Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos
An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or Craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more... personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."
As stated above this really should be an inbuilt OS feature - "Reset for resale"
It shouldn't take an understanding or knowledge of the intricacies of how the device works or how to properly erase data. It should be automatically done by the OS since most phone users do not know how to do it properly.
Never happened. True story.
So taking out the SD card and a factory reset is not enough anymore? But how do you run DOD quality data wiping software on a phone's built-in memory anyway? Most people hock phones and they are re-sold with phone numbers still on them. That should not happen. Let alone personal photos.
liberare massarum ex ignorantia, clausa descendit molestie.
> Google's Android phones flat out REFUSE to uninstall Facebook, for example.
It uninstalls just fine, thank you very much.
Or are you referring specifically to Nexus devices?
Why do we still talk like we're in middle school? Why the code talking? "personal pictures", "manhood"? Can't we just say they found pictures of guys' penises, and nude to semi-nude women?
People take nude photos of themselves, don't realize it's still on the phone, and sell the thing. The fault lies with the cell phone makers who aren't actually doing real deletes of pictures. That's just dumb. Back when storage medium was on a hard drive, and computers do a LOT of IO, deleting the reference to the file made sense to improve performance. But all phones use flash as storage, and there's simply not a lot of IO that's going on in your typical phone usage. The OS should be wiping the file, or at the very least remove the reference, and wipe the file at a later (but soon) time after (like perhaps while the user is typing something and is otherwise idle).
The reality is phones get stolen, and the data is far less secure than on a PC. The OS needs to keep up with that. Deleting data for good should mean actually deleting the data. The shortcuts that've been done in the past should be a thing of the past.
AccountKiller
But it's so easy to do on iOS. You can do it on the phone - Settings->General->Reset
And it wipes the phone - the flash storage is encrypted. Resetting it wipes the key and generates a new one. It then reboots and reformats the user storage using the new key and mounts it. The old data is irrecoverable because the key is lost, and the new data is written using a new key.
Even prior to encrypted storage, iOS3 created the option to do it where it erases and wipes the storage - anything 3GS and newer wipes keys (so wiping takes a couple of minutes), older ones took a couple of hours.
No reason Android can't do the same - either by sending TRIM commands to the entire user storage area and then forcing a write-all-with-zeroes to be doubly sure.
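The key-wipe reset described in the comment above, contrasted with a reset that only drops file references, as an added example that is not part of the original thread. `ToyFlash`, `quick_reset` and the sample file are hypothetical names and constructed data, and the SHA-256 keystream is a toy stand-in for real disk encryption, not any vendor's implementation.

```python
import hashlib
import os

BLOCK = 32  # toy block size in bytes

def pad(key: bytes, block_no: int) -> bytes:
    # Toy per-block keystream (SHA-256 of key + block number); stand-in for real disk encryption.
    return hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyFlash:
    """Raw blocks plus a file table: a constructed model of a phone's user storage."""

    def __init__(self, nblocks: int, encrypted: bool):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.table = {}                      # file name -> block numbers
        self.free = list(range(nblocks))
        self.key = os.urandom(32) if encrypted else None

    def write(self, name: str, data: bytes) -> None:
        used = []
        for off in range(0, len(data), BLOCK):
            n = self.free.pop(0)
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.blocks[n] = xor(chunk, pad(self.key, n)) if self.key else chunk
            used.append(n)
        self.table[name] = used

    def read(self, name: str) -> bytes:
        out = b""
        for n in self.table[name]:
            out += xor(self.blocks[n], pad(self.key, n)) if self.key else self.blocks[n]
        return out.rstrip(b"\0")

    def quick_reset(self) -> None:
        # Drops references only; block contents stay on the chip.
        self.table.clear()
        self.free = list(range(len(self.blocks)))
        if self.key:
            self.key = os.urandom(32)        # crypto-erase: the old key is discarded

def residue_after_reset(encrypted: bool) -> bool:
    """True if the constructed plaintext is still findable in the raw blocks after reset."""
    secret = b"CONSTRUCTED-SAMPLE: loan application, name and address"
    flash = ToyFlash(nblocks=16, encrypted=encrypted)
    flash.write("loan.pdf", secret)
    assert flash.read("loan.pdf") == secret  # normal use is transparent either way
    flash.quick_reset()
    return secret[:BLOCK] in b"".join(flash.blocks)
```

In the unencrypted model the file's bytes survive the reset verbatim in the raw blocks; in the encrypted model the same blocks hold only ciphertext whose key no longer exists.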
I would not trust an encryption method as a replacement for permanent data destruction, but I may be more paranoid than most.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
Nope... Apple iPhones actually securely erase the encryption keys which renders the contents of the storage useless.
It's a big button called "Erase All Contents and Settings". It does precisely that.
Copy goatse, not music.
Give them a surprise if they try and snoop your old data.
They could have filled out the loan application somewhere else and uploaded it to a service like Dropbox. Viewing it later on the phone would leave a cached copy on the phone.
I think you're looking at it from the wrong angle. For general purpose phone use, encryption is reasonable. But for the purposes of permanent deletion, why rely on encryption when you could just shred the data and be done with it once and for all?
Because throwing the keys away on an encrypted drive is more secure than overwriting an unencrypted drive with zeros, as the data recovery experts will be glad to tell you.