Slashdot Mirror

← Back to Stories (view on slashdot.org)

Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos

Posted by Soulskill on from the delete-then-rewrite-then-smash-into-bits dept.

An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more.. personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."

38 of 231 comments (clear)

  1. Where the fault lies? by PC_THE_GREAT · · Score: 3, Insightful

    When someone says reset phone and reset data, the OS should ensure a clean wipe not a soft wipe. Should atleast fill it with 0s. And people should try to keep most of their data on sd cards and move those alongs when they get new phones.

    What kind of people sell sd cards along with phone. I thought everyone are misers.

    Am tempted to know what kind of nudie pics where available :p.

    1. Re:Where the fault lies? by tlhIngan · · Score: 4, Insightful

      But how many people actually reset phone and reset data? I'd imagine a lot of people simply manually delete their photos and unhook their Internet accounts from the phone. Hardly a wipe.

      But it's so easy to do on iOS. You can do it on the phone - Settings->General->Reset

      And it wipes the phone - the flash storage is encrypted. Resetting it wipes the key and generates a new one. It then reboots and reformats the user storage using the new key and mounts it. The old data is irrecoverable because the key is lost, and the new data is written using a new key.

      Even prior to encrypted storage, iOS3 created the option to do it where it erases and wipes the storage - anything 3GS and newer wipes keys (so wiping takes a couple of minutes), older ones took a couple of hours.

      No reason Android can't do the same - either by sending TRIM commands to the entire user storage area and then forcing a write-all-with-zeroes to be doubly sure.

    2. Re:Where the fault lies? by MyFirstNameIsPaul · · Score: 4, Insightful

      I would not trust an encryption method as a replacement for permanent data destruction, but I may be more paranoid than most.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    3. Re:Where the fault lies? by gnasher719 · · Score: 3, Funny

      When someone says reset phone and reset data, the OS should ensure a clean wipe not a soft wipe. Should atleast fill it with 0s. And people should try to keep most of their data on sd cards and move those alongs when they get new phones.

      There's one phone that just throws away the encryption keys, which are never stored anywhere than on two locations on the hard drive (in encrypted form), so only these two locations need to be wiped. That phone also has the ability to access a small amount of flash memory directly without the firmware interfering, to make sure that no invisible copies of those keys are created. Well, it's not Android...

    4. Re:Where the fault lies? by Razed+By+TV · · Score: 4, Insightful

      I think you're looking at it from the wrong angle. For general purpose phone use, encryption is reasonable. But for the purposes of permanent deletion, why rely on encryption when you could just shred the data and be done with it once and for all?

    5. Re:Where the fault lies? by Lumpy · · Score: 2

      He has a special edition otterbox case that is filled with C4 explosives. if the phone gets more than 6 feet from him it detonates. sadly he goes through about 40 phones a year.

      --
      Do not look at laser with remaining good eye.
    6. Re:Where the fault lies? by BasilBrush · · Score: 4, Interesting

      Because throwing the keys away on an encrypted drive is more secure than overwriting an unencrypted drive with zeros, as the data recovery experts will be glad to tell you.

    7. Re:Where the fault lies? by jandrese · · Score: 2

      Uh, the factory reset doesn't wipe the storage on the phone. These phones that were bought off of eBay were probably factory wiped (people aren't quite as dumb as advertised), but the issue is that Factory Wipe doesn't do what people think it does.

      --

      I read the internet for the articles.
    8. Re:Where the fault lies? by SecurityGuy · · Score: 2

      Encryption that works now can be broken a year from now

      Not remotely. If you find 256 bit AES broken in a year, let us know.

    9. Re:Where the fault lies? by vux984 · · Score: 2

      Because throwing the keys away on an encrypted drive is more secure than overwriting an unencrypted drive with zeros, as the data recovery experts will be glad to tell you.

      But that's a false choice. There is a 3rd option... do both.

      Take your most private information, encrypt it, and put it on a flash drive.

      Then go and sell or give that flash drive away to someone else.

      Are you really going to say... well they don't have the keys, so we're good. Here you go. And hand them all your data intact (but encrypted).

      Or would you maybe just maybe think, yeah its encyrpted... but why tempt fate? Maybe I'll erase it first.

      I mean is there any good reason NOT to erase it first?

