back to article That 'wiped' Android phone you bought is stuffed with NAKED SELFIES – possibly

It's hard being a security researcher. Several of them just had to view thousands of nude selfies pulled from second-hand phones and tablets for a campaign warning people who sell old devices. The beleaguered infosec bods saw 750 photos of naked women and 250 images of manhood from a pool of 40,000 photos still stored on a …

  1. Destroy All Monsters Silver badge
    Holmes

    "My information could well be of use to you, Stalker"

    Also remember to wipe or crush your HDD/SDD before handing in your PC at the recycling center.

    1. Anonymous Coward
      Anonymous Coward

      Re: "My information could well be of use to you, Stalker"

      I have a drawer full of old, never to be used again HDD.

      Every now and again, when I feel the need to destroy, I'll take one out of the drawer and pulverise it with hammers, chisels and blow torches. Other times, I will get out my set of speciality screwdrivers and completely dismantle one of them before destroying the platters and throwing everything away.

      It's very therapeutic.

  2. GregC

    "...promoted its free Android anti-theft tool as a solution."

    So marketing then?

    Maybe I'm getting old and a bit too cynical, but every time I read a "report" like this the first thing I think is "what are they trying to sell?". It'd be nice to be wrong every now and then.

    Don't get me wrong, I don't doubt they did find all sorts of stuff, and of course you should properly wipe a device before you flog it. It'd just be nice to see something on the subject that doesn't originate from <insert infosec company here> who, coincidentally, just happen to be pushing a product related to that very problem.

    1. YetAnotherLocksmith

      Re: "...promoted its free Android anti-theft tool as a solution."

      Very effective to spend money to promote a free bit of software. Must be a great ROI. /sarcasm

      Raising awareness of crap locks on customer doors is something I do. People think they are secure, they aren't. Am I scaremongering? No, I'm telling the truth. Just like these guys I can demonstrate the flaws and fix it. Unlike them, I'll charge for it. In fact, they must have some other service to keep them in money, otherwise they'll need a second job. Are they cross promoting? Probably. But it is a free solution to an obvious issue some may not have thought about.

  3. stu 4

    Happened to me twice.

    Once, I bought a Sony UX-180 UMPC.

    the owner had thoughtfully left some pictures on it (it has a camera)... oh there are his kids.. looks like maybe Florida or something, there they are having dinner, very nice... WOHO.. there's the wife with a massive dildo up her furry cave.

    The next one was a camera from ebay. They'd deleted the photos from internal memory, but the phone had a 'noticeboard' feature (panasonic lumix) which let you store a few photos seperated (for maps, etc) and those were still there... I was treated to 4 photos of close ups of a toilet bowl and the owner's pride in his/her ability to excrete a large shite. lovely.

    As for scrubbing phones : can anyone suggest the best way of doing it then ?? Otherwise my own prize collection of my favourite shaped shites will be available to the next owner (obviously the camera triggered me to take up this facinating and valuable passtime)

    1. Anonymous Coward
      Anonymous Coward

      Re: Happened to me twice.

      "As for scrubbing phones : can anyone suggest the best way of doing it then??"

      With extreme prejudice, AKA a 50 cal round or two thru the old touch screen. Works every time!

    2. Evil Auditor
      Happy

      Re: Happened to me twice.

      stu 4, regarding your incident with the lumix, surely this is something that some of us would do deliberately when selling such a device.

      Oh, just me then?

    3. dogged

      Re: Happened to me twice.

      Copy everything to a PC, manually delete everything on the phone and then perform a factory reset.

      Don't forget your SD cards, if applicable.

      1. Steve Evans

        The only surefire way to erase everything, is to perform multiple overwrites on everything sensitive.

        Delete just sets a flag to say "This file is deleted". It's still there! A quick format isn't much better.

        A full forensic wipe, featuring multiple flipping of the bits over a long period of time is probably a bit OTT. The main risk you are facing is someone using recovery software against the device, not a forensic scientist removing the chips and going at them that way...

