
Old Smartphones Leave Tons Of Data For Digital Dumpster Divers

A recent forensics examination shows how much information is left behind after smartphones are tossed in the discard pile

A recent exploration by a digital forensics company into a handful of phones found in the smartphone secondary market showed how easy it is to glean information from old or lost phones, even after a factory reset has been performed. Today an expert from AccessData gave Dark Reading the skinny on the findings from his informal research and explained some of the repercussions for both corporations and consumers who don't pick, manage, or dispose of their phones wisely.

"I buy a lot of recycled phones and there is tons of data still on them," says Lee Reiber, director of mobile forensics for AccessData. "I'd guess if you went and grabbed 10 phones [from recycling companies], 60 percent of those are going to contain data still."

Reiber says that at the behest of a customer interested in the data lingering on phones sold by used phone resellers and consumers using Craigslist and eBay, he used AccessData's tools to do an in-depth forensics dive into five handsets acquired from this secondary market. The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero. Of those five, the iPhone and the old Sanyo had not been reset and contained what Reiber called logical data -- things like active account sign-ons, contacts, and calendar information easily usable by any person who turns on the phone.

Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included information that would take someone with forensics tools and knowledge to extract from more hidden storage locations.

"All five of them had some way to identify at least the location where the device came from, whether that was the phone serial number and the old phone number," he says. "Four of the five when we started looking at them further could actually identify a person or a location. The only phone we could tie to a person or account information would be the LG Optimus."

Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume.

"For one of the Android devices we looked at, because everything is location-based right now, I could find where they were while surfing through the browser," he says. "So I could plug the latitude and longitude I found on the phone into the browser and pull up a street view of someone's house."

Even the old clamshell Sanyo, a phone that Reiber believes most people wouldn't think twice about containing too much sensitive information, had account log-in information for Yahoo that was still defaulted within the forms and which Reiber used to log into Yahoo as the former phone's owner.


The digital dumpster-dive Reiber was able to successfully complete highlights the challenge many organizations face today as smartphones access more and more sensitive corporate data.

"Smartphones and, increasingly, tablets are high on the list of problem devices for businesses concerned about exposures. These devices are now capable of storing very large amounts of sensitive data, yet security often lags a long way behind widespread adoption in businesses," says Geoff Webb, senior product marketing manager for Credant Technologies. "This is especially complicated for many organizations as the phones and tablets may actually belong to the end user as more and more people bring their own devices to work. As a result, enforcement of security policies, and keeping track of sensitive data, is becoming complex and fraught with potential legal pitfalls."

One of the most obvious issues that this study points out is the difficulty organizations might face in ensuring data on their smartphones is completely destroyed upon retirement of the device, whether it is owned by the consumer or the organization. It isn't a problem with an easy solution, and it is complicated by the fast rate of obsolescence in this market compared to PCs and laptops.

"The rapid churn of these devices, along with lack of uniform standards to secure and manage devices belonging to different ecosystems, can quickly become an IT and compliance nightmare for enterprises," says Amit Sinha, CTO at Zscaler.

Just as any good digital forensics guy would tell you, Reiber warns that the only reliable method of destroying smartphone data is with a hammer. That makes a discarded phone a potential goldmine for those looking to snoop on users or steal information.

"I would rather have someone's mobile device than their PC or their laptop if I wanted to find out anything and everything about that person. Because what don't you do on your mobile device?" he says. "You would text things and you would take pictures of things that you wouldn't want your mother to see, but you have it on your mobile device. You do all of your banking, you send information, you log into accounts much more frequently on a mobile device than you would on a laptop."

Because a hammer may not be feasible within the typical corporate asset management program, some methods of risk mitigation are in order. The first order of business, he says, is for organizations to really take a look at which devices they're using. Organizations would do well to test how thoroughly factory resets and remote wipes destroy data on potential phone models before giving the rubber stamp of approval.

"It's really dependent on the make and model of the phone. I think they need to be much more diligent on the devices they are selecting to bring into the corporate environment," he says. "And I think in the corporate world we're kind of running a risk of allowing users to connect to our sensitive information with personal devices."
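One way to run the reset test suggested above, as an added example that is not from the article or from AccessData: seed a test handset with unique canary strings, perform the reset, then scan a raw image of its storage for any canary that survived. The canary values, function names, and the assumption that the image has already been acquired with the organization's own forensic tooling are all hypothetical.

```python
import io

# Constructed canary strings: seed them on a test handset (contact, SMS, note)
# before running the reset or remote wipe under evaluation.
CANARIES = ["WIPETEST-CONTACT-7f3a", "WIPETEST-SMS-91bc"]

def scan_image(stream, canaries, chunk_size=1 << 20):
    """Return sorted (offset, canary, encoding) hits from a raw image stream."""
    needles = [(c, enc, c.encode(enc)) for c in canaries
               for enc in ("utf-8", "utf-16-le")]
    overlap = max(len(n) for _, _, n in needles) - 1
    hits, tail, base = set(), b"", 0  # base is the image offset of tail[0]
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        window = tail + block
        for canary, enc, needle in needles:
            pos = window.find(needle)
            while pos != -1:
                hits.add((base + pos, canary, enc))
                pos = window.find(needle, pos + 1)
        # Carry the last bytes forward so a canary split across reads is found.
        keep = min(overlap, len(window))
        base += len(window) - keep
        tail = window[len(window) - keep:]
    return sorted(hits)

def survivors(hits):
    """Group hits by canary; an empty dict means no seeded data was recovered."""
    found = {}
    for offset, canary, enc in hits:
        found.setdefault(canary, []).append((offset, enc))
    return found

def build_sample_image():
    """Constructed 4 KiB stand-in for a post-reset image with two leftovers."""
    img = bytearray(4096)
    a = CANARIES[0].encode("utf-8")
    b = CANARIES[1].encode("utf-16-le")
    img[1015:1015 + len(a)] = a
    img[3000:3000 + len(b)] = b
    return bytes(img)

if __name__ == "__main__":
    hits = scan_image(io.BytesIO(build_sample_image()), CANARIES, chunk_size=512)
    for canary, where in survivors(hits).items():
        print(f"FAIL: {canary} recovered at {where}")
```

A clean result only shows that these plaintext encodings were not found. On a model that encrypts or compresses user data, the seeded strings would not appear in a raw image either way, so record how the image was acquired before treating zero hits as a pass.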

User Rank: Apprentice
2/7/2012 | 10:31:35 AM
re: Old Smartphones Leave Tons Of Data For Digital Dumpster Divers
Dumpster Drive is a file-sharing application that recycles digital files.
User Rank: Ninja
1/22/2012 | 6:33:58 PM
re: Old Smartphones Leave Tons Of Data For Digital Dumpster Divers
Underscores the importance of paying attention to the data life cycle. If your organization gets rid of the phone, make sure it's wiped.
Brian Prince, InformationWeek/Dark Reading Comment Moderator