Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos
An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or Craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more... personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."
How much of it was child porn?
When someone says reset phone and reset data, the OS should ensure a clean wipe, not a soft wipe. Should at least fill it with 0s. And people should try to keep most of their data on SD cards and move those along when they get new phones.
:p.
What kind of people sell SD cards along with the phone? I thought everyone was a miser.
Am tempted to know what kind of nudie pics were available
Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger.
How many people actually have the ability to securely wipe data on their phone to start with, without rooting it? For lots of folks, the "factory reset" option is the only thing they can do on their own, and that likely only deletes prefs and network settings and erases file system directory info. It does not overwrite the bits in the phone's storage to make them unrecoverable.
good job guys, now many more people will download and install your app. way to go!
Does the same thing occur with iPhones or Windows Phones or Blackberrys?
I bought ~40 used iPhones off eBay and at least 12 of them were still logged into social media accounts (Facebook, Twitter, Instagram, Snapchat) and had thousands of photos and videos. I did not see any nudes but I did have fun with some of their profiles.
So taking out the SD card and a factory reset is not enough anymore? But how do you run DOD quality data wiping software on a phone's built-in memory anyway? Most people hock phones and they are re-sold with phone numbers still on them. That should not happen. Let alone personal photos.
liberare massarum ex ignorantia, clausa descendit molestie.
Mobile industry is afoul with moral hazard. They simply don't care about their clients because they only want to get paid once and then milk the clients for information.
Google's Android phones flat out REFUSE to uninstall Facebook, for example.
Users do not have control because we're experiencing what Oligarchy feels like.
Some of us remember what it was once like when you wanted to buy something and they would kiss your ass and make you at home while you were shopping. If you had any problems they would bend over backwards to serve you. That mentality is dead in the goods & service industry.
We are approaching the dusk of the psychopathic corporation era. Nothing after that folks. Thanks for playing.
The dangers of knowledge trigger emotional distress in human beings.
Install the Adblock Plus add-on into Firefox. Blocks many of the advertisements.
Yes, most devices we use don't actually wipe the data when you "reset to factory settings". Even desktop OSes don't do it (either by default or at all, need special tools, etc.). I bet this feature is really low on the "to do" list for most manufacturers of not only phones but also wifi routers, TVs, wireless cameras, you name it. We didn't (or maybe barely) manage to educate them not to put trivial backdoors, secure wipe is a long way out.
Agreed, I use the adblock plus addon with 3 subscriptions and almost never see any ads anywhere. It's fucking great! :-)
Why do we still talk like we're in middle school? Why the code talking? "personal pictures", "manhood"? Can't we just say they found pictures of guys' penises, and nude to semi-nude women?
People take nude photos of themselves, don't realize it's still on the phone, and sell the thing. The fault lies with the cell phone makers who aren't actually doing real deletes of pictures. That's just dumb. Back when storage medium was on a hard drive, and computers do a LOT of IO, deleting the reference to the file made sense to improve performance. But all phones use flash as storage, and there's simply not a lot of IO that's going on in your typical phone usage. The OS should be wiping the file, or at the very least remove the reference, and wipe the file at a later (but soon) time after (like perhaps while the user is typing something and is otherwise idle).
The reality is phones get stolen, and the data is far less secure than on a PC. The OS needs to keep up with that. Deleting data for good should mean actually deleting the data. The shortcuts that've been done in the past should be a thing of the past.
AccountKiller
This article is good reading in itself but it wound up being an advert for the poster's product. I wonder how much Dice got paid to post this "story"? Is it any wonder I spend more time over at soylentnews.org, the name of which I was going to bury in a link but couldn't because the link gets replaced with "slashdot.org"?
It's really quite a simple choice: Life, Death, or Los Angeles.
Really?! Hackers?
Who fills out a loan application on a phone? That has got to be the most painful web experience ever!
"resetting" your phone to manufacturer settings doesn't wipe any data. Even manually "deleting" it and then "resetting" the phone doesn't do that. It merely marks the flash memory in the phone to be "reusable".
The only way to make sure the data is gone is to fill the phone up with garbage data after you've done a factory reset so there is something else written to the flash memory. After you've filled it up to the last bit, do another factory reset and you will be as close as you can get without destroying the physical device to wiping your data properly.
I was promised a flying car. Where is my flying car?
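The behaviour described in the comment above (a reset that only marks storage as reusable, followed by filling the storage with garbage), as an added example that is not part of the original thread. `ToyFlash` and its method names are a constructed in-memory model; it does not model wear leveling or spare blocks on real flash.

```python
import os

BLOCK = 512
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start / end markers

class ToyFlash:
    """Constructed model: raw storage plus a name -> (offset, length) index."""
    def __init__(self, blocks=64):
        self.image = bytearray(blocks * BLOCK)
        self.index = {}        # file system metadata
        self.next_free = 0

    def write_file(self, name, data):
        off = self.next_free
        self.image[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free = off + -(-len(data) // BLOCK) * BLOCK  # round up to a block

    def factory_reset(self):
        """Soft wipe: metadata is dropped, the data blocks are left untouched."""
        self.index.clear()
        self.next_free = 0

    def fill_with_garbage(self):
        """Overwrite every block so nothing of the old contents remains."""
        self.image[:] = os.urandom(len(self.image))

def carve_jpegs(image):
    """Signature-based recovery: ignore metadata, scan raw bytes for SOI..EOI."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        end = image.find(EOI, start + len(SOI))
        if end == -1:
            break
        found.append(bytes(image[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

def demo():
    # Constructed stand-in for a photo: JPEG markers around dummy payload bytes.
    photo = SOI + b"\xe0" + b"constructed-sample-pixels " * 40 + EOI
    phone = ToyFlash()
    phone.write_file("DCIM/0001.jpg", photo)
    phone.factory_reset()
    after_reset = photo in carve_jpegs(phone.image)   # still recoverable
    phone.fill_with_garbage()
    phone.factory_reset()
    after_fill = photo in carve_jpegs(phone.image)    # overwritten
    return after_reset, after_fill
```
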
This article motivated me to take a picture of my manhood, just in case i decide to sell my phone some day.
... by the time I am ready to get a new phone, it's not worth the time to even post on eBay, toss that shit in the wood chipper (minus battery)...
You could do something more worthwhile with it, too.
That's a good start, but I doubt it overwrites any data - this *seems* like a soft delete and I'd expect one could still get the original data (??)
It'd also be nice if Android had such a feature built in.
Never happened. True story.
Nope... Apple iPhones actually securely erase the encryption keys, which renders the contents of the storage useless.
It's a big button called "Erase All Contents and Settings". It does precisely that.
Uninstall flash.
So no one knows you had the Grinder app installed?
By the time it is old it is worthless. Just smash it up and throw it in the river.
They have circumvented a protection measure, that is wiping the phone - a faulty protection measure, but that doesn't matter, as history taught us if you find holes and publicize them, no matter the responsibility of the manufacturer, you are a terrorist!
Moreover, it is clear they have an interest in selling their own protection products, and that they have given bad ideas to people who normally would have started using the second hand phone and overwriting the crap with their own crap.
So why doesn't avast end up in trouble like $RANDOM_HACKER ? Huh?
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
Seems Apple have done it right, thanks for the heads up.
Obviously I'm rather ignorant regarding storage on iOS devices - I didn't realise that all data was encrypted by default (does that include images etc?).
Never happened. True story.
You mean like an iPhone? (as stated several times elsewhere on this thread).
I was wondering why someone would buy 20 crappy phones from me on eBay.
Just kidding. I take all my dirty pictures with a Polaroid. :)
Serious? Seriousness is well above my pay grade.
Why didn't they test iPhones, too? Oh right. Because they encrypt their filesys by default and if you throw away the key before selling the buyer is locked out.
But it would be interesting to know if this really works for all the installed apps as well as for the system services.
Microsft spel chekar vor sail, worgs grate !!!
Well no, it doesn't. You've contradicted yourself. What iOS does is delete the encryption key, as you stated, which renders the data inaccessible without recovering the key. The data is still entirely intact; Just really, really hard to recover :)
Finally had enough. Come see us over at https://soylentnews.org/
Seriously - you're a tosser and a coward.
But thanks for pointing out what I missed.
Tosser.
Never happened. True story.
How is this not a violation of the Computer Fraud and Abuse Act (CFAA)? They bypassed security measures (deletion) to access someone else's personal information without authorization. Given how broadly this has been interpreted in the past (Andrew Auernheimer was prosecuted for visiting public URLs on the Internet), Avast's act clearly should be considered a violation. Or is this a case of "if a corporation does it, it is not illegal"?
that you knew enough to wipe those copies of the keys yourself. I mean, EVERYONE knows that key lives in that directory right? Anyone who really CARED about the product would know enough to learn about it.
Unless you have the backdoor key
Korma: Good
If Google is suddenly perceived as untrustworthy, there will be great market pressure for Android without Play, or any other Google products. For Google's balance sheet, I hope they have not been foolish.
Although the factory reset option hands the request off to the recovery partition after a reboot, so clockworkmod or the equivalent would be responsible for making this happen.
No, I just didn't like his pompous righteous attitude and unnecessary insults.
There's more than one way to point out that someone overlooked a detail (or failed at reading comprehension) without being an arse about it.
Never happened. True story.
Required tools:
1.) Goggles
2.) Hammer.
It little behooves the best of us to comment on the rest of us.
This is an issue in general today. I get a lot of laptops given to me that people think are beyond repair (at least that's what Best Buy "geek" squad told them). First thing I do is pull the hard drive and check it. 98% of the time it is completely functional and has ALL of their info on it. I always wipe and begin the rebuild of the computer, but this is all to say people seem to be completely ignorant of the fact that the hard drive needs to be wiped. Just 'cause it didn't power on doesn't mean your data is lost. I also get computers and parts given to me by people I know at electronic recycling centers and the same is true. When I think of the amount of devices being recycled these days you realize there is a wealth of data just waiting to be accessed by the wrong people in these electronic recycling centers. People NEED to be educated on data storage and the need for its destruction before getting rid of ANY device where it was used.
Simple (only tens of thousands of lines code needed, hehheh). You program a Full Secure Erase feature in the phone. It wipes all personal data, resets all the settings, removes user-installed apps, deletes caches and erases the memory card. All the jazz. Filling with zeroes is used where appropriate. Then the phone is put into OOBE (out-of-box experience) mode, which means that on next startup it says "Hey, I see you are using the phone for the first time, let's set up a couple of things."
Make this a de-facto standard feature on every smartphone. You probably want to password-protect the operation so that thieves cannot exploit it so easily to "anonymize" the phone.
Then you just advocate folk about the risks and why using this "FSE" feature is important before selling your phone.
The data is still entirely intact; Just really, really hard to recover :)
unless you are the NSA that is
have you seen my sig? there are many others like it but none that are the same
How do they throw away the keys? If they're just zeroing the area with the identity/security info it might not be that much more secure.
That said, scrambling the stored keys *and* zeroing the storage space is probably the best solution.
I'm sure there's a Kernel of Truth in this article and if I found it I'd run it on my old Laptop Of Doom. But if Avast told me the sun was shining I'd have to take a walk to the nearest window before believing it. Seriously. This just reads like exaggerated marketing FUD for their Android app.
Not intended as a jibe at the contributor of this article, of course, but rather a jibe at the world at large. When camera phones became common enough to get thrown away, I remember doing the exact same thing with dumpster-dived mobile phones. (I was a teenager at the time, with a customary deficiency of both moral scruples and better things to do.) Surely, anyone who has ever salvaged or otherwise second-handed any form of storage device already knows that people are notoriously bad at wiping. Now and again this resurfaces in the public eye in the form of a news article or similar. Despite this, it continues to be a problem. Why? Why aren't people learning? Why does this news topic refuse to age?
I was retaliating to his poor behaviour, probably not the best form but not quite the same as his unprovoked insults.
Never happened. True story.
Just ask to friend the former owner on Facebook. A lot easier and you'll get more data.
Did iPhone not give up any info?