        So factory reset the device. Wipe the storage, then fill it up with something innocent.

        Then delete all those files/pictures, and fill it up again with something else innocent.

        Be warned though, that that will only overwrite your storage partition, not the system partitions (you've relied on the OS reset to do that).

        Are you paranoid yet?

        1. Slrman

          Personally, I keep everything on a micro SD card. I do periodically check the folders in main memory to be sure there's nothing there. If I were to sell or give away a device, I would not include the SD card. If I did, I'd erase everything then use my desktop system ant its "Erase Frees Space" feature. If I were paranoid or actually had something of a sensitive nature on it, I'd use one of the slower, but more secure, erasing options such as over write 7 times.

    4. a53

      Re: Happened to me twice.

      This:

      http://www.dailymail.co.uk/sciencetech/article-2686224/Wiping-Android-phones-DOESNT-work-Photos-texts-emails-recovered-reset-study-reveals.html

      Explains, at the end of the article exactly how to do it.

      1. Bloakey1
        Happy

        Re: Happened to me twice.

        <snip>

        "Explains, at the end of the article exactly how to do it."

        Errrr, are you from the University of Essex or Luton? Using the Daily Mail as an authoritative source does not go down well with me.

  4. Anonymous Coward
    Anonymous Coward

    One punter was so casual...

    Was it even his/her iPad to sell..?

    1. Jonathan Richards 1 Silver badge
      Stop

      Re: One punter was so casual...

      You beat me to it.

      "One punter was so keen to get the cash when selling someone else's iPad they did not even turn off the device, let alone wipe photos and emails stored within."

      There, that sounds more like it. Behaviour like that would make me, as a buyer, call off the deal instantly.

    2. YetAnotherLocksmith

      Re: One punter was so casual...

      But why would you turn it off? When you turn it back on it's exactly the same. It isn't like it wipes the thing!

  5. Roger B

    Phones

    We do repairs on a large number of phones running all the phone systems, iOS, Android, Windows and Blackberry, almost all have pictures on, I don't think we have found quite the ratio as these researchers though. It's almost tempting to set up a tumblr account and rake in the advertising money. For those asking, the best way to wipe your phone before trading it in, selling it on, disposing of it is a factory reset;

    Android has this in the settings menu, under privacy for some older models and under settings, back up and reset on newer kit

    Windows phone is under settings and about phone

    iOS is under settings, general, reset, erase all content and settings

    Blackberry could be anywhere, it seems to change all the time, best to RTFM and be prepared to wait, it can take up to an hour for some to wipe and reset.

    It's best to go through the new phone setup procedure at least once, to check everything has gone and then reset one more time. If your phone has been modded from its stock ROM be aware that these steps do not always work and your photos will stay until you manually delete them all.

    Hope this helps.

    1. JimmyPage

      Re: Factory Reset

      Will this really *wipe* the memory ? Or just like the old "quick format" trash the file allocation table ?

      There were scare stories in the 80s of people who had recovered sensitive data from formatted HDDs - and floppies.

      1. Roger B

        Re: Factory Reset

        I believe the Blackberry and perhaps iOS phones do the best job of scrubbing the memory,(Don't Blackberry have some sort of security certificate from various government organisations?) not so sure about Android and Windows phones, if you are really worried about the data on the phone, probably best not to sell it on, or manually reset and setup several times taking plenty of pictures or video to write over the older data.

        1. Bloakey1

          Re: Factory Reset

          "I believe the Blackberry and perhaps iOS phones do the best job of scrubbing the memory,(Don't Blackberry have some sort of security certificate from various government organisations?"

          <snip>

          Blackberry are probably the best at this as for the others it is harder to delete data than people think.

          There is a nice PGP version of Blackberry that is nice, everything is encrypted, that is indeed a hard nut to crack and the weak point is getting hold of the person who set the keys up. My favourite tool for data deletion is the hammer but in this scenario we use the data recovery tool the long nose pliers.

