If you forget to WIPE your old phone, your data is a sitting duck

Over the last year, the big 4 US mobile carriers — Verizon, AT&T, T-Mobile, and Sprint — have all introduced shiny new programs allowing users to upgrade their cell phones much sooner than the standard two-year cycle, and to do it quite affordably.

The biggest takeaway of these programs? More new phones = more old phones. The EPA estimated that in 2010, 152 million mobile phones were thrown away, with only 17.4 million being recycled. Since then, the secondary market for used cell phones has boomed, with big-box stores offering buy-back programs and a multitude of online options luring those looking to cash in.

Whether an old phone is donated, sold or recycled, one crucial step of this process is often overlooked: securely “wiping,” or deleting, the personal data contained on the old device. Most phones have a 'Factory Reset' option that allows the phone to be reset to its original factory settings — however, as a recent experiment by security software company Avast demonstrated, that doesn’t always do the trick.

Avast purchased 20 different phones on eBay and put some of their off-the-shelf data recovery and forensics tools to work to see what they could dig up. From those 20 phones, Avast recovered 40,000 photos — including 1,500 family photos with children and hundreds of embarrassing pornographic images — 750 emails, 250 contacts with names and addresses, SMS and chat messages, and even private financial and legal documents.

How was this possible? Wiping a device often means only cleaning a device at the application layer, or rearranging where the data is stored, not necessarily deleting it. Apple was quick to point out that all of the phones in the Avast study were Android devices (iPhones overwrite encryption keys, not just data, when wiped and reset), and BlackBerry has relied on its own trusty secure wipe tool for years. But many of the secure-wipe apps offered through Google Play for the Android platform come with “we cannot guarantee that all free space will be sanitized” disclaimers. However, software has been available for public purchase for several years that allows recovery of images and data from an iPhone even when the passcode is not known and the iPhone has been reset.

So how can you more vigilantly delete data on an old device?

• Pursue all channels of smartphone security while you’re using it so they will be in place when you decide to get rid of it. In May, a Consumer Reports study revealed that 36% of users set a screen lock with a 4-digit PIN; 29% backed up their data; 22% installed phone-location software; 14% installed a mobile security or antivirus app; 8% installed software that could erase their phone’s content; 7% used security features other than screen lock — and 34% took none of those security measures. Almost all of these options are free and easy to implement, but if you need help, call in a trusted IT service provider.

• Once you’re ready to sell, recycle, or donate, remove your SIM card (and micro SD card, if your phone has one). Most data is kept in internal storage, but some contacts or call logs can end up on these cards. It’s common practice for anyone buying or refurbishing a used cell phone to supply their own new SIM or micro SD cards before using, so there’s no need to risk the security of your data by leaving the old one in.

• On iPhones, use the Default Erase Setting — on Androids, encrypt your phone manually, and then erase. Apple’s Default Erase setting uses hardware encryption to scramble your phone’s specific key, while on the Android platform, this step must be done manually. This Lifehacker story from October 2013 explains both processes in great detail.

• Rely on a trusted IT service provider to keep up with evolving best practices and tools for mobile security. The landscape surrounding the privacy of cell phone data keeps shifting; in June, the US Supreme Court ruled that police must get a search warrant before delving into the contents of a person’s phone, so, for all intents and purposes, that data is now considered sacrosanct.
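The difference between a reset that only forgets where data lives and an encrypt-then-erase can be seen in a small model. This is an added example, not code from the article or from Avast: `ToyPhone`, `xor_at` and the sample "photos" are hypothetical and constructed, and the SHA-256 keystream is only a stand-in for real device encryption.

```python
import hashlib
import os

SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end markers

def xor_at(key: bytes, offset: int, data: bytes) -> bytes:
    """Toy keystream cipher (assumption: stand-in for real storage encryption)."""
    out = bytearray()
    for j, b in enumerate(data):
        pos = offset + j
        ks = hashlib.sha256(key + (pos // 32).to_bytes(8, "big")).digest()
        out.append(b ^ ks[pos % 32])
    return bytes(out)

class ToyPhone:
    """Hypothetical model: raw flash plus a file index."""
    def __init__(self, encrypted: bool):
        self.flash = bytearray()
        self.index = {}  # name -> (offset, length)
        self.key = os.urandom(32) if encrypted else None

    def save(self, name: str, content: bytes) -> None:
        offset = len(self.flash)
        at_rest = xor_at(self.key, offset, content) if self.key else content
        self.index[name] = (offset, len(content))
        self.flash.extend(at_rest)

    def factory_reset(self) -> None:
        # Models a reset that forgets where files are and discards the key,
        # but never overwrites the flash itself.
        self.index.clear()
        self.key = None

def carve_jpegs(image: bytes) -> list:
    """What a recovery tool does: ignore the index, scan raw bytes for markers."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        end = image.find(EOI, start)
        if end == -1:
            break
        found.append(image[start:end + 2])
        pos = end + 2
    return found

# Constructed sample data, not real files.
PHOTOS = [SOI + b"\xe0constructed-photo-%d" % i + EOI for i in (1, 2)]

def recover_after_reset(encrypted: bool) -> list:
    phone = ToyPhone(encrypted)
    phone.save("a.jpg", PHOTOS[0])
    phone.save("contacts.db", b"constructed contact list")
    phone.save("b.jpg", PHOTOS[1])
    phone.factory_reset()
    return carve_jpegs(bytes(phone.flash))
```

`recover_after_reset(False)` returns both photos intact, while `recover_after_reset(True)` finds neither, because what remains on the flash is ciphertext whose key no longer exists.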

The technology surrounding data encryption will surely continue to evolve — wouldn’t you like to leave your worries about it to someone invested in the industry? Smart business owners concentrate on building their companies and caring for clients — and leaving IT worries to a partner they can trust. 

If you have security questions, call us at Rethink Associates to leverage our expertise and knowledge to help provide you with security solutions that won't leave your data "exposed."