
Risk

12/15/2011
07:59 PM

Old Smartphones Leave Tons Of Data For Digital Dumpster Divers

A recent forensics examination shows how much information is left behind after smartphones are tossed in the discard pile

A recent exploration by a digital forensics company into a handful of phones bought on the smartphone secondary market showed how easy it is to glean information from old or lost phones, even after a factory reset has been performed. Today an expert from AccessData gave Dark Reading the skinny on his findings from this informal research and explained some of the repercussions for both corporations and consumers who don't pick, manage, or dispose of their phones wisely.

"I buy a lot of recycled phones and there is tons of data still on them," says Lee Reiber, director of mobile forensics for AccessData. "I'd guess if you went and grabbed 10 phones [from recycling companies], 60 percent of those are going to contain data still."

Reiber says that at the behest of a customer interested in the data lingering on phones sold by used phone resellers and consumers using Craigslist and eBay, he used AccessData's tools to do an in-depth forensics dive into five handsets acquired from this secondary market. The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero. Of those five, the iPhone and the old Sanyo had not been reset and contained what Reiber called logical data -- things like active account sign-ons, contacts, and calendar information easily usable by any person who turns on the phone.

Even though all of the Android phones had been wiped through a factory reset, four of the five phones still held information that someone with forensics tools and know-how could extract from less accessible storage locations.

"All five of them had some way to identify at least the location where the device came from, whether that was the phone serial number and the old phone number," he says. "Four of the five when we started looking at them further could actually identify a person or a location. The only phone we could tie to a person or account information would be the LG Optimus."

Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume.

"For one of the Android devices we looked at, because everything is location-based right now, I could find where they were while surfing through the browser," he says. "So I could plug the latitude and longitude I found on the phone into the browser and pull up a street view of someone's house."

Even the old clamshell Sanyo, a phone Reiber believes most people wouldn't suspect of holding much sensitive information, still had Yahoo account log-in details pre-filled in its forms, which Reiber used to log into Yahoo as the phone's former owner.


The digital dumpster-dive Reiber was able to successfully complete highlights the challenge many organizations face today as smartphones access more and more sensitive corporate data.

"Smartphones and, increasingly, tablets are high on the list of problem devices for businesses concerned about exposures. These devices are now capable of storing very large amounts of sensitive data, yet security often lags a long way behind widespread adoption in businesses," says Geoff Webb, senior product marketing manager for Credant Technologies. "This is especially complicated for many organizations as the phones and tablets may actually belong to the end user as more and more people bring their own devices to work. As a result, enforcement of security policies, and keeping track of sensitive data, is becoming complex and fraught with potential legal pitfalls."

One of the most obvious issues that this study points out is the difficulty organizations might face in ensuring data on their smartphones is completely destroyed upon retirement of the device, whether it is owned by the consumer or the organization. It isn't a problem with an easy solution, and it is complicated by the fast rate of obsolescence in this market compared to PCs and laptops.

"The rapid churn of these devices, along with lack of uniform standards to secure and manage devices belonging to different ecosystems, can quickly become an IT and compliance nightmare for enterprises," says Amit Sinha, CTO at Zscaler.

As any good digital forensics practitioner would tell you, Reiber warns that the only reliable method of destroying smartphone data is a hammer. That makes a discarded phone a potential goldmine for anyone looking to snoop on users or steal information.

"I would rather have someone's mobile device than their PC or their laptop if I wanted to find out anything and everything about that person. Because what don't you do on your mobile device?" he says. "You would text things and you would take pictures of things that you wouldn't want your mother to see, but you have it on your mobile device. You do all of your banking, you send information, you log into accounts much more frequently on a mobile device than you would on a laptop."

Because a hammer may not be feasible within the typical corporate asset management program, some methods of risk mitigation are in order. The first order of business, he says, is for organizations to take a hard look at which devices they're using. Organizations would do well to test how thoroughly factory resets and remote wipes destroy data on candidate phone models before giving them the rubber stamp of approval.
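One way to run that wipe test, as an added example that is not part of the article or of AccessData's tooling: plant unique canary values on the handset before the reset, take a raw image of its storage afterward, and scan the whole image rather than the live file system. The sample image, canary strings and function names below are constructed for illustration.

```python
"""Verify that a factory reset or remote wipe actually destroyed seeded data.
Residual data in unallocated or hidden storage is what forensics tools
recover, so the scan runs over the raw image, not the mounted file system."""
import tempfile

def find_canaries(image_path, canaries, chunk=1 << 20):
    """Return {canary: [offsets]} for every canary found in the raw image.
    Windows overlap by len(longest canary)-1 bytes so a canary straddling
    a chunk boundary is still caught; offsets are deduplicated."""
    longest = max(len(c) for c in canaries)
    hits = {c: [] for c in canaries}
    pos, carry = 0, b""
    with open(image_path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            window, base = carry + data, pos - len(carry)
            for c in canaries:
                i = window.find(c)
                while i >= 0:
                    off = base + i
                    if off not in hits[c]:  # seen already in the overlap?
                        hits[c].append(off)
                    i = window.find(c, i + 1)
            carry = window[-(longest - 1):] if longest > 1 else b""
            pos += len(data)
    return hits

def wipe_verdict(hits):
    """'PASS' if no canary survived, else 'FAIL' plus what leaked and where."""
    leaked = {c.decode(): offs for c, offs in hits.items() if offs}
    return ("FAIL" if leaked else "PASS"), leaked

# Constructed sample image (not a real handset dump): 16 KiB of zero
# filler with canaries planted at offsets 100, 4090 and 9000; the copy at
# 4090 straddles a 4096-byte chunk boundary on purpose.
CONTACT = b"CANARY-CONTACT-7f3a9c"
LOGIN = b"CANARY-LOGIN-user@example.invalid"
SMS = b"CANARY-SMS-deleted"  # planted nowhere: simulates a wiped item

def build_sample_image():
    buf = bytearray(16 * 1024)
    for off, c in ((100, CONTACT), (4090, CONTACT), (9000, LOGIN)):
        buf[off:off + len(c)] = c
    path = tempfile.NamedTemporaryFile(delete=False, suffix=".img").name
    with open(path, "wb") as f:
        f.write(buf)
    return path
```

On a real device the image comes from the handset's storage via the vendor's or a forensics tool's raw dump; a single surviving canary is a FAIL for that make and model.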

"It's really dependent on the make and model of the phone. I think they need to be much more diligent on the devices they are selecting to bring into the corporate environment," he says. "And I think in the corporate world we're kind of running a risk of allowing users to connect to our sensitive information with personal devices."


Comments

Sabrina, User Rank: Apprentice, 2/7/2012 | 10:31:35 AM
re: Old Smartphones Leave Tons Of Data For Digital Dumpster Divers
Dumpster Drive is a file-sharing application that recycles digital files.
Bprince, User Rank: Ninja, 1/22/2012 | 6:33:58 PM
re: Old Smartphones Leave Tons Of Data For Digital Dumpster Divers
Underscores the importance of paying attention to the data life cycle. If your organization gets rid of the phone, make sure it's wiped.
Brian Prince, InformationWeek/Dark Reading Comment Moderator