          1. BristolBachelor Gold badge

            Re: Factory Reset

            Once worked on an unfortumate investigation after a plane overshot the runway, cut down a mile of forest, and eventually caught fire, minus the wings. Most survived, apart from the pilot, who actually had a lucky escape from questions about his actions.

            Anyway, the aluminium box was crushed and melted. All the PCBs turned to ash and a pile of glass fibres. The flash memory chips were left as just the dies as the glass seal that glued the ceramic top and bottom of the dil package together melted...

            However, it was possible to read all the logs off the dies to reconstruct what had happened.

            And yes, we used long-nosed pliers :)

            1. Sorry that handle is already taken. Silver badge

              Re: BristolBachelor

              More on that story please!

              1. BristolBachelor Gold badge

                Re: BristolBachelor

                "More on that story please!"
                Well let's see. From where I was working at the time, it was sometime in the 90's. Some details are deliberately left out, like the country, airport, aircraft etc. As I understand it, I could use the investigation in general terms as an example when talking about investigations, failures or systems engineering, but certain details that aren't relevant to that use might make people blush. So here is an example of a system level failure and a small part about the investigation that is worth baring in mind when designing equipment that might be expected to undergo post mortem if something goes wrong.

                Pilot flying a small regional jet came in to land and set the engines to idle (oops 1). During final approach, he decided he didn't like something, and decided to do a go-around, so he throttled the engines to 100%. The engines now being below nominal operating temp because of the time spent at idle, throttled up a bit, but not to 100% (if you go from 0% to 100% in a sudden jump, the turbine blades heat-up, expand quicker than the outer of the engine and things get really noisy really quickly).

                Realising that he wasn't getting 100% thrust, the pilot decided that he was going to have to land anyway, so changed his mind in a hurry, and got the plane onto the runway. Sometime around now, with the engines up to nominal temp and with the throttle still at 100% (Oops 2), ramped up the trust to the max. Plane shot down the runway like a bat out of hell, overshot and went into a forest.

                They scrambled a helicopter to locate the plane as it was a bit hard to follow the random path through the trees. The investigation could not interview the flight crew and reconstructed evens from the flight recorders, radar records, positions of controls, etc. We were asked to retrieve whatever we could from the built-in records in our unit. The unit does a built-in-test (BIT) every time at start-up, a fuller BIT when commanded, and some periodic on-going checking during normal use. Also any anomalies are recorded - all done to identify possible faults for maintenance.

                The box was a bit of a mess as I said earlier. The E² (effectively flash that is erased byte at a time instead of page at a time) dies were taken to the manufacturer who had a nice test set-up that could probe directly on the bond-pads. Can't remember which manufacturer it was, but it's likely that they don't exist by that name anymore and have been bought and assimilated so many times it would be difficult to find out. Anyway, the data was read-out of the die, and for speed was copied into a new chip and plugged into an engineering unit to read-out the logs. Separately, a manual search was done through the raw data to confirm that nothing was missed by the log read-out.

            2. Bloakey1

              Re: Factory Reset

              <snip>

              "And yes, we used long-nosed pliers :)"

              A multifunction tool if ever there was one.

              I once worked on a Yugoslavian Airlines crash in Corsica. We had to climb mountains to get to the bodies and then bag up the remains. It was heartbreaking work but fortified by an unlimited supply of wine it was bearable.

        2. Ambivalous Crowboard
          Thumb Up

          Re: Factory Reset (Blackberry)

          Yes, BlackBerry do a secure wipe which takes 15 minutes (and more if you leave the SD card in).

      2. Bloakey1

        Re: Factory Reset

        Jimmy.

        It does not delete the data, it obfuscates it and it is therefore retrievable.

        You can Fdisk, format and do what you want, I can get to your data!!! It is a question of coercivity and diving into the deeper levels as it were.

