A recent Channel 4 investigation into the used phone trade in the UK has exposed some worrying privacy concerns. An investigation into two of the largest pawn brokers that are selling second-hand phones, CEX and Cash Converters, revealed that many phones still have recoverable details on them once sold. Some of the data that is left behind on the devices, or is recoverable, includes photos, text messages, passwords, credit card information and internet history. This comes despite Cash Converters and CEX telling customers that their devices will be wiped clean of all personal data before they are sold.
The issue arises from the assumption by these companies that a “factory reset”, or something of that equivalence, is enough to wipe all personal data from the device. The reality is a factory reset doesn’t completely eradicate all personal data as it is still recoverable from the memory. One security expert that Channel 4 spoke to claims that data can be easily recovered using freely available software and about 10 minutes of your time.
“The phones look like they’re completely blank, but the data is still there in the memory,” said Glenn Wilkinson of SensePost. “You can use software to find it, and that software is freely available for download. I can teach you how to access the data in 10 minutes.”
The extent of information that people store on their phones means that for criminals and fraudsters second hand phones are a goldmine of valuable and sensitive private information.
The Chief Executive of one of the major pawn brokers, Cash Converters, stated that:
“All phones are wiped to a standard level and full factory restores are carried out,” said Mr Patrick. “It is our understanding that specialist software may still be able to recover certain information stored on the phone, but we do everything in our power to ensure all personal data is removed from the device.”
However, the clear moral of the story is that if you’re selling your phone make sure you have securely removed all your data to the best of your ability. In some cases the manufacturer reset function will be enough but in others it may not and specialist data removal software may be needed.
Image courtesy of the Guardian