Laurent Simon, University of Cambridge
From the show Your Smartphone: What's it Saying to Cyber-Criminals?
Often when upgrading our smart phones, we're given the option to recycle our old ones and why not? It's better for the environment and you might even walk away with some extra cash in your wallet. So you delete everything on your phone and hand it over... End of story... right? Last year, Laurent Simon bought some second-hand Android phones from eBay - all were advertised as 'wiped' of all personal data. But, when Laurent plugged them into his laptop, he could recover almost everything. He told Chris Smith how he looked through old photos, text messages and even passwords...
Laurent - Well, more and more phones are actually being sold online and the market is actually booming. We expect I think, more than a hundred million phones being traded by 2018. So, we thought it would be a good idea to figure out whether data was still available after you wipe it.
Chris - Are the majority of them sold as wiped?
Laurent - Most of them were wiped, yes.
Chris - When someone defines their phone as wiped, does that mean they've sort of gone into the settings because there's a button you can sort of select on the phone that says, reset to factory, isn't it? That it sort of resets it to how the phone apparently was when it came out of the box. Is that actually what happens?
Laurent - Most people actually use this setting on the phone. And that's what the vendors suggest you do before you sell your phones. It doesn't always delete the data and why this data is not properly deleted, you first have to understand how the data is stored on your phones. So, phones basically store the data the same way a library would store books. So essentially, you have books on your shelf and every time you want to access a book, you have to look up its location in a search index table. Now, some phones, when they wipe the data, they will actually delete both this index table and remove the books from the shelves. But some phones will actually only remove the index table. So, it appears to you as if your data has vanished, but if you look directly at the shelf, the data is still present.
Chris - The books are all still standing there. So, if you just wander along the shelves, you could potentially retrieve a book.
Laurent - Exactly.
Chris - And is that what you did with your project?
Laurent - Yes, exactly. We looked at the shelves directly and looked at the data rather than relying on the index table. Well, we found actually quite a lot of data. So, on some phones, we were not able to recover data but on some other phones, it was possible. This depends on versions and models.
Chris - What sorts of juicy things were coming up?
Laurent - So basically everything that you can think of. So, most phones will have...
Chris - I don't know, I've got quite an imagination, Laurent, so...
Laurent - Yeah. So pictures basically. There are dozens or even thousands of pictures on the phones. So, you'd find selfies, you'd find family pictures, pictures of kids and babies. You might also find conversations either these could be emails, chats or text messages. You'd be able to find out which websites people have visited and which apps they have installed. And also, their contact list.
Chris - So, it's all potentially quite sensitive stuff.
Laurent - Yeah, exactly. Well, more importantly, you can also recover passwords. For example, passwords from third party apps that you install on your phone or password that is used by the phone in order to backup your data online.
Chris - Because people tend to use the same password many times in many places, it's possible also that could be a bigger breach than just for that thing that's on the phone. Is this something that happens on all kinds of mobile devices or are some more vulnerable to this?
Laurent - The market is sort of split between the Apple phone and the Android smartphones.
Chris - It's about 50/50, isn't it?
Laurent - Yeah. I haven't personally looked into the iOS devices so I can't really comment on that.
Chris - This is Apple?
Laurent - Yeah, Apple. I haven't heard reports of data being recovered from those phones.
Chris - But what about Android?
Laurent - It's more on a case to case basis. There isn't really a magic version that is vulnerable and another one that isn't. There are versions sold about 2 or 3 years ago that are more vulnerable and these are often the ones that people are actually selling online.
Chris - So, what can someone do about this? If you're someone who's about to flog an old phone or give it away to your kids or something, what can you do to make sure you're not a victim of something like this happening?
Laurent - Okay, so that's a difficult question because as I said, all phones are different and it depends on the model. But there are some steps that we can take to try to improve the situations. One of the things you can do before you resell your phone is to enable the encryption option in your settings. This basically scrambles your data to make it difficult to retrieve by someone. This technique essentially is often as reliable as the strength of your passphrase. So you're better off with a really long passphrase. Once you've enabled this option, you restart your phone, you ask for the passphrase and you can wipe your phone. For multimedia files, it's a little bit different especially on the Android platform. So, if you actually want to get rid of this data, you have various possibilities, none of them are fully reliable but they will improve the situation. So, one of them is to use an external memory card to save your pictures instead of the default one on the phone. A second option is to connect your phone to your computer via a USB cable and delete manually the files on your phone and copy large files on the phone into your...
Chris - Basically, just fill up your phone with stuff and it's a bit like shoving new stuff onto the shelves of your library. It's going to push out all the old stuff so the fingerprint of it being there is gone. So, even though you're giving some data away, it's still stuff you don't care about because it's just random rubbish.
Laurent - Exactly. So, as I said, this is not fully reliable but this will help. Another way you can do this is also by trying to record a really large video until some of the memory is full.