
"My information could well be of use to you, Stalker"
Also remember to wipe or crush your HDD/SDD before handing in your PC at the recycling center.
It's hard being a security researcher. Several of them just had to view thousands of nude selfies pulled from second-hand phones and tablets for a campaign warning people who sell old devices. The beleaguered infosec bods saw 750 photos of naked women and 250 images of manhood from a pool of 40,000 photos still stored on a …
I have a drawer full of old, never to be used again HDD.
Every now and again, when I feel the need to destroy, I'll take one out of the drawer and pulverise it with hammers, chisels and blow torches. Other times, I will get out my set of speciality screwdrivers and completely dismantle one of them before destroying the platters and throwing everything away.
It's very therapeutic.
So marketing then?
Maybe I'm getting old and a bit too cynical, but every time I read a "report" like this the first thing I think is "what are they trying to sell?". It'd be nice to be wrong every now and then.
Don't get me wrong, I don't doubt they did find all sorts of stuff, and of course you should properly wipe a device before you flog it. It'd just be nice to see something on the subject that doesn't originate from <insert infosec company here> who, coincidentally, just happen to be pushing a product related to that very problem.
Very effective to spend money to promote a free bit of software. Must be a great ROI. /sarcasm
Raising awareness of crap locks on customer doors is something I do. People think they are secure, they aren't. Am I scaremongering? No, I'm telling the truth. Just like these guys I can demonstrate the flaws and fix it. Unlike them, I'll charge for it. In fact, they must have some other service to keep them in money, otherwise they'll need a second job. Are they cross promoting? Probably. But it is a free solution to an obvious issue some may not have thought about.
Once, I bought a Sony UX-180 UMPC.
the owner had thoughtfully left some pictures on it (it has a camera)... oh there are his kids.. looks like maybe Florida or something, there they are having dinner, very nice... WOHO.. there's the wife with a massive dildo up her furry cave.
The next one was a camera from ebay. They'd deleted the photos from internal memory, but the phone had a 'noticeboard' feature (panasonic lumix) which let you store a few photos seperated (for maps, etc) and those were still there... I was treated to 4 photos of close ups of a toilet bowl and the owner's pride in his/her ability to excrete a large shite. lovely.
As for scrubbing phones : can anyone suggest the best way of doing it then ?? Otherwise my own prize collection of my favourite shaped shites will be available to the next owner (obviously the camera triggered me to take up this facinating and valuable passtime)
The only surefire way to erase everything, is to perform multiple overwrites on everything sensitive.
Delete just sets a flag to say "This file is deleted". It's still there! A quick format isn't much better.
A full forensic wipe, featuring multiple flipping of the bits over a long period of time is probably a bit OTT. The main risk you are facing is someone using recovery software against the device, not a forensic scientist removing the chips and going at them that way...
So factory reset the device. Wipe the storage, then fill it up with something innocent.
Then delete all those files/pictures, and fill it up again with something else innocent.
Be warned though, that that will only overwrite your storage partition, not the system partitions (you've relied on the OS reset to do that).
Are you paranoid yet?
Personally, I keep everything on a micro SD card. I do periodically check the folders in main memory to be sure there's nothing there. If I were to sell or give away a device, I would not include the SD card. If I did, I'd erase everything then use my desktop system ant its "Erase Frees Space" feature. If I were paranoid or actually had something of a sensitive nature on it, I'd use one of the slower, but more secure, erasing options such as over write 7 times.
You beat me to it.
"One punter was so keen to get the cash when selling someone else's iPad they did not even turn off the device, let alone wipe photos and emails stored within."
There, that sounds more like it. Behaviour like that would make me, as a buyer, call off the deal instantly.
We do repairs on a large number of phones running all the phone systems, iOS, Android, Windows and Blackberry, almost all have pictures on, I don't think we have found quite the ratio as these researchers though. It's almost tempting to set up a tumblr account and rake in the advertising money. For those asking, the best way to wipe your phone before trading it in, selling it on, disposing of it is a factory reset;
Android has this in the settings menu, under privacy for some older models and under settings, back up and reset on newer kit
Windows phone is under settings and about phone
iOS is under settings, general, reset, erase all content and settings
Blackberry could be anywhere, it seems to change all the time, best to RTFM and be prepared to wait, it can take up to an hour for some to wipe and reset.
