Your old cell phone data can reemerge from the past to haunt you. Whether it's because sellers are lazy or naive, cast-off phones still contain troves of information about their former users. And as phones get smarter, they're ever more likely to hold bank account passwords, personal email, or private photographs that anyone with the right kind of motivation could exploit.
PCWorld's previous investigations have shown that people don't properly erase the data on their old computer hard drives before they dispose of their laptops and desktops, even when the data includes their own sensitive information and that of others. And consumers seem to be just as uninformed when it comes to eliminating the data on their old phones.
To see just how critical the problem is, we bought 13 Internet-capable phones from various sellers on eBay, small businesses, and flea-market stands in the San Francisco Bay Area. We found that 5 of the 13 phones still had information on them.
The first incompletely wiped phone we purchased from a reseller had call-duration data still on it--proving that some of your information, however anonymous, will remain on the phone even if you perform a proper factory reset. Another phone we bought from a company that claimed to specialize in cell phone recycling arrived with contact information, voicemail, and text messages on it. Two phones purchased from flea markets in Oakland, California, had considerable amounts of email, text messages, contact information, and photos on them; and one phone we bought from an individual still had email and contact information on it.
Wipe Your Phone and Check It Twice
Smartphones usually have at least two stores of memory: a SIM card, and the phone's internal memory. Many phones also have additional data stored on removable SD Card media. The SIM and SD cards had been removed from all the phones we purchased. But people seem to forget (or not know) about wiping the phone's internal memory. That's where we found data on the five phones that still contained some. Removing the SIM card stops the phone from communicating with the network, but doesn't erase the email and contact lists already on the phone.
One of the phones we acquired for this article was a Samsung BlackJack II purchased off eBay. The seller was Rebecca May-Cole, executive director for the Pennsylvania Behavioral Health and Aging Coalition. The phone had belonged to a temporary employee who worked under May-Cole doing outreach for senior depression and mental-health issues; when the employee's grant ended, May-Cole decided to sell the phone.
The phone arrived at PCWorld's office with the SIM card removed, but its internal memory contained email and contacts from the month before. Worse, the BlackJack II is a Windows-based phone, so when we hooked it up to a computer, we were able to access a few downloaded documents that weren't immediately visible on the phone's interface.
"Oh my gosh, how embarrassing," May-Cole groaned when I contacted her. "I took out the SIM card, which I thought deleted all the information off it, and I didn't even think to check out the phone before we sold it." In May-Cole's defense, that is how older feature phones used to work: The SIM card kept most of the contacts, text messages, and call history that supplied the phone's memory. But phone manufacturers have long been adding more and more internal memory to smartphones--which means that merely removing the SIM card does less and less to protect your information.
Of course, for each of the 13 phones, after we contacted the previous owner or seller, we offered to give the phone back to the original user or destroyed the information.
Don't Count on Companies to Wipe Your Data
One of the phones we bought was a Verizon LG Dare from G0g0gadgets, a subsidiary of a company called Access Computer Products based in Loveland, Colorado. When the phone arrived, it contained considerable amounts of data about the previous user, including several text messages with pictures of a couple kissing, and even one with a toddler and a message underneath that read "cute little baby cuz."
When we checked the phone's Electronic Serial Number with Verizon, the carrier reported that the phone had been listed as lost or stolen, even though G0g0gadgets' eBay listing did not mention a bad ESN. Even with a bad ESN, a cursory factory reset of the phone would have erased the previous owner's information.
Amanda Maes, a representative of G0g0gadgets, responded: "Our phones are supposed to be cleared; I'm not sure how that slipped through the cracks. I can look and see who tested these phones, and we can make sure things are done to our standards in the future." She also said that G0g0gadgets maintained about 600 listings on eBay at any one time and sold about 100 phones a day, and that the company employed two people to clear and refurbish the phones. Those two people were not available for comment, nor has the manager of the company returned our call asking for comment.