        A hammer is the answer.

    2. Christoph
      Holmes

      Re: Phones

      "We do repairs on a large number of phones running all the phone systems, iOS, Android, Windows and Blackberry, almost all have pictures on, I don't think we have found quite the ratio as these researchers though."

      Which directly implies that you search for and examine the photos on any phones which you repair?

      It is of course well known that this happens. What's not so well known is how often other information gets copied off.

      So best to wipe the phone before you get it repaired.

      Oh, the fault that needs repairing prevents you from wiping the phone? Looks like you have problems.

      1. Roger B

        Re: Phones

        Sorry, I should say, the phones we do repairs on are not from the public, these are phones traded in, sold on, so are no longer in use by the original owner.

    3. Bloakey1

      Re: Phones

      <snip>

      "Android has this in the settings menu, under privacy for some older models and under settings, back up and reset on newer kit"

      <snip>

      I am sorry but an Android factory reset does not get rid of all data. It tends to obfuscate most of it and a person with a modicum of recovery knowledge can get the data back.

      The same goes for the other phones, slabs computers etc.

      I am fully conversant with DOD standards for wiping data and have spent many's an amusing hour playing with Encase and the like finding out what certain people were up to and in my considered opinion I would recommend wiping everything with specialised software and once that is done gently place the device on a flat surface and destroy the bugger with a huge big hammer. Extreme prejudice.

      I have recovered all sorts of data from storage devices and have even worked once in a fridge (the temperature difference caused the drive heads to shift a fraction making the drive readable ) on a laptop that had been thrown out of a window.

      Be smart and use your huge big tool (1.), software can't be trusted.

      1. Hammer OD, for the use of.

      1. JLV

        Hammer...

        Errr.... and how do you propose to sell the phone after that?

        I would log off from my email account, do a factory reset. Then, after making sure the memory is almost empty (OS excepted), I would leave it to shoot videos of my wall till it was full again. Could even be bothered to change my email password on my laptop afterwards.

        Since the most sensitive stuff I have on my phone is pretty much my email access, that should be good enough. Even if you got in, you wouldn't see that much more incriminating stuff because I keep it the heck off my easily misplaced/stolen phone. No banking happens on it, for example.

        Now, if I was doing DoD stuff, then that might be different, but I don't have any Bond delusions myself.

        1. Bloakey1

          Re: Hammer...

          <snip>

          "Now, if I was doing DoD stuff, then that might be different, but I don't have any Bond delusions myself."

          Why would one want to sell a phone on? Perhaps I am lucky in that I have never been that short of cash. Any personal data of mine is put beyond recovery or stored under my control. Not Bond delusions but military and I.T. security best practice. In the event that you do not care about your data then pass it on, if you do, be aware that it can be recovered fairly easily and cut your cloth accordingly.

          1. a53

            Re: Hammer...

            Well, my example would be the iPhones I've previously sold when replacing them with a newer version. I generally get between £250 and £325. What better reason for not destroying it ? And yes, I've always used Apple's method of completely clearing the memory first. which is to overwrite several times with 1's and 0's.

          2. JLV
            Boffin

            Re: Hammer...

            Like I said there is very little on that phone that is sensitive in the first place. Which, imho, is best practice. A big chunk of your risk is while you own it, not after disposal. I don't have an overwhelming need to bank on mobile for example. Sexy pics? A rather dumb move regardless of medium.

            Now, your needs may differ but I don't want to landfill mine, more an issue than the $ profit. And, if you pass it on rather than sell it, how does change anything and who's to say it doesn't end up on Craigslist later?

            Hammers? Great for some users but a thorough wipe, not just a reset, will cover 90% of the rest. Research your own recipe, carry it out and rest assured there are plenty of much lower hanging fruits to be picked, as per article.

    4. YetAnotherLocksmith

      Re: Phones

      Blackberry takes ages because it actually scrubs the data.

