Your Smartphone Is an Accident Waiting to Happen
On a hot Saturday in Oakland, California, I wandered around the Coliseum flea market, passing stalls of fake MAC makeup and beat-up power tools, searching for used smartphones.
This particular Saturday I found what I was looking for almost immediately: a small table of BlackBerrys and Razrs of every color and shape, arranged neatly on an orange tablecloth.
As I was paying for a Samsung Rogue, I noticed a battered first-generation Motorola Droid. My heart skipped a beat: Three months before, my own Droid had been stolen, and all of the information with it. What if this phone was mine? Of course it wasn’t, but I couldn’t be sure until I haggled for it and brought it home. Just like the Rogue, this Droid had a drained battery; I wasn’t even sure it would work if I did charge it up.
When I got home and charged the phones, I found so much information on both that I could have constructed an intricate portrait of each former owner’s life in the month before the phone left their hands.
I had access to bank email, photos of family and friends, the nicknames the owners used for their parents--all for $60 and an afternoon at the flea market.
When I contacted the original owners of the phones, their stories were similar: The phones had been stolen, the owners desperately tried to get them back, and--not having installed a remote-wiping app--the owners had to accept the fact that their data was out in the wild. The owner of the Motorola Droid, Emily Smith, even remotely accessed her voicemail and found that the thief was using the phone as her own. But that knowledge couldn't help her get the phone back, and when I met up with Smith in San Francisco, she said that she switched from Android to an iPhone, because Apple's MobileMe would allow her to remotely lock her handset should it be stolen in the future. I returned the Droid to Smith. The owner of the Samsung Rogue was not able to meet up with me, and asked that we destroy the information on it.
Smith’s story is a familiar one: A lot of people’s phones are stolen, but as smartphones get smarter, the loss of data is going to become more disconcerting. When you lose a phone, you don’t just lose your own information, but also contact details, photos with other people in them, and the messages that other people have sent you. Installing an app that can remotely lock and erase the information on your phone is a great way to prevent a devastating mistake.
That said, if someone really has it out for you, or is specifically looking to harvest personal data, all they really have to do is grab the phone and put it in a Faraday bag (made of a special material that inhibits all communication from the network to the phone, preventing any remote-wiping tools). Or, easier still, if you have a GSM-based phone that requires a SIM card to communicate with the network (think AT&T and T-Mobile), all the thief needs to do is remove the SIM card to prevent your remote-wiping app from destroying your information.
Information That Won't Come Off a Phone
Some types of phone information can’t be wiped off even if you follow the instructions correctly.
The last phone we found information on was an HTC SMT5800 Windows-based smartphone sold to us by Jason Mills’s SoonerSoft. Mills had done a complete factory reset of the phone, leaving no email or contacts behind. But deep in the phone’s menu we found a 'call duration' option that listed the number of incoming and outgoing calls that the previous user had made in total hours and minutes.
“On some phones, call duration is not wipeable,” Mills says. “They’ll let you wipe the contacts and everything, but keep a list of call time so if the phone is resold, [a reseller] couldn’t say this phone is refurbished or brand-new; they’d have to say it’s used.”
Admittedly, aggregate call duration isn’t enough information to run a successful blackmail campaign, or commit identity theft. Nevertheless, if some trace of the phone’s previous data remains visible to the naked eye, a talented forensics expert--or even just a really smart hobby hacker--could certainly retrieve some of the files that used to be on that particular phone. “You’d be shocked,” notes Paul Henry, a security and forensics analyst, and owner of vNet Security. “The bottom line is that anything that appears on the phone is written on nonvolatile RAM, and literally, unless it’s overwritten, it can exist forever.”
Wiping a Phone vs. Forensically Wiping It
Even if you do everything right, and you wipe the phone exactly according to the directions, you might want to reconsider passing the handset along. “A phone is a lot like your PC: When you delete something, it's not actually gone. A skilled investigator can carve out specific items that he or she is looking for,” says Christopher Shin, vice president of engineering for Cellebrite, a mobile forensics company.
Cellebrite has developed a vast repertoire of tools for various phone operating systems and hardware. The company's forensic products can retrieve information off of nearly 3500 mobile-device models, from iPhones to Garmin GPS systems.
Of course, Cellebrite offers its equipment only to law enforcement personnel, so it’s not as if criminals are running around Smartphone Town with the key to the city. Consider, too, that it’s actually considerably harder for a person with no hacking experience to recover deleted data on a phone than it is for that person to recover deleted data on a discarded hard drive, simply because so many different mobile operating systems exist, especially on feature phones from two or three years ago. And many of the phones being discarded today have proprietary operating systems that won’t work with the free data-recovery software that you can download off the Internet with the click of a button.
That said, no smartphone--whether it’s an Android device, a BlackBerry, or an iPhone--is impossible to forensically analyze, and not all of the experts who are analyzing phones are good guys. Shaun Hipgrave, managing director for Forensic Telecommunications Services, analyzes iPhones, and says that no matter what kinds of security Apple adds to the iPhone, hackers will crack it. “The hacking community doesn’t do it for financial gains, they do it for intellectual stimulus,” he says.
So how do you make sure your data is for your eyes only? First, always wipe your phone yourself before you sell it to another person or to a company. Every phone has a different process: Most models allow you to restore factory settings through the phone’s menu, and many will require you to enter your phone’s password once or many times over. To restore the phone correctly, check the manual, or do a Google search for a step-by-step video.
If you’re really worried about unauthorized recovery of your data, BlackBerrys are a good choice: If you do a factory reset on the phone and don’t touch it for 30 days, the memory will automatically reorganize, making it harder for hackers to carve out pieces of your data in a forensic analysis. iPhone apps such as iErase and Android apps like ShreDroid will write over deleted data on your handset with random 1s and 0s after you’ve conducted a factory reset.
None of these solutions are perfect, and information might still be available from your used phone regardless. So if you’re especially paranoid, do as vNet Security's Paul Henry does with his old phones and those of his family: Take apart the phone, and use a hammer to break the memory chip into bits. Hey, you could probably get some money from the scrap metal.