Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos

An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more.. personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."

Where the fault lies?

[PC_THE_GREAT]

When someone says reset phone and reset data, the OS should ensure a clean wipe not a soft wipe. Should atleast fill it with 0s. And people should try to keep most of their data on sd cards and move those alongs when they get new phones.

What kind of people sell sd cards along with phone. I thought everyone are misers.

Am tempted to know what kind of nudie pics where available :p.

Re:Where the fault lies?

[tlhIngan]

But how many people actually reset phone and reset data? I'd imagine a lot of people simply manually delete their photos and unhook their Internet accounts from the phone. Hardly a wipe.

But it's so easy to do on iOS. You can do it on the phone - Settings->General->Reset

And it wipes the phone - the flash storage is encrypted. Resetting it wipes the key and generates a new one. It then reboots and reformats the user storage using the new key and mounts it. The old data is irrecoverable because the key is lost, and the new data is written using a new key.

Even prior to encrypted storage, iOS3 created the option to do it where it erases and wipes the storage - anything 3GS and newer wipes keys (so wiping takes a couple of minutes), older ones took a couple of hours.

No reason Android can't do the same - either by sending TRIM commands to the entire user storage area and then forcing a write-all-with-zeroes to be doubly sure.

Re:Where the fault lies?

[MyFirstNameIsPaul]

I would not trust an encryption method as a replacement for permanent data destruction, but I may be more paranoid than most.

Re:Where the fault lies?

[Razed+By+TV]

I think you're looking at it from the wrong angle. For general purpose phone use, encryption is reasonable. But for the purposes of permanent deletion, why rely on encryption when you could just shred the data and be done with it once and for all?

Who's at fault for this?

[SeaFox]

Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger.

How many people actually have the ability to securely wipe data on their phone to start with, without rooting it? For lots of folks, the "factory reset" option is the only thing they can do on their own, and that likely only deletes prefs and network settings and erases file system directory info. It does not overwrite the bits in the phone's storage to make them unrecoverable.

Re:Who's at fault for this?

[Mr0bvious]

As stated above this really should be an inbuilt OS feature - "Reset for resale"

It shouldn't take an understanding or knowledge of the intricacies of how the device works or how to properly erase data. It should be automatically done by the OS since most phone users do not know how to do it properly.

Re:Who's at fault for this?

[baenpb]

Agreed, but the money's not there. This promotes resale, which takes away from apple's.....i mean...the phone manufacturer's....bottom line.

Garbage In

[mfh]

Mobile industry is afoul with moral hazard. They simply don't care about their clients because they only want to get paid once and then milk the clients for information.

Google's Android phones flat out REFUSE to uninstall Facebook, for example.

Users do not have control because we're experiencing what Oligarchy feels like.

Some of us remember what it was once like when you wanted to buy something and they would kiss your ass and make you at home while you were shopping. If you had any problems they would bend over backwards to serve you. That mentality is dead in the goods & service industry.

We are approaching the dusk of the psychopathic corporation era. Nothing after that folks. Thanks for playing.

Re:Garbage In

That's the carrier's doing

Re:Only Android?

[exomondo]

They don't mention if any of the devices were using Android's full device encryption either or which of the devices they recovered deleted data from rather than just receiving a phone where the user had forgotten to delete their data. Seems less like a study and more like a sales pitch.

Can't we just say people took naked pics?

[Vellmont]

Why do we still talk like we're in middle school? Why the code talking? "personal pictures", "manhood"? Can't we just say they found pictures of guys penises, and nude to semi-nude women?

People take nude photos of themselves, don't realize it's still on the phone, and sell the thing. The fault lies with the cell phone makers who aren't actually doing real deletes of pictures. That's just dumb. Back when storage medium was on a hard drive, and computers do a LOT of IO, deleting the reference to the file made sense to improve performance. But all phones use flash as storage, and there's simply not a lot of IO that's going on in your typical phone usage. The OS should be wiping the file, or at the very least remove the reference, and wipe the file at a later (but soon) time after (like perhaps while the user is typing something and is otherwise idle).

The reality is phones get stolen, and the data is far less secure than on a PC. The OS needs to keep up with that. Deleting data for good should mean actually deleting the data. The shortcuts that've been done in the past should be a thing of the past.

This post is an advert

[mendax]

This article is good reading in itself but it wound up being an advert for the poster's product. I wonder how much Dice got paid to post this "story"? Is it any wonder I spend more time over at soylentnews.org, the name of which I was going to bury in a link but couldn't because the link gets replaced with "slashdot.org"?

Re:"What to do before selling or giving away your.

[L4t3r4lu5]

Well no, it doesn't. You've contradicted yourself. What iOS does is delete the encryption key, as you stated, which renders the data inaccessible without recovering the key. The data is still entirely intact; Just really, really hard to recover :)