recovering something, but you don't...
There's no use in guessing the PIN as the encryption key that the PIN unlocks has been erased.
Specialist Mac support for creative pros, Melbourne
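The key hierarchy described in the comment above (the PIN unlocks a key, and erasing destroys that key), as an added example that is not part of the thread and not Apple's implementation. The `Phone` class, its method names, the sample data and the SHA-256 counter-mode keystream standing in for AES-256 are assumptions for illustration; the hardware-bound key mentioned elsewhere in the thread is left out of the model.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256 (the stdlib has none): SHA-256 in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Phone:
    """Constructed model: bulk flash holds ciphertext, a small key store holds the wrapped key."""

    def __init__(self, pin: str, user_data: bytes):
        volume_key = os.urandom(32)            # random data key, never stored in the clear
        self.salt = os.urandom(16)
        wrap_key, mac_key = self._derive(pin)
        self.wrapped_key = keystream_xor(wrap_key, volume_key)
        self.tag = hmac.new(mac_key, self.wrapped_key, hashlib.sha256).digest()
        self.flash = keystream_xor(volume_key, user_data)

    def _derive(self, pin: str):
        # PIN -> 64 bytes: first half wraps the volume key, second half authenticates it
        k = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 10_000, dklen=64)
        return k[:32], k[32:]

    def read(self, pin: str):
        """Return the plaintext, or None if the PIN is wrong or the key is gone."""
        if self.wrapped_key is None:
            return None                        # nothing left for any PIN to unlock
        wrap_key, mac_key = self._derive(pin)
        tag = hmac.new(mac_key, self.wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.tag):
            return None
        return keystream_xor(keystream_xor(wrap_key, self.wrapped_key), self.flash)

    def erase_all_content_and_settings(self):
        """Crypto-erase: destroy only the wrapped key; the bulk flash is not rewritten."""
        self.wrapped_key = self.tag = None

if __name__ == "__main__":
    data = b"constructed sample: contacts.db, wifi locations, mail cache " * 4
    phone = Phone("4821", data)
    print(phone.read("4821") == data, phone.read("0000"))
    phone.erase_all_content_and_settings()
    print(phone.read("4821"), data in phone.flash)
```

The flash contents are byte-for-byte identical before and after the erase; what changes is that no PIN, correct or not, has a key left to unlock.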
Quick, someone tell 2008 that they have a problem with phone security.
I tried to call the iPhone owners but they were all on AT&T and had no reception.
Then I tried to call all the Android owners but their batteries were all dead...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This was to prove that selling your OLD PHONE can raise security issues
Only the State obtains its revenue by coercion. - Murray Rothbard
I just talked to the forensics guys I know, I was wrong. And you are correct.
After erasing the contents fill the 3G with music to overwrite, then erase again?
Pretty sure the filesystem in iOS can have partially empty blocks. I'd make a copy of my music, then run find . -type f -print0 | perl -n0e 'truncate($_, -s $_ >> 13 << 13)' to make sure that all the files were rounded off to 4096 bytes first.
I just thought to check for apps that wipe storage, there are several. I should have known there was an app for that. :-)
I guess I didn't make myself clear...Let me rephrase:
If you destroy your 1st Android phone and obtain a second one, there's no way of removing any reference to the 1st phone from Google Play. Or is there? I have 7 devices listed, six of which I no longer own. How do I prevent them (the six I no longer use), from getting listed on Google Play? Got it?
Actually, I was wrong, I misunderstood some things. Not afraid to admit I was wrong.
In the 26 years I have had email and 12+ years I have had a smartphone I have never, EVER sent or received an email with my social security number in it.
This fear is a capital F in FUD.
Do not look at laser with remaining good eye.
Once again, blackberries solved this problem about 10 years ago (or more).
If you want real, audited, certified security, get a blackberry.
If security isn't important to you, android & iphone are fine.
Sadly, most people are in the latter category.
Retry interval and retry count are irrelevant if you just read the data directly from the flash chip. That's one interface in the iPhone that is completely open and standards based.
"Will it blend?"
Rick B.