
Old Smartphones Leave Tons Of Data For Digital Dumpster Divers

A recent forensics examination shows how much information is left behind after smartphones are tossed in the discard pile

A recent exploration by a digital forensics company into a handful of phones found in the smartphone secondary market showed how easy it is to glean information from old or lost phones, even after a factory reset has been performed. Today an expert from AccessData gave Dark Reading the skinny on the findings of his informal research and explained some of the repercussions for both corporations and consumers who don't pick, manage, or dispose of their phones wisely.

"I buy a lot of recycled phones and there is tons of data still on them," says Lee Reiber, director of mobile forensics for AccessData. "I'd guess if you went and grabbed 10 phones [from recycling companies], 60 percent of those are going to contain data still."

Reiber says that at the behest of a customer interested in the data lingering on phones sold by used phone resellers and consumers using Craigslist and eBay, he used AccessData's tools to do an in-depth forensics dive into five handsets acquired from this secondary market. The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero. Of those five, the iPhone and the old Sanyo had not been reset and contained what Reiber called logical data -- things like active account sign-ons, contacts, and calendar information easily usable by any person who turns on the phone.

Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included information that would take someone with forensics tools and knowledge to extract from more hidden storage locations.

"All five of them had some way to identify at least the location where the device came from, whether that was the phone serial number and the old phone number," he says. "Four of the five when we started looking at them further could actually identify a person or a location. The only phone we could tie to a person or account information would be the LG Optimus."

Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume.

"For one of the Android devices we looked at, because everything is location-based right now, I could find where they were while surfing through the browser," he says. "So I could plug the latitude and longitude I found on the phone into the browser and pull up a street view of someone's house."

Even the old clamshell Sanyo, a phone that Reiber believes most people wouldn't suspect of containing much sensitive information, had account log-in information for Yahoo that was still saved as the default within the forms and which Reiber used to log into Yahoo as the phone's former owner.


The digital dumpster-dive Reiber was able to successfully complete highlights the challenge many organizations face today as smartphones access more and more sensitive corporate data.

"Smartphones and, increasingly, tablets are high on the list of problem devices for businesses concerned about exposures. These devices are now capable of storing very large amounts of sensitive data, yet security often lags a long way behind widespread adoption in businesses," says Geoff Webb, senior product marketing manager for Credant Technologies. "This is especially complicated for many organizations as the phones and tablets may actually belong to the end user as more and more people bring their own devices to work. As a result, enforcement of security policies, and keeping track of sensitive data, is becoming complex and fraught with potential legal pitfalls."

One of the most obvious issues that this study points out is the difficulty organizations might face in ensuring data on their smartphones is completely destroyed upon retirement of the device, whether it is owned by the consumer or the organization. It isn't a problem with an easy solution, and it is complicated by the fast rate of obsolescence in this market compared to PCs and laptops.

"The rapid churn of these devices, along with lack of uniform standards to secure and manage devices belonging to different ecosystems, can quickly become an IT and compliance nightmare for enterprises," says Amit Sinha, CTO at Zscaler.

Just as any good digital forensics guy would tell you, Reiber warns that the only reliable method of destroying smartphone data is with a hammer. That makes a discarded phone a potential goldmine for those looking to snoop on users or steal information.

"I would rather have someone's mobile device than their PC or their laptop if I wanted to find out anything and everything about that person. Because what don't you do on your mobile device?" he says. "You would text things and you would take pictures of things that you wouldn't want your mother to see, but you have it on your mobile device. You do all of your banking, you send information, you log into accounts much more frequently on a mobile device than you would on a laptop."

Because a hammer may not be feasible within the typical corporate asset management program, some methods of risk mitigation are in order. The first order of business for organizations, he says, is to really take a look at which devices they're using. Organizations would do well to test how thoroughly factory resets and remote wipes destroy data on candidate phone models before giving them the rubber stamp of approval.

"It's really dependent on the make and model of the phone. I think they need to be much more diligent on the devices they are selecting to bring into the corporate environment," he says. "And I think in the corporate world we're kind of running a risk of allowing users to connect to our sensitive information with personal devices."
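
One way to run the reset test recommended above, as an added example that is not from the article or from AccessData's tools: plant unique marker strings on a test handset before the factory reset, acquire a raw image afterwards, and scan it for markers that survived. The marker format, the device tag and the sample image are constructed for illustration, and acquiring the image is assumed to be done with a separate forensic tool.

```python
"""Wipe-verification sketch: scan a raw post-reset image for planted canaries."""
import hashlib
import io

def make_canaries(device_tag, count=3):
    """Derive unique ASCII markers to plant (contact, SMS, file) before the reset."""
    return ["WIPETEST-" + hashlib.sha256(f"{device_tag}:{i}".encode()).hexdigest()[:16]
            for i in range(count)]

def scan_image(stream, canaries, chunk=1 << 20):
    """Return {canary: [byte offsets]} for markers still present in the image.

    Each marker is searched as UTF-8 and UTF-16LE, since app databases may
    store text either way. An overlap is carried between reads so a marker
    split across a chunk boundary is still found.
    """
    needles = {}
    for c in canaries:
        needles[c.encode("utf-8")] = c
        needles[c.encode("utf-16-le")] = c
    overlap = max(len(n) for n in needles) - 1
    hits = {c: set() for c in canaries}
    tail, base = b"", 0                      # base = image offset of buf[0]
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = tail + block
        for needle, name in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                hits[name].add(base + pos)   # set() drops re-finds in the overlap
                pos = buf.find(needle, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return {c: sorted(o) for c, o in hits.items() if o}

def demo():
    """Constructed 'post-reset image': zero fill plus two leftover markers."""
    c = make_canaries("lab-handset-01")      # hypothetical device tag
    img = bytearray(4096)
    for off, raw in ((1020, c[0].encode()), (3000, c[1].encode("utf-16-le"))):
        img[off:off + len(raw)] = raw        # 1020 straddles the 1024-byte read boundary
    return c, scan_image(io.BytesIO(bytes(img)), c, chunk=1024)

if __name__ == "__main__":
    print(demo()[1])
```

An empty result only shows that these markers are gone from the regions the acquisition covered; any hit means that model's reset leaves recoverable data behind.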

User Rank: Apprentice
2/7/2012 | 10:31:35 AM
re: Old Smartphones Leave Tons Of Data For Digital Dumpster Divers
Dumpster Drive is a file-sharing application that recycles digital files.
User Rank: Ninja
1/22/2012 | 6:33:58 PM
re: Old Smartphones Leave Tons Of Data For Digital Dumpster Divers
Underscores the importance of paying attention to the data life cycle. If your organization gets rid of the phone, make sure it's wiped.
Brian Prince, InformationWeek/Dark Reading Comment Moderator