Slashdot Mirror

← Back to Stories (view on slashdot.org)

Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos

Posted by Soulskill on from the delete-then-rewrite-then-smash-into-bits dept.

An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more.. personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."

20 of 231 comments (clear)

  1. Where the fault lies? by PC_THE_GREAT · · Score: 3, Insightful

    When someone says reset phone and reset data, the OS should ensure a clean wipe not a soft wipe. Should atleast fill it with 0s. And people should try to keep most of their data on sd cards and move those alongs when they get new phones.

    What kind of people sell sd cards along with phone. I thought everyone are misers.

    Am tempted to know what kind of nudie pics where available :p.

    1. Re:Where the fault lies? by tlhIngan · · Score: 4, Insightful

      But how many people actually reset phone and reset data? I'd imagine a lot of people simply manually delete their photos and unhook their Internet accounts from the phone. Hardly a wipe.

      But it's so easy to do on iOS. You can do it on the phone - Settings->General->Reset

      And it wipes the phone - the flash storage is encrypted. Resetting it wipes the key and generates a new one. It then reboots and reformats the user storage using the new key and mounts it. The old data is irrecoverable because the key is lost, and the new data is written using a new key.

      Even prior to encrypted storage, iOS3 created the option to do it where it erases and wipes the storage - anything 3GS and newer wipes keys (so wiping takes a couple of minutes), older ones took a couple of hours.

      No reason Android can't do the same - either by sending TRIM commands to the entire user storage area and then forcing a write-all-with-zeroes to be doubly sure.

    2. Re:Where the fault lies? by MyFirstNameIsPaul · · Score: 4, Insightful

      I would not trust an encryption method as a replacement for permanent data destruction, but I may be more paranoid than most.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    3. Re:Where the fault lies? by gnasher719 · · Score: 3, Funny

      When someone says reset phone and reset data, the OS should ensure a clean wipe not a soft wipe. Should atleast fill it with 0s. And people should try to keep most of their data on sd cards and move those alongs when they get new phones.

      There's one phone that just throws away the encryption keys, which are never stored anywhere than on two locations on the hard drive (in encrypted form), so only these two locations need to be wiped. That phone also has the ability to access a small amount of flash memory directly without the firmware interfering, to make sure that no invisible copies of those keys are created. Well, it's not Android...

    4. Re:Where the fault lies? by Razed+By+TV · · Score: 4, Insightful

      I think you're looking at it from the wrong angle. For general purpose phone use, encryption is reasonable. But for the purposes of permanent deletion, why rely on encryption when you could just shred the data and be done with it once and for all?

    5. Re:Where the fault lies? by BasilBrush · · Score: 4, Interesting

      Because throwing the keys away on an encrypted drive is more secure than overwriting an unencrypted drive with zeros, as the data recovery experts will be glad to tell you.

  2. Who's at fault for this? by SeaFox · · Score: 3, Insightful

    Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger.

    How many people actually have the ability to securely wipe data on their phone to start with, without rooting it? For lots of folks, the "factory reset" option is the only thing they can do on their own, and that likely only deletes prefs and network settings and erases file system directory info. It does not overwrite the bits in the phone's storage to make them unrecoverable.

    1. Re:Who's at fault for this? by Mr0bvious · · Score: 5, Insightful

      As stated above this really should be an inbuilt OS feature - "Reset for resale"

      It shouldn't take an understanding or knowledge of the intricacies of how the device works or how to properly erase data. It should be automatically done by the OS since most phone users do not know how to do it properly.

      --
      Never happened. True story.
    2. Re: Who's at fault for this? by viperidaenz · · Score: 5, Funny

      Copy goatse, not music.

      Give them a surprise if they try and snoop your old data.

  3. Only Android? by exomondo · · Score: 3, Interesting

    Does the same thing occur with iPhones or Windows Phones or Blackberrys?

    1. Re:Only Android? by exomondo · · Score: 3, Insightful

      They don't mention if any of the devices were using Android's full device encryption either or which of the devices they recovered deleted data from rather than just receiving a phone where the user had forgotten to delete their data. Seems less like a study and more like a sales pitch.

  4. Factory reset. by bejiitas_wrath · · Score: 4, Interesting

    So taking out the SD card and a factory reset is not enough anymore? But how do you run DOD quality data wiping software on a phones built-in memory anyway? Most people hock phones and they are re-sold with phone numbers still on them. That should not happen. Let alone personal photos.

    --
    liberare massarum ex ignorantia, clausa descendit molestie.
  5. Re:Garbage In by djdanlib · · Score: 4, Informative

    > Google's Android phones flat out REFUSE to uninstall Facebook, for example.

    It uninstalls just fine, thank you very much.

    Or are you referring specifically to Nexus devices?

  6. ... and the water is wet by itsme1234 · · Score: 3, Interesting

    Yes, most devices we use don't actually wipe the data when you "reset to factory settings". Even desktop OSes don't do it (either by default, either at all, need special tools, etc). I bet this feature is really low on the "to do" list for most manufacturers of not only phones but also wifi routers, TVs, wireless cameras, you name it. We didn't (or maybe barely) manage to educate them not to put trivial backdoors, secure wipe is a long way out.

  7. Re:Garbage In by Anonymous Coward · · Score: 3, Insightful

    That's the carrier's doing

  8. Can't we just say people took naked pics? by Vellmont · · Score: 4, Insightful

    Why do we still talk like we're in middle school? Why the code talking? "personal pictures", "manhood"? Can't we just say they found pictures of guys penises, and nude to semi-nude women?

    People take nude photos of themselves, don't realize it's still on the phone, and sell the thing. The fault lies with the cell phone makers who aren't actually doing real deletes of pictures. That's just dumb. Back when storage medium was on a hard drive, and computers do a LOT of IO, deleting the reference to the file made sense to improve performance. But all phones use flash as storage, and there's simply not a lot of IO that's going on in your typical phone usage. The OS should be wiping the file, or at the very least remove the reference, and wipe the file at a later (but soon) time after (like perhaps while the user is typing something and is otherwise idle).

    The reality is phones get stolen, and the data is far less secure than on a PC. The OS needs to keep up with that. Deleting data for good should mean actually deleting the data. The shortcuts that've been done in the past should be a thing of the past.

    --
    AccountKiller
  9. Re:"What to do before selling or giving away your. by SJ · · Score: 4, Informative

    Nope... Apple iPhones actually securely erases the encryption keys which renders the contents of the storage useless.

    It's a big button called "Erase All Contents and Settings". It does precisely that.

  10. Re:This post is an advert by mendax · · Score: 3, Informative

    I don't know what you're doing. I tried several times without success. soylentnews.com was always replaced with slashdot.org.

    D'oh! I'm an idiot. It helps if the href contains an "http://" as part of the URL. Ok. No more conspiracy theories now, at least not on this issue.

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
  11. Re:Really? by David+Jao · · Score: 5, Informative

    They could have filled out the loan application somewhere else and uploaded it to a service like Dropbox. Viewing it later on the phone would leave a cached copy on the phone.

  12. Re:"What to do before selling or giving away your. by L4t3r4lu5 · · Score: 3, Insightful

    Well no, it doesn't. You've contradicted yourself. What iOS does is delete the encryption key, as you stated, which renders the data inaccessible without recovering the key. The data is still entirely intact; Just really, really hard to recover :)

    --
    Finally had enough. Come see us over at https://soylentnews.org/