"I buy a lot of recycled phones and there is tons of data still on them," says Lee Reiber, director of mobile forensics for AccessData. "I'd guess if you went and grabbed 10 phones [from recycling companies], 60 percent of those are going to contain data still."
Reiber says that at the behest of a customer interested in the data lingering on phones sold by used phone resellers and consumers using Craigslist and eBay, he used AccessData's tools to do an in-depth forensics dive into five handsets acquired from this secondary market. The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero. Of those five, the iPhone and the old Sanyo had not been reset and contained what Reiber called logical data -- things like active account sign-ons, contacts, and calendar information easily usable by any person who turns on the phone.
Even though all of the Android phones had been wiped through a factory reset, four of the five phones still held information that someone with forensics tools and know-how could extract from less accessible storage locations.
"All five of them had some way to identify at least the location where the device came from, whether that was the phone serial number and the old phone number," he says. "Four of the five when we started looking at them further could actually identify a person or a location. The only phone we could tie to a person or account information would be the LG Optimus."
Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume.
"For one of the Android devices we looked at, because everything is location-based right now, I could find where they were while surfing through the browser," he says. "So I could plug the latitude and longitude I found on the phone into the browser and pull up a street view of someone's house."
Even the old clamshell Sanyo, a phone Reiber believes most people wouldn't suspect of holding much sensitive information, still had Yahoo log-in credentials prefilled in its forms; Reiber used them to log into Yahoo as the phone's former owner.
The digital dumpster-dive Reiber was able to successfully complete highlights the challenge many organizations face today as smartphones access more and more sensitive corporate data.
"Smartphones and, increasingly, tablets are high on the list of problem devices for businesses concerned about exposures. These devices are now capable of storing very large amounts of sensitive data, yet security often lags a long way behind widespread adoption in businesses," says Geoff Webb, senior product marketing manager for Credant Technologies. "This is especially complicated for many organizations as the phones and tablets may actually belong to the end user as more and more people bring their own devices to work. As a result, enforcement of security policies, and keeping track of sensitive data, is becoming complex and fraught with potential legal pitfalls."
One of the most obvious issues that this study points out is the difficulty organizations might face in ensuring data on their smartphones is completely destroyed upon retirement of the device, whether it is owned by the consumer or the organization. It isn't a problem with an easy solution, and it is complicated by the fast rate of obsolescence in this market compared to PCs and laptops.
"The rapid churn of these devices, along with lack of uniform standards to secure and manage devices belonging to different ecosystems, can quickly become an IT and compliance nightmare for enterprises," says Amit Sinha, CTO at Zscaler.
As any good digital forensics practitioner would tell you, Reiber warns that the only reliable way to destroy smartphone data is with a hammer. That makes a discarded phone a potential goldmine for anyone looking to snoop on users or steal information.
"I would rather have someone's mobile device than their PC or their laptop if I wanted to find out anything and everything about that person. Because what don't you do on your mobile device?" he says. "You would text things and you would take pictures of things that you wouldn't want your mother to see, but you have it on your mobile device. You do all of your banking, you send information, you log into accounts much more frequently on a mobile device than you would on a laptop."
Because a hammer may not be feasible within a typical corporate asset management program, other risk mitigations are in order. The first order of business, he says, is to take a hard look at which devices the organization is using. Organizations would do well to test how thoroughly factory resets and remote wipes actually destroy data on candidate phone models before giving them the rubber stamp of approval.
"It's really dependent on the make and model of the phone. I think they need to be much more diligent on the devices they are selecting to bring into the corporate environment," he says. "And I think in the corporate world we're kind of running a risk of allowing users to connect to our sensitive information with personal devices."
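The data-remanence finding above (a reset that forgets the files but leaves their bytes in place, which is exactly what a forensic examiner then carves out) and the advice to test how thoroughly a reset destroys data before approving a model can both be shown with a small check. What follows is an added example, not AccessData's tooling or anything from the article: it models a toy flash image with one directory block and a handful of data blocks, plants canary strings and a constructed record holding a lat/long pair, deletes the files two ways, and then carves the raw image while ignoring the directory. The layout, function names, canary strings and sample contents are all invented for illustration; on a real handset the same idea means planting canaries, running the reset or remote wipe, imaging the storage, and searching the image for them.

```python
"""Wipe-verification check (added example; toy storage model, not a real phone)."""
import re
import struct

BLOCK_SIZE = 64                  # toy flash: block 0 = directory, rest = data
DATA_BLOCKS = 15
DIR_ENTRIES = 3
ENTRY_FMT = ">12sHH"             # name (NUL padded), first data block, byte length
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes; 3 entries fit in block 0

# Constructed canaries: plant these before the "wipe", hunt for them afterwards.
CANARIES = ["CANARY-SSN-000-00-0000", "CANARY-RESUME"]
# Anything that looks like a decimal lat/long pair, as a browser cache or photo tag might hold.
COORD_RE = re.compile(rb"(-?\d{1,2}\.\d{3,}),\s*(-?\d{1,3}\.\d{3,})")


def new_image() -> bytearray:
    return bytearray(BLOCK_SIZE * (1 + DATA_BLOCKS))


def _entries(img):
    """Yield (slot, offset, name, start_block, length) for every directory slot."""
    for i in range(DIR_ENTRIES):
        off = i * ENTRY_SIZE
        name, start, length = struct.unpack_from(ENTRY_FMT, img, off)
        yield i, off, name.rstrip(b"\0").decode(), start, length


def list_files(img):
    """What the phone's own UI would show: only files still in the directory."""
    return [name for _, _, name, _, _ in _entries(img) if name]


def write_file(img, name, data, start_block):
    """Store data in consecutive blocks from start_block and record it in a free slot."""
    if start_block * BLOCK_SIZE + len(data) > len(img):
        raise ValueError("data does not fit in the image")
    for _, off, existing, _, _ in _entries(img):
        if not existing:
            struct.pack_into(ENTRY_FMT, img, off, name.encode(), start_block, len(data))
            break
    else:
        raise ValueError("directory full")
    pos = start_block * BLOCK_SIZE
    img[pos:pos + len(data)] = data


def logical_delete(img, name):
    """A quick 'reset': forget the file, leave its bytes where they are."""
    for _, off, existing, _, _ in _entries(img):
        if existing == name:
            img[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
            return True
    return False


def secure_delete(img, name):
    """Overwrite every block the file occupied, then drop the directory entry."""
    for _, off, existing, start, length in _entries(img):
        if existing == name:
            nblocks = -(-length // BLOCK_SIZE)          # ceiling division
            pos = start * BLOCK_SIZE
            img[pos:pos + nblocks * BLOCK_SIZE] = bytes(nblocks * BLOCK_SIZE)
            img[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
            return True
    return False


def carve(img, canaries):
    """Ignore the directory and scan the raw bytes, as an examiner's tool would."""
    raw = bytes(img)
    found = {c for c in canaries if c.encode() in raw}
    coords = [(float(a), float(b)) for a, b in COORD_RE.findall(raw)]
    return found, coords


def demo():
    """Plant the same data twice, wipe it each way, and report what carving recovers."""
    outcome = {}
    for wipe in (logical_delete, secure_delete):
        img = new_image()
        # Constructed sample content: a text message and a cache record with a location.
        write_file(img, "sms.db", b"txt: my SSN is CANARY-SSN-000-00-0000", 1)
        write_file(img, "cache.dat", b"geo=12.3456, -65.4321 doc=CANARY-RESUME", 2)
        for name in list_files(img):
            wipe(img, name)
        found, coords = carve(img, CANARIES)
        outcome[wipe.__name__] = {
            "files": list_files(img),      # empty either way: the phone looks clean
            "canaries": sorted(found),     # survives only the logical delete
            "coords": coords,              # likewise
        }
    return outcome


if __name__ == "__main__":
    for method, result in demo().items():
        print(method, result)
```

Both deletions leave the file listing empty, so a phone checked only through its own interface looks clean; only the overwrite leaves nothing for the carver. Real storage is less tidy than this model: flash wear leveling can keep stale copies of a block that the file system believes it overwrote, which is why imaging the device after the reset and searching for the canaries is the test that matters, and why a reset that simply discards an encryption key can be the more thorough option where the platform supports it.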