We like to think that doing a factory reset on our old phones and tablets is enough to keep our private data safe before selling them for an upgrade to the latest gadget, but a new survey of phones, tablets and computers purchased from Craigslist proved that a factory reset is essentially worthless on Android phones and tablets.
Just how bad is it?
Security evangelist Robert Siciliano of McAfee told GottaBeMobile that he wouldn’t “let a Droid out of my hands,” and recommends turning your old Android smartphone into Swiss cheese if you value your privacy.
When it comes to a factory reset, Android phones are the worst. The iPhone and iPad are much better at removing personal information.
Robert purchased 20 laptops, notebooks, tablets and smartphones on Craigslist in the Boston area and sat down with a forensics expert who was able to pull a shocking amount of information off of the old gadgets — even those that had been factory reset.
What’s Left After a Factory Reset?
When it came to mobile phones, Robert told us that the most commonly found information was porn, “lots and lots and lots of porn.”
But that was hardly all that they found during their search of gadgets purchased on Craigslist. Secondhand devices included the following information even after the seller did a factory reset or a reinstall of the operating system.
- Court records
- Social Security Numbers
- College applications
- Child support documents
- Employee records
- Bank statements
- Credit card statements
- Tax returns
- Contact lists
- and more.
All of this information came from devices which had been factory reset or had an operating system reinstalled. Obviously, some of this private data was found on notebooks, but with more and more of our financial, personal and work life taking place on our phones and tablets, you have more than emails, contact lists and photos at stake.
Take a minute to think about your browsing history, any financial PDFs you’ve downloaded to your smartphone or other personal documents you’ve accessed on your smartphone over the last year.
In 5 minutes of searching I was able to find a free tool that recovered photos, the email address from the phone and my Google Book reading history. I also found other forensics tools which others have used to find email history, contacts, Google search history and text messages.
In the video below, I show how easy it is to recover simple information like photos from a formatted Android phone. This may not seem like a big deal, but if you are anything like me, your photo history will contain photos of documents, phone numbers and other documents which I have saved to Evernote or emailed, but don’t want in the hands of a stranger.
While I wasn’t able to recover as much as the forensics expert, it became clear that there are many tools out there to recover more data.
Why You Should Worry
There’s definitely cause for concern given the 13% rise in identity theft in the last year. It gets even worse: Javelin Strategy & Research found that 7% of smartphone owners were victims of identity theft, higher than the average person.
Javelin Strategy & Research believes that the increase of identity theft among smartphone owners is related to the lax security they use, but the real problem is that 32% of smartphone owners admitted to storing usernames and passwords on their phone. Even improvements to security in future versions of Android operating systems won’t protect everyone. The survey found that nearly a third of smartphone owners don’t upgrade to newer versions.
This information, combined with the information gleaned from any social networks and contact lists left after a factory reset, only makes it easier for identity thieves to take over your identity by buying your old Android phone for $50 on Craigslist.
Robert used a forensics expert, but anyone with an Internet connection and the know-how to use basic software tools can learn to extract this information with DIY data recovery tools and guides.
Criminals can use this information to steal your identity, your accounts and undertake other nefarious activities. Robert explains that a $20 to $100 Windows PC purchased on Craigslist could result in thousands of dollars of value for identity thieves. The two main attacks are taking your identity to open new accounts in your name and using the information left behind to take over your current accounts to run up charges and drain cash.
If a criminal has your contact list and photos, they could also run a spear phishing scam on your friends and family, asking them to send money to help you out of a jam, even including a photo to sell the story. This might sound far-fetched, but the Grandparent Scam happens with compromised Facebook accounts all the time, and it isn’t limited to grandparents.
If your phone has porn left on it, a Craigslist buyer could even use your browsing history, photos and contact list to blackmail you.
iPhone Factory Reset Is More Secure
When it comes to mobile devices, Android phones are the worst at securing your private data with a factory reset. This is why Robert told GottaBeMobile, “I don’t even know if I’d let a Droid out of my hands.”
While Android devices can’t keep your personal information safe with a factory reset, BlackBerry and Apple devices fared better.
Robert tells us that BlackBerry does the best job of deleting information when the phone is factory reset, but Apple isn’t too shabby either.
On an iPhone they tried to access, they found nothing, and on an iPad, they only found an email address and some songs. Good news for iPhone 4S and iPad 2 owners who plan to sell their old Apple gear to pay for the iPhone 5 and iPad 3.
We’ve asked Google for comment on the security of factory resetting Android phones, but have not received a response.
What to Do With Old Phones?
If you have an Android phone you no longer plan to use, your best bet is to stick it in a drawer as a backup device in case your new phone breaks, or you could put it in a vise grip and drill holes through it until it looks like Swiss cheese. If you have a gun handy, target practice is another option.
These findings have me rethinking selling any of my old Android phones, like the HTC Thunderbolt, which many of you would line up to shoot.
The only semi-safe option would be to lend or give it to a trusted friend or family member who won’t turn around and sell it in a month.
When it comes to MicroSD cards or SD cards, Robert suggests breaking them to pieces, and never including them with a device you sell to someone on eBay or Craigslist.
As long as you perform a factory reset on your iPhone, iPad or BlackBerry, you should be safe to sell it to a third party. Just be careful if you meet a Craigslist seller in a desolate parking lot.