      The clue it isn't actually deleting properly is when you kill a gig of data in half a second. It's only changing the index!

      But *we* all knew this already, obs.

  6. Isendel Steel
    Joke

    Photos....

    .....or it didn't happen

    I'll get my coat

  7. Neil Barnes Silver badge
    Coat

    Serendipitous photos

    Isn't that the *reason* for buying a second hand data storage system?

    Just askin...

  8. Smilin' Stan
    Holmes

    Sold by "owners?"

    Not to discount stupidity by the sellers (motto: *never* discount stupidity), but how many of these devices were sold on eBay by the actual owners vs. sold by petty thieves?

  9. Anonymous Coward
    Anonymous Coward

    1000 wobbly bits?

    Unless my math is wrong, 750 women who are equipped with two wobbly bits each, plus 250 men (with one each) makes 1750.

  10. Bloakey1

    Funnily enough I just saw this:

    http://www.cnet.com/news/android-factory-reset-doesnt-delete-all-data/

    They do however have a drum to beat so be aware they are trying to sell a service.

  11. Anonymous Coward
    Anonymous Coward

    Re: Android phones

    I'd do

    Settings: Security: Encrypt Phone

    Factory reset

    Reflash factory image using manufacturers tool or adb/odin

  12. Mitoo Bobsworth

    Or...

    ...practice some selfie-control and don't take stupid or embarrassing pics of yourself.

  13. Jamie Jones Silver badge
    Facepalm

    Huh?

    "Deleting" files doesn't physically delete the data?

    Wow. Who amongst us techies would have known that?

  14. phuzz Silver badge

    Good Idea

    JLV's idea above, about shooting video of a blank wall to quickly fill up the storage and overwrite deleted data is the best idea I've seen so far.

    Unless you're well off enough to destroy every phone you've owned, of course.

    1. Bloakey1

      Re: Good Idea

      "JLV's idea above, about shooting video of a blank wall to quickly fill up the storage and overwrite deleted data is the best idea I've seen so far."

      All well and good but because this is based on coercivity a shadow is left beneath, a ghost as it were and it can be dived for and retrieved, DOD rules demand that it is over written many times by ones and zeros, even then it can still remain as a distant shadow.

      "Unless you're well off enough to destroy every phone you've owned, of course."

      I have never had to sell one.I am in my Southern European lair and have a lot of laptops here that are about a year to 3 years old. In the event someone wants one then they will have to buy a hard drive and can have the laptop for free. All the drives are in the garage in a safe and when I am of a mind to do it they will join Luca Brazi on my next diving trip.

      Not paranoid but have a system and stick by it.

  15. Ken 16

    I'm worried that El Reg readers feel they may be affected

    I may be mistaking the demographic but I'm pretty sure I don't want to see naked selfies from any of you. If I buy a cheap android on eBay, I'm going to make sure it's entry level and in a pink case.

  16. chris lively

    "Put all of these pieces together to complete the puzzle and you have a clear picture of who the former smart phone owner was,"

    Now that's funny.

  17. Ron B

    Not hard to recover pictures...

    Because a "Factory Reset" from the recovery menu skips the camera's default directory.

    I just did a wipe on an Android tablet yesterday. The user had ignored the "memory full" errors and there wasn't enough free memory left for the tablet to start. It wouldn't boot far enough to connect via USB, either. So, I wiped it. The camera pics were still there after rebooting.

    1. Fliohyer

      Re: Not hard to recover pictures...

      As I know MobiKin Doctor for Android has the ability to recover lost data from Android phone and also restore data from SD card. You can google it and have a try, it is easy to recover pictures with it.

  18. JimWin

    Use a computer....

    I use a 3rd party app on my mac (Android File Transfer FWIW) for loading and unloading files. It gives a browser like view of everything on the phone (which, btw is rooted). If I wanted to sell my phone, I'd do a factory reset then check what was left and remove it with AFT.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021