It's best to go through the new phone setup procedure at least once, to check everything has gone and then reset one more time. If your phone has been modded from its stock ROM be aware that these steps do not always work and your photos will stay until you manually delete them all.
Hope this helps.
I believe the Blackberry and perhaps iOS phones do the best job of scrubbing the memory,(Don't Blackberry have some sort of security certificate from various government organisations?) not so sure about Android and Windows phones, if you are really worried about the data on the phone, probably best not to sell it on, or manually reset and setup several times taking plenty of pictures or video to write over the older data.
"I believe the Blackberry and perhaps iOS phones do the best job of scrubbing the memory,(Don't Blackberry have some sort of security certificate from various government organisations?"
<snip>
Blackberry are probably the best at this as for the others it is harder to delete data than people think.
There is a nice PGP version of Blackberry that is nice, everything is encrypted, that is indeed a hard nut to crack and the weak point is getting hold of the person who set the keys up. My favourite tool for data deletion is the hammer but in this scenario we use the data recovery tool the long nose pliers.
Once worked on an unfortumate investigation after a plane overshot the runway, cut down a mile of forest, and eventually caught fire, minus the wings. Most survived, apart from the pilot, who actually had a lucky escape from questions about his actions.
Anyway, the aluminium box was crushed and melted. All the PCBs turned to ash and a pile of glass fibres. The flash memory chips were left as just the dies as the glass seal that glued the ceramic top and bottom of the dil package together melted...
However, it was possible to read all the logs off the dies to reconstruct what had happened.
And yes, we used long-nosed pliers :)
"More on that story please!"Well let's see. From where I was working at the time, it was sometime in the 90's. Some details are deliberately left out, like the country, airport, aircraft etc. As I understand it, I could use the investigation in general terms as an example when talking about investigations, failures or systems engineering, but certain details that aren't relevant to that use might make people blush. So here is an example of a system level failure and a small part about the investigation that is worth baring in mind when designing equipment that might be expected to undergo post mortem if something goes wrong.
Pilot flying a small regional jet came in to land and set the engines to idle (oops 1). During final approach, he decided he didn't like something, and decided to do a go-around, so he throttled the engines to 100%. The engines now being below nominal operating temp because of the time spent at idle, throttled up a bit, but not to 100% (if you go from 0% to 100% in a sudden jump, the turbine blades heat-up, expand quicker than the outer of the engine and things get really noisy really quickly).
Realising that he wasn't getting 100% thrust, the pilot decided that he was going to have to land anyway, so changed his mind in a hurry, and got the plane onto the runway. Sometime around now, with the engines up to nominal temp and with the throttle still at 100% (Oops 2), ramped up the trust to the max. Plane shot down the runway like a bat out of hell, overshot and went into a forest.
They scrambled a helicopter to locate the plane as it was a bit hard to follow the random path through the trees. The investigation could not interview the flight crew and reconstructed evens from the flight recorders, radar records, positions of controls, etc. We were asked to retrieve whatever we could from the built-in records in our unit. The unit does a built-in-test (BIT) every time at start-up, a fuller BIT when commanded, and some periodic on-going checking during normal use. Also any anomalies are recorded - all done to identify possible faults for maintenance.
The box was a bit of a mess as I said earlier. The E² (effectively flash that is erased byte at a time instead of page at a time) dies were taken to the manufacturer who had a nice test set-up that could probe directly on the bond-pads. Can't remember which manufacturer it was, but it's likely that they don't exist by that name anymore and have been bought and assimilated so many times it would be difficult to find out. Anyway, the data was read-out of the die, and for speed was copied into a new chip and plugged into an engineering unit to read-out the logs. Separately, a manual search was done through the raw data to confirm that nothing was missed by the log read-out.
<snip>
"And yes, we used long-nosed pliers :)"
A multifunction tool if ever there was one.
I once worked on a Yugoslavian Airlines crash in Corsica. We had to climb mountains to get to the bodies and then bag up the remains. It was heartbreaking work but fortified by an unlimited supply of wine it was bearable.
"We do repairs on a large number of phones running all the phone systems, iOS, Android, Windows and Blackberry, almost all have pictures on, I don't think we have found quite the ratio as these researchers though."
Which directly implies that you search for and examine the photos on any phones which you repair?