Such an egregious violation of the original owner's privacy is probably not as uncommon as you'd imagine. Negligence in handling old phones is easy to get away with because the barrier to entry in the tech-recycling business is fairly low: The business requires almost no overhead (all you need is a bunch of old phones and an eBay account) and provides relative anonymity, so it's no wonder that incompetent or apathetic resellers might jump on the "recycled phones" bandwagon and compromise your safety and the security of your personal information.
More-reputable companies such as Gazelle.com, a tech reseller based in Boston, know firsthand that people are careless with their information. Kristina Kennedy, a senior manager at Gazelle.com, says that 50 percent to 65 percent of phones that come to Gazelle's warehouse each day have the previous owner's information in them. To deal with that, the company trains its staff to perform a manual factory reset on each device that comes through the door, along with destroying any SIM cards and formatting SD Cards that may arrive with the devices. (For the record, we purchased a phone from Gazelle without the company's knowledge, and found it completely clean of information.)
PCWorld also bought two phones from Jason Mills, who runs a company called SoonerSoft out of his living room in Oklahoma. Mills receives thousands of used phones at a time, shipped to him from phone companies that pass the castoffs to him to wipe and resell. When we asked how many phones come to him with at least some of the previous user's data intact, he answered without hesitation: "Oh, probably 99 percent. People don't wipe their phones and they should--it's not smart. I get business phones with email that competitors would love to get their hands on--oil and gas companies, I got phones with information about lands and mineral rights."
People who don't know how to properly wipe a phone might assume that middlemen like Mills will wipe the phone as part of the reselling process. Clearly, however, not every phone dealer is as honest as Mills. And the fact that so many customers take such a nonchalant attitude toward clearing their phones before selling them to strangers means that there's a lot of low-hanging fruit for identity thieves and other people of dubious motives.
One critical thing to remember is that no regulatory body is forcing used-phone sellers to delete data. The National Institute of Standards and Technology, for instance, has issued only a guideline for wiping used phones. And although the Department of Defense has released a standard to wipe the hard drives of desktop computers, the DoD has no equivalent for smartphones. Unless you do your research, expecting another party to wipe your phone is like playing identity-theft roulette.
Your Smartphone Is an Accident Waiting to Happen
On a hot Saturday in Oakland, California, I wandered around the Coliseum flea market, passing stalls of fake MAC makeup and beat-up power tools, searching for used smartphones.
This particular Saturday I found what I was looking for almost immediately: a small table of BlackBerrys and Razrs of every color and shape, arranged neatly on an orange tablecloth.
As I was paying for a Samsung Rogue, I noticed a battered first-generation Motorola Droid. My heart skipped a beat: Three months before, my own Droid had been stolen, and all of the information with it. What if this phone was mine? Of course it wasn't, but I couldn't be sure until I haggled for it and brought it home. Just like the Rogue, this Droid had a drained battery; I wasn't even sure it would work if I did charge it up.
When I got home and charged the phones, I found so much information on both that I could have constructed an intricate portrait of each former owner's life in the month before the phone left their hands.
I had access to bank email, photos of family and friends, the nicknames the owners used for their parents--all for $60 and an afternoon at the flea market.
When I contacted the original owners of the phones, their stories were similar: The phones had been stolen, the owners desperately tried to get them back, and--not having installed a remote-wiping app--the owners had to accept the fact that their data was out in the wild. The owner of the Motorola Droid, Emily Smith, even remotely accessed her voicemail and found that the thief was using the phone as her own. But that knowledge couldn't help her get the phone back, and when I met up with Smith in San Francisco, she said that she switched from Android to an iPhone, because Apple's MobileMe would allow her to remotely lock her handset should it be stolen in the future. I returned the Droid to Smith. The owner of the Samsung Rogue was not able to meet up with me, and asked that we destroy the information on it.
Smith's story is a familiar one: A lot of people's phones are stolen, but as smartphones get smarter, the loss of data is going to become more disconcerting. When you lose a phone, you don't just lose your own information, but also contact details, photos with other people in them, and the messages that other people have sent you. Installing an app that can remotely lock and erase the information on your phone is a great way to prevent a devastating mistake.
