Recently, a digital forensics company conducted an investigation and found that it is very easy to obtain sensitive information from old smartphones that are either sold as used or thrown away. This was true even if the previous owner had used the factory reset.
The forensics company, Access Data, provided more details on what they found in an interview. In their estimate, 1 out of every 10 phones that have been recycled, resold or thrown away still contains data. The company did an in-depth digital forensics review of 5 randomly selected smartphones that were purchased on the secondary or used market. The phones varied by manufacturer and included an iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus and an HTC Hero. Of the 5 that were reviewed, 2 had not been reset to the default factory settings. These two phones contained information on active account IDs and passwords, contacts, and calendar information, all very easy to locate.
All of the Android phones had been wiped, but four of the five phones included information that was still extractable with the right knowledge and tools. The company noted that all 5 of the used phones had some way to identify the location where the device came from, either via the serial number or the old telephone number. With four of the five, the previous owner could easily be identified. Some of the data that was extracted included user account information, Social Security numbers, geo-location tags, deleted text messages and even a resume.
The forensic experts were able to use the geo-tags to get an exact latitude and longitude for the previous owner and find the street view of their home. Another phone revealed a Yahoo email account, which the experts were able to log into via the handset using the preset IDs and passwords.
Access Data noted that smartphones and tablets have fast become a nightmare not only for individuals but also for businesses that are concerned about data breaches. Even though these devices cannot store a great deal of information, they still contain very sensitive data that can be used to access more and more data and information, especially since the public at large and the business community have not adopted security measures for their mobile devices.
This is particularly troublesome for a business that has employees who use their own personal mobile devices to access the company’s network. It is one thing for a company to attempt to wipe a company-owned asset of all data. However, it is very difficult for a company to ensure that an employee has wiped their mobile device before disposing of it, whether via the trash, resale or recycling. This is compounded by the rapid churn of devices, driven by incentives from the carriers or by advances in technology that lure individuals to upgrade their device to the next best thing.
Organizations need to put a plan in place to address the best way to delete data before a device is replaced and to work with their employees to have their old devices wiped before they are disposed of in the secondary market. Measures such as USB encryption will help to deter data breaches.