It is of course well known that this happens. What's not so well known is how often other information gets copied off.
So best to wipe the phone before you get it repaired.
Oh, the fault that needs repairing prevents you from wiping the phone? Looks like you have problems.
<snip>
"Android has this in the settings menu, under privacy for some older models and under settings, back up and reset on newer kit"
<snip>
I am sorry but an Android factory reset does not get rid of all data. It tends to obfuscate most of it and a person with a modicum of recovery knowledge can get the data back.
The same goes for the other phones, slabs computers etc.
I am fully conversant with DOD standards for wiping data and have spent many's an amusing hour playing with Encase and the like finding out what certain people were up to and in my considered opinion I would recommend wiping everything with specialised software and once that is done gently place the device on a flat surface and destroy the bugger with a huge big hammer. Extreme prejudice.
I have recovered all sorts of data from storage devices and have even worked once in a fridge (the temperature difference caused the drive heads to shift a fraction making the drive readable ) on a laptop that had been thrown out of a window.
Be smart and use your huge big tool (1.), software can't be trusted.
1. Hammer OD, for the use of.
Errr.... and how do you propose to sell the phone after that?
I would log off from my email account, do a factory reset. Then, after making sure the memory is almost empty (OS excepted), I would leave it to shoot videos of my wall till it was full again. Could even be bothered to change my email password on my laptop afterwards.
Since the most sensitive stuff I have on my phone is pretty much my email access, that should be good enough. Even if you got in, you wouldn't see that much more incriminating stuff because I keep it the heck off my easily misplaced/stolen phone. No banking happens on it, for example.
Now, if I was doing DoD stuff, then that might be different, but I don't have any Bond delusions myself.
<snip>
"Now, if I was doing DoD stuff, then that might be different, but I don't have any Bond delusions myself."
Why would one want to sell a phone on? Perhaps I am lucky in that I have never been that short of cash. Any personal data of mine is put beyond recovery or stored under my control. Not Bond delusions but military and I.T. security best practice. In the event that you do not care about your data then pass it on, if you do, be aware that it can be recovered fairly easily and cut your cloth accordingly.
Well, my example would be the iPhones I've previously sold when replacing them with a newer version. I generally get between £250 and £325. What better reason for not destroying it ? And yes, I've always used Apple's method of completely clearing the memory first. which is to overwrite several times with 1's and 0's.
Like I said there is very little on that phone that is sensitive in the first place. Which, imho, is best practice. A big chunk of your risk is while you own it, not after disposal. I don't have an overwhelming need to bank on mobile for example. Sexy pics? A rather dumb move regardless of medium.
Now, your needs may differ but I don't want to landfill mine, more an issue than the $ profit. And, if you pass it on rather than sell it, how does change anything and who's to say it doesn't end up on Craigslist later?
Hammers? Great for some users but a thorough wipe, not just a reset, will cover 90% of the rest. Research your own recipe, carry it out and rest assured there are plenty of much lower hanging fruits to be picked, as per article.
"JLV's idea above, about shooting video of a blank wall to quickly fill up the storage and overwrite deleted data is the best idea I've seen so far."
All well and good but because this is based on coercivity a shadow is left beneath, a ghost as it were and it can be dived for and retrieved, DOD rules demand that it is over written many times by ones and zeros, even then it can still remain as a distant shadow.
"Unless you're well off enough to destroy every phone you've owned, of course."
I have never had to sell one.I am in my Southern European lair and have a lot of laptops here that are about a year to 3 years old. In the event someone wants one then they will have to buy a hard drive and can have the laptop for free. All the drives are in the garage in a safe and when I am of a mind to do it they will join Luca Brazi on my next diving trip.
Not paranoid but have a system and stick by it.
Because a "Factory Reset" from the recovery menu skips the camera's default directory.
I just did a wipe on an Android tablet yesterday. The user had ignored the "memory full" errors and there wasn't enough free memory left for the tablet to start. It wouldn't boot far enough to connect via USB, either. So, I wiped it. The camera pics were still there after rebooting.
I use a 3rd party app on my mac (Android File Transfer FWIW) for loading and unloading files. It gives a browser like view of everything on the phone (which, btw is rooted). If I wanted to sell my phone, I'd do a factory reset then check what was left and remove it with AFT.