That said, if someone really has it out for you, or is specifically looking to harvest personal data, all they really have to do is grab the phone and put it in a Faraday bag (made of a special material that inhibits all communication from the network to the phone, preventing any remote-wiping tools). Or, easier still, if you have a GSM-based phone that requires a SIM card to communicate with the network (think AT&T and T-Mobile), all the thief needs to do is remove the SIM card to prevent your remote-wiping app from destroying your information.
Information That Won't Come Off a Phone
Some types of phone information can't be wiped off even if you follow the instructions correctly.
The last phone we found information on was an HTC SMT5800 Windows-based smartphone sold to us by Jason Mills's SoonerSoft. Mills had done a complete factory reset of the phone, leaving no email or contacts behind. But deep in the phone's menu we found a 'call duration' option that listed the number of incoming and outgoing calls that the previous user had made in total hours and minutes.
"On some phones, call duration is not wipeable," Mills says. "They'll let you wipe the contacts and everything, but keep a list of call time so if the phone is resold, [a reseller] couldn't say this phone is refurbished or brand-new; they'd have to say it's used."
Admittedly, aggregate call duration isn't enough information to run a successful blackmail campaign, or commit identity theft. Nevertheless, if some trace of the phone's previous data remains visible to the naked eye, a talented forensics expert--or even just a really smart hobby hacker--could certainly retrieve some of the files that used to be on that particular phone. "You'd be shocked," notes Paul Henry, a security and forensics analyst, and owner of vNet Security. "The bottom line is that anything that appears on the phone is written on nonvolatile RAM, and literally, unless it's overwritten, it can exist forever."
Wiping a Phone vs. Forensically Wiping It
Even if you do everything right, and you wipe the phone exactly according to the directions, you might want to reconsider passing the handset along. "A phone is a lot like your PC: When you delete something, it's not actually gone. A skilled investigator can carve out specific items that he or she is looking for," says Christopher Shin, vice president of engineering for Cellebrite, a mobile forensics company.
Cellebrite has developed a vast repertoire of tools for various phone operating systems and hardware. The company's forensic products can retrieve information off of nearly 3500 mobile-device models, from iPhones to Garmin GPS systems.
Of course, Cellebrite offers its equipment only to law enforcement personnel, so it's not as if criminals are running around Smartphone Town with the key to the city. Consider, too, that it's actually considerably harder for a person with no hacking experience to recover deleted data on a phone than it is for that person to recover deleted data on a discarded hard drive, simply because so many different mobile operating systems exist, especially on feature phones from two or three years ago. And many of the phones being discarded today have proprietary operating systems that won't work with the free data-recovery software that you can download off the Internet with the click of a button.
That said, no smartphone--whether it's an Android device, a BlackBerry, or an iPhone--is impossible to forensically analyze, and not all of the experts who are analyzing phones are good guys. Shaun Hipgrave, managing director for Forensic Telecommunications Services, analyzes iPhones, and says that no matter what kinds of security Apple adds to the iPhone, hackers will crack it. "The hacking community doesn't do it for financial gains, they do it for intellectual stimulus," he says.
So how do you make sure your data is for your eyes only? First, always wipe your phone yourself before you sell it to another person or to a company. Every phone has a different process: Most models allow you to restore factory settings through the phone's menu, and many will require you to enter your phone's password once or many times over. To restore the phone correctly, check the manual, or do a Google search for a step-by-step video.
If you're really worried about unauthorized recovery of your data, BlackBerrys are a good choice: If you do a factory reset on the phone and don't touch it for 30 days, the memory will automatically reorganize, making it harder for hackers to carve out pieces of your data in a forensic analysis. iPhone apps such as iErase and Android apps like ShreDroid will write over deleted data on your handset with random 1s and 0s after you've conducted a factory reset.
None of these solutions are perfect, and information might still be available from your used phone regardless. So if you're especially paranoid, do as vNet Security's Paul Henry does with his old phones and those of his family: Take apart the phone, and use a hammer to break the memory chip into bits. Hey, you could probably get some money from the scrap metal.