  2. Who's at fault for this? by SeaFox · · Score: 3, Insightful

    Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger.

    How many people actually have the ability to securely wipe data on their phone to start with, without rooting it? For lots of folks, the "factory reset" option is the only thing they can do on their own, and that likely only deletes prefs and network settings and erases file system directory info. It does not overwrite the bits in the phone's storage to make them unrecoverable.

    1. Re:Who's at fault for this? by Mr0bvious · · Score: 5, Insightful

      As stated above this really should be an inbuilt OS feature - "Reset for resale"

      It shouldn't take an understanding or knowledge of the intricacies of how the device works or how to properly erase data. It should be automatically done by the OS since most phone users do not know how to do it properly.

      --
      Never happened. True story.
    2. Re:Who's at fault for this? by viperidaenz · · Score: 2

      I can go in to the settings menu and select encrypt device.
      Not sure if that's new for Android 4.4 or if it came earlier.

    3. Re: Who's at fault for this? by viperidaenz · · Score: 5, Funny

      Copy goatse, not music.

      Give them a surprise if they try and snoop your old data.

    4. Re:Who's at fault for this? by rioki · · Score: 2

      I would wager that the real impact is the opposite. It is like used games, on the surface it looks like a "lost sale" but in reality it provides liquidity. The used phone market then fuels the new pone market, since those that sell the phone do not have / don't want to spend the money on their yearly upgrade cycle. On the other hand those that buy the used phones don't have the money to spend on a new phone. Even though they may have spent the money on a lower end device, it is not a lost sale, since as mentioned before they supported the sale of a high end device, which again has a higher profit margin.

      But if MBAs would also get that, that would be great.

  3. Only Android? by exomondo · · Score: 3, Interesting

    Does the same thing occur with iPhones or Windows Phones or Blackberrys?

    1. Re:Only Android? by exomondo · · Score: 3, Insightful

      They don't mention if any of the devices were using Android's full device encryption either or which of the devices they recovered deleted data from rather than just receiving a phone where the user had forgotten to delete their data. Seems less like a study and more like a sales pitch.

  4. Factory reset. by bejiitas_wrath · · Score: 4, Interesting

    So taking out the SD card and a factory reset is not enough anymore? But how do you run DOD quality data wiping software on a phones built-in memory anyway? Most people hock phones and they are re-sold with phone numbers still on them. That should not happen. Let alone personal photos.

    --
    liberare massarum ex ignorantia, clausa descendit molestie.
  5. Re:Garbage In by djdanlib · · Score: 4, Informative

    > Google's Android phones flat out REFUSE to uninstall Facebook, for example.

    It uninstalls just fine, thank you very much.

    Or are you referring specifically to Nexus devices?

  6. ... and the water is wet by itsme1234 · · Score: 3, Interesting

    Yes, most devices we use don't actually wipe the data when you "reset to factory settings". Even desktop OSes don't do it (either by default, either at all, need special tools, etc). I bet this feature is really low on the "to do" list for most manufacturers of not only phones but also wifi routers, TVs, wireless cameras, you name it. We didn't (or maybe barely) manage to educate them not to put trivial backdoors, secure wipe is a long way out.

  7. Re:Garbage In by advocate_one · · Score: 2

    correct, if it's part of the manufacturer's feature set, then it's not possible to remove it, BUT, you can disable it after having removed all updates to it. Had to do that with my Sony Xperia... came with facebook and other social media rubbish... Some could be deleted, but the rest had to be disabled from starting up but still take up space.

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  8. Re:Garbage In by Anonymous Coward · · Score: 3, Insightful

    That's the carrier's doing

  9. Can't we just say people took naked pics? by Vellmont · · Score: 4, Insightful

    Why do we still talk like we're in middle school? Why the code talking? "personal pictures", "manhood"? Can't we just say they found pictures of guys penises, and nude to semi-nude women?

    People take nude photos of themselves, don't realize it's still on the phone, and sell the thing. The fault lies with the cell phone makers who aren't actually doing real deletes of pictures. That's just dumb. Back when storage medium was on a hard drive, and computers do a LOT of IO, deleting the reference to the file made sense to improve performance. But all phones use flash as storage, and there's simply not a lot of IO that's going on in your typical phone usage. The OS should be wiping the file, or at the very least remove the reference, and wipe the file at a later (but soon) time after (like perhaps while the user is typing something and is otherwise idle).

