Recycled phones retain their previous owners’ data

Mobile phone contracts generally run for 12-24 months, and new handsets are released just as quickly. As a result, users often upgrade their phones as fast as they renew their contracts – and combined with difficult economic times this has led to a large second-owner mobile phone market. But mobile phones are hugely personal and increasingly powerful devices, used for private, financial and business purposes – and data left behind could be a problem for both the owner and his or her employer.

BlackBelt, a mobile phone security firm, wanted to see whether users adequately remove data from their old phones before passing them on to friends, family, or strangers. In partnership with YouGov it surveyed more than 2000 UK adults to discover attitudes and practices in mobile phone data wiping. It found that 25% of users have knowingly owned a second-hand or refurbished device, and that nearly a third of those had found the previous owner’s contacts, photos or other information. “I’d heard anecdotal evidence about the amount of private data people were finding on second hand handsets, however these figures throw this into stark relief,” commented Ken Garner, BlackBelt’s business development manager.

Users seem to understand the need to clean out their data before recycling and often try to do so – but, quite rightly, do not believe it is very effective. For example, 59% of recyclers have tried to manually delete their data, 72% have removed their SIM card, and 50% have performed a factory reset. But despite this only 26% believe that manual deletion completely wipes data from the handset, and only 37% believe a factory reset is fully effective.

The simple fact is that it is difficult to remove data from a mobile device because of the wear leveling technique used to extend the life of solid state memory. Solid state memory has a limited lifetime: each cell survives only so many erase cycles. Wear leveling stretches this by spreading writes across the memory so that no single area is worn out too quickly, and by avoiding in-place overwrites – new data goes to a fresh location and the old copy is merely marked as stale. “In reality,” notes BlackBelt, “it isn’t possible for an individual to perform a full removal of personal data from any smart phone or tablet using a device’s in-built factory reset or by re-flashing the operating system. This is because contemporary devices are fitted with solid state memory, which uses a technique called wear leveling to minimize data corruption and extend its lifespan by over-ruling instructions to permanently overwrite old data.”
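The mechanism is easier to see in a toy model. The following Python is an added illustration, not code from BlackBelt, Wired or AccessData: it models a simplified flash translation layer in which the controller maps logical blocks to physical pages, directs each write to the least-worn free page, and never overwrites in place. A “factory reset” that only clears the logical map leaves every old page readable to a chip-level reader, whereas erasing every physical page does not. All block names and contents are constructed sample values.

```python
"""Toy flash translation layer with wear leveling (added illustration).

Models why a logical overwrite or a map-clearing reset does not remove
old data from solid state memory, and why a physical erase of every
page does. Not a model of any specific phone or controller.
"""


class ToyFlash:
    def __init__(self, n_pages=8):
        self.pages = [None] * n_pages      # physical pages (None = erased)
        self.erase_counts = [0] * n_pages  # wear per physical page
        self.mapping = {}                  # logical block -> physical page
        self.stale = set()                 # pages holding superseded data

    def _pick_free_page(self):
        # Wear leveling: write to the erased page with the fewest erases.
        free = [i for i, p in enumerate(self.pages) if p is None]
        if not free:
            raise RuntimeError("no erased pages left; garbage collection needed")
        return min(free, key=lambda i: self.erase_counts[i])

    def write(self, lba, data):
        # Out-of-place write: the old copy is marked stale, not erased.
        page = self._pick_free_page()
        self.pages[page] = data
        old = self.mapping.get(lba)
        if old is not None:
            self.stale.add(old)
        self.mapping[lba] = page

    def read(self, lba):
        # What the operating system sees through the logical map.
        return self.pages[self.mapping[lba]]

    def quick_reset(self):
        # A reset that only forgets the logical map; pages stay intact.
        self.stale.update(self.mapping.values())
        self.mapping.clear()

    def secure_erase(self):
        # Erase every physical page, stale or live, as an eraser tool must.
        for i in range(len(self.pages)):
            self.pages[i] = None
            self.erase_counts[i] += 1
        self.stale.clear()
        self.mapping.clear()

    def forensic_dump(self):
        # What a chip-level reader recovers: every non-erased page,
        # whether or not the logical map still points at it.
        return [p for p in self.pages if p is not None]


def demo():
    """Walk one handset through use, 'manual delete', reset and erase."""
    flash = ToyFlash(n_pages=8)
    flash.write("contacts", "Alice +44 7000 000000")            # constructed
    flash.write("contacts", "Alice +44 7000 000000 (updated)")  # constructed
    flash.write("photo1", "JPEG bytes of holiday photo")        # constructed
    # The user 'manually deletes' contacts by overwriting the block.
    flash.write("contacts", "\x00" * 8)
    visible_after_delete = flash.read("contacts")   # zeros, as the OS sees it
    flash.quick_reset()
    recoverable_after_reset = flash.forensic_dump()  # old copies still there
    flash.secure_erase()
    recoverable_after_erase = flash.forensic_dump()  # nothing left
    return visible_after_delete, recoverable_after_reset, recoverable_after_erase


if __name__ == "__main__":
    deleted, after_reset, after_erase = demo()
    print("OS view after manual delete:", repr(deleted))
    print("Chip view after quick reset:", after_reset)
    print("Chip view after physical erase:", after_erase)
```

The point of the model is the gap between `read`, which is all a manual delete or factory reset can influence, and `forensic_dump`, which is what phone forensic software works from; only an operation that touches every physical page closes that gap.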

If the data isn’t overwritten, it is relatively easy to recover. Wired recently tested this. “We wanted to see what kind of data was lurking on our devices, so we rounded up every old phone we could scrounge up from around the office and asked the owners to wipe them,” it reported. Then it gave them to AccessData, one of several companies that sells phone forensic software. AccessData recovered email data, documents, photos, contacts, and a geographic history based on WiFi access points. “So what can you do about all this the next time you’re ready to upgrade phones? The alarming answer is not much,” concluded Wired.

BYOD makes this a business as well as a personal problem. “With the rise of Bring Your Own Device schemes in the workplace, it’s not just our personal data that’s at risk,” warns BlackBelt’s Garner. And there are only two real solutions. The first, suggested by Wired, is a hammer. The second, suggested by BlackBelt, is specialist software that does the job thoroughly: just as there is software to recover phone data, there is software to destroy it.
