I’ve been researching data wiping and security for several electrical recycling companies in the UK for the last five years, and one of the biggest concerns within the field was when software used by the police called forensic data retrieval was officially made available to the general public.
Software like Oxygen Forensic and AccessData allows anyone to recover data from phones and other mobile devices even after it has been deleted or undergone a factory reset.
For those who are unaware, 99 percent of all handsets sold to recycling companies are reused, not recycled in the “conventional” sense, making phone recycling a prime target for hackers using forensic data retrieval software. Here are the most concerning things that can be recovered from your phone using FDR software:
1. Images and videos
Even if you take a quick photo and delete it immediately after, along with all your other pictures and videos, it can be recovered.
What most people don’t know is that when you delete information from your phone or perform a factory reset, the data itself is not deleted: it remains in areas of the flash chip, the solid state memory. Factory resets only destroy the paths to the data. This is what allows forensic software users to re-establish their own pathways and retrieve the data.
A YouGov poll showed 26 percent of people (in the UK, at least) believe that manually deleting a piece of data completely removes it from the device, whereas 37 percent believe a factory reset is enough (neither will fully remove personal data).
A full removal of personal data is not possible using a device’s in-built factory reset or by re-flashing the operating system.
2. Bank details on apps
Despite banks doing their best to make smartphone banking as secure as possible, as long as a code or pin is required to access a customer’s details, they are susceptible to forensic recovery.
The flat information that can be retrieved from the solid state memory also includes passwords and cryptograms that have been used within the phone’s apps.
This actually applies to any app that has ever been installed on a mobile device, which is a worrying thought for people who have sold their old phones or unwanted upgrades. To make matters worse, recent EU data security regulations have pushed legislation making it the responsibility of the handset owner to wipe all their data, not the recyclers or phone buyers. Despite this possibly being one of the most absurd pieces of legislation in history, until it is revisited (which should be March 2014), mobile phone consumers have been forced into a subjugated position.
However, if you happen to live outside of Europe, you aren’t affected by this legislation.
3. SMS and email messages (sent and received)
This could apply to all messages involving SMS, email, Whatsapp, WeChat, instant messaging, Skype, and MMS logs that have ever been used on the phone.
The level of detail a hacker could undelete from your phone depends solely on the level of patience the hacker has. Forensic retrieval and the replacement of data pathways can be a laborious process because there are so many areas within the phone where the solid state memory can hide the flat data.
4. Web browsing history
Over the years, more people have been using their phones to search Google and browse the Internet. To accommodate that, smartphone technology has become more sophisticated. The downside to this is that the more complex and intricate something becomes, the more it can be exploited.
5. Geo-positioning and location sensors
If having access to your private photos, messages, and passwords wasn’t enough, another concerning bit of information a potential hacker can get their hands on is the smartphone’s position sensor history.
So whenever a smartphone user has gone to lunch with their friends and tagged them all in a Facebook status update, all this logged information can be salvaged.
This could lead to a hacker being able to discover a former phone owner’s home address or hangout spots.
Can it be avoided?
A military-standard data wipe is the only known way to properly erase not just the data paths but the data itself. There are many different terms for this kind of wipe, but it essentially works in a similar way to forensic retrieval software itself: it reforms the deleted pathways, but instead of recovering the data, it deletes it.
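The two mechanisms described above (deletion and factory reset only remove the paths to the data, while a proper wipe overwrites the data itself) can be shown with a small simulation. The following is an added example, not code from the original article or from any vendor it names: it models a toy flash image with a directory of file paths, “deletes” a constructed JPEG-like file by removing its directory entry, recovers it by carving for JPEG start and end markers, and then shows that an overwrite wipe leaves nothing to carve. The block size, file names and markers are assumptions chosen for the demonstration, and the image is far simpler than a real phone file system.

```python
"""Toy flash image: deleting or 'factory resetting' only drops directory
entries, so the file bytes stay carvable until they are overwritten.
Constructed example; not a model of any real phone's storage."""
import os
from dataclasses import dataclass, field

BLOCK = 512                 # assumed block size for the simulation
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


@dataclass
class FlashImage:
    blocks: int
    data: bytearray = field(init=False)
    directory: dict = field(default_factory=dict)  # name -> (start_block, length)
    free: list = field(init=False)

    def __post_init__(self):
        self.data = bytearray(self.blocks * BLOCK)
        self.free = list(range(self.blocks))

    def _find_run(self, needed):
        """Return the first run of `needed` consecutive free blocks."""
        run = []
        for b in sorted(self.free):
            if run and b != run[-1] + 1:
                run = []
            run.append(b)
            if len(run) == needed:
                return run
        raise OSError("no contiguous free space")

    def write_file(self, name, payload):
        needed = -(-len(payload) // BLOCK)  # ceiling division
        run = self._find_run(needed)
        start = run[0]
        self.data[start * BLOCK:start * BLOCK + len(payload)] = payload
        for b in run:
            self.free.remove(b)
        self.directory[name] = (start, len(payload))

    def read_file(self, name):
        start, length = self.directory[name]
        return bytes(self.data[start * BLOCK:start * BLOCK + length])

    def delete(self, name):
        """Normal delete: drop the path, return blocks to the free list,
        leave the bytes untouched (this is the gap forensic tools exploit)."""
        start, length = self.directory.pop(name)
        self.free.extend(range(start, start + -(-length // BLOCK)))


def make_fake_jpeg(n_blocks):
    """Constructed JPEG-like blob: real markers around printable filler."""
    body_len = n_blocks * BLOCK - len(JPEG_SOI) - len(JPEG_EOI)
    return JPEG_SOI + (b"pixel-data-" * (body_len // 11 + 1))[:body_len] + JPEG_EOI


def carve_jpegs(image):
    """Recover JPEG-like blobs by scanning raw bytes for SOI..EOI, ignoring
    the directory entirely, the way a forensic carver works."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def factory_reset(fs):
    """Clears every path but overwrites nothing, like the in-built reset."""
    fs.directory.clear()
    fs.free = list(range(fs.blocks))


def secure_wipe(fs, passes=1):
    """Overwrite every block (random passes, then a final zero pass so the
    result is verifiable), then clear the paths."""
    for _ in range(passes):
        fs.data[:] = os.urandom(len(fs.data))
    fs.data[:] = bytes(len(fs.data))
    factory_reset(fs)


def verify_wiped(fs):
    """Post-wipe check: nothing carvable and every byte zero."""
    return not carve_jpegs(bytes(fs.data)) and not any(fs.data)


if __name__ == "__main__":
    fs = FlashImage(blocks=16)
    photo = make_fake_jpeg(3)
    fs.write_file("IMG_0001.jpg", photo)
    fs.delete("IMG_0001.jpg")
    print("after delete, carved:", len(carve_jpegs(bytes(fs.data))))
    factory_reset(fs)
    print("after factory reset, carved:", len(carve_jpegs(bytes(fs.data))))
    secure_wipe(fs)
    print("after overwrite wipe, carved:", len(carve_jpegs(bytes(fs.data))),
          "verified:", verify_wiped(fs))
```

The carver never consults the directory, which is why removing the path (delete or factory reset) changes nothing for it; only the overwrite in `secure_wipe` removes the bytes, and `verify_wiped` is the kind of check a recycler should run before issuing a certificate of destruction.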
In the UK, where I’m based, companies like Cashinyourgadgets, Bozowi Sell My Mobile, and Money4urmobile offer this level of permanent data removal. [Disclosure: I am currently doing consulting work for Bozowi.] In the U.S., cell recycling companies like Cellularreturns, Celltradein, and Gadgetgobbler offer military-standard wipes.
Costs for this service vary significantly, but the price is usually about 5 percent to 15 percent of the phone’s recycle value. So if your handset could be recycled for $150, the cost to have it properly wiped would be somewhere around $15. However, the more aware the world is of forensic data retrieval software, the quicker companies like these will begin offering such a service for free (because they will have no choice).
A word of warning: If you are going to use an external company to perform a permanent wipe on your phone, always make sure they provide you with both a tracking number and a certificate of destruction. Companies like these will almost always arrange for a delivery service to pick up your phone from your home and drop it off afterwards, so a tracking number is important to monitor the process and make sure you are getting the full data removal. A certificate of destruction is useful because it means the company is accepting full responsibility for the data, so if your phone still manages to get hacked after the service, they will be legally accountable.
There have been some studies suggesting that multiple factory resets could also delete the flat data by slowly wearing down the solid state memory, but the results were inconclusive.
One piece of good news: It’s likely this threat won’t be a permanent issue. The major mobile device developers will eventually find ways to bypass it altogether. Already we’re hearing about the upcoming Blackphone, which is apparently NSA-proof and allegedly impossible to hack. However, until it’s released, we won’t know for sure.
It’s unlikely forensic software will ever be outlawed, and even if developers fully bypass the threats it poses, another more advanced incarnation will be conjured up (the police still need to recover data, remember). What’s important is that mobile phone users are aware of the threat and begin to pressure electrical recyclers to do everything they can to prevent it.
Matt Carter is part of the research and communications team for UK-based technology company ECD Ltd. He is currently working with ECD’s sister company, Bozowi, on an awareness campaign to eliminate the increasing security risks within mobile electrical recycling.