    The reality is phones get stolen, and the data is far less secure than on a PC. The OS needs to keep up with that. Deleting data for good should mean actually deleting the data. The shortcuts that've been done in the past should be a thing of the past.

    --
    AccountKiller
    1. Re:Can't we just say people took naked pics? by GrumpySteen · · Score: 2

      Avast is a corporation. Corporations tend to be conservative in their use of language (outside of the porn industry, at least). Using the term "penis" in a press release isn't going to happen.

  10. This post is an advert by mendax · · Score: 2, Insightful

    This article is good reading in itself but it wound up being an advert for the poster's product. I wonder how much Dice got paid to post this "story"? Is it any wonder I spend more time over at soylentnews.org, the name of which I was going to bury in a link but couldn't because the link gets replaced with "slashdot.org"?

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
    1. Re:This post is an advert by mendax · · Score: 3, Informative

      I don't know what you're doing. I tried several times without success. soylentnews.com was always replaced with slashdot.org.

      D'oh! I'm an idiot. It helps if the href contains an "http://" as part of the URL. Ok. No more conspiracy theories now, at least not on this issue.

      --
      It's really quite a simple choice: Life, Death, or Los Angeles.
  11. Re:Garbage In by gl4ss · · Score: 2

    fb pays the carrier or does some favors.

    look into "facebook zero", they do direct collaboration with the operators to enable zero fee(to user) facebook access..

    --
    world was created 5 seconds before this post as it is.
  12. Re:Garbage In by viperidaenz · · Score: 2

    My phone didn't even have the Facebook app installed when I bought it.

    It still doesn't.

  13. Re:"What to do before selling or giving away your. by SJ · · Score: 4, Informative

    Nope... Apple iPhones actually securely erases the encryption keys which renders the contents of the storage useless.

    It's a big button called "Erase All Contents and Settings". It does precisely that.

  14. Re:Grinder by viperidaenz · · Score: 2

    So no one knows you had the Grinder app installed?

  15. Why not just destroy your old phone? by mtthwbrnd · · Score: 2

    By the time it is old it is worthless. Just smash it up and throw it in the river.

  16. Re:Really? by David+Jao · · Score: 5, Informative

    They could have filled out the loan application somewhere else and uploaded it to a service like Dropbox. Viewing it later on the phone would leave a cached copy on the phone.

  17. Terrorists! by marcello_dl · · Score: 2

    They have circumvented a protection measure, that is wiping the phone- a faulty protection measure, but that doesn't matter, as history taught us if you find holes and publicize them, no matter the responsibility of the manufacturer, you are terrorist!

    Moreover, it is clear they have an interest in selling their own protection products, and that they have given bad ideas to people who normally would have started using the second hand phone and overwriting the crap with their own crap.

    So why doesn't avast end up in trouble like $RANDOM_HACKER ? Huh?

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  18. Re:Problem solved. by brantondaveperson · · Score: 2

    You mean like an iPhone? (as stated several times elsewhere on this thread).

  19. Re:"What to do before selling or giving away your. by L4t3r4lu5 · · Score: 3, Insightful

    Well no, it doesn't. You've contradicted yourself. What iOS does is delete the encryption key, as you stated, which renders the data inaccessible without recovering the key. The data is still entirely intact; Just really, really hard to recover :)

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  20. Isn't this illegal? by JDG1980 · · Score: 2

    How is this not a violation of the Computer Fraud and Abuse Act (CFAA)? They bypassed security measures (deletion) to access someone else's personal information without authorization. Given how broadly this has been interpreted in the past (Andrew Auernheimer was prosecuted for visiting public URLs on the Internet), Avast's act clearly should be considered a violation. Or is this a case of "if a corporation does it, it is not illegal"?

    1. Re:Isn't this illegal? by Kazoo+the+Clown · · Score: 2

      I'd say it deserves whistleblower protection. But in this country no one in power wants to hear from whistleblowers. When whistleblowing is illegal, only criminals know anything.

  21. Android already does? by emil · · Score: 2
    • Settings / Security / Encrypt Phone - I've never used it, but I am assuming it encrypts everything under /data.
    • I understand that a format of /data is what happens behind the factory reset option. Using GNU shred on the device file for this filesystem might prevent any recovery.