Factory settings FAIL: Data easily recovered from eBayed smartphones, disks

Data recovery experts have found a raft of personal information on used hard drives and mobile phones purchased from Amazon, eBay and Gazelle in the UK, US and Germany. The research, by Blancco Technology Group and Kroll Ontrack, once again shows that failure to erase data from discarded devices continues to be a problem, …

  1. Little Mouse

    I've always gone for the masonry-chisel-&-lump-hammer approach when disposing of old hard drives.

    I've yet to try this on a smartphone though. The resale value may prove too tempting...

    1. Voland's right hand Silver badge

      I am doing it now after I watched what happened to them

      I took a set of old SCSI LVD drives which lingered in my loft for 8+ years to the county dump last year. I left them with the other electronics. By the time I went to the car to pick up the next load and dump it they were gone. They were immediately collected for "reuse" by one of the guys at the dump who clearly knew what they were and what he was doing.

      Thankfully, they were properly wiped using a 7 pass. Something you could do once upon a time. Realistically, you can no longer do it in the age of flash. You really have no idea what exactly was done by the storage controller and what can be recovered from the drive after that.

      1. petur

        Re: I am doing it now after I watched what happened to them

        With flash, you just fill them up with random data.... dd to the rescue

        1. Alan W. Rateliff, II

          Re: I am doing it now after I watched what happened to them

          Actually, that is not sufficient for flash storage, in part due to wear leveling algorithms. Not too long back a case study found that around 20% of user data was still recoverable after over-write wipe attempts on flash devices.

          The good news is most SSDs support "secure erase" functionality which actually does wipe the data. I am certain (hopefully) some software supports it, but I know that at least one hardware wiper does and I use it on a regular basis.

          Of course, that is SATA and IDE SSDs, "destruction" is the word of the day for USB thumb drives and such.

          1. Pookietoo

            Re: Actually, that is not sufficient for flash storage

            What doesn't work is trying to wipe individual files, because the obscuring bit pattern won't be written over your data. What you can do is delete your data then fill the device with junk - the only sectors you won't overwrite then are those that have been taken offline due to read/write errors.

          2. petur

            Re: I am doing it now after I watched what happened to them

            "Actually, that is not sufficient for flash storage, in part due to wear leveling algorithms. Not too long back a case study found that around 20% of user data was still recoverable after over-write wipe attempts on flash devices."

            That would mean that on overwriting the complete device, 20% of it suddenly developed bad sectors. Nope, not likely.

            Wear leveling actually has little to do with it, because it just shifts data around during your read-erase-write, to make sure all sectors get their same amount of erase cycles.

            But yes, if the SSD has secure erase, go for it. In other cases, fill it with random. Not the files, the device.

          3. Anonymous Coward
            Anonymous Coward

            Re: I am doing it now after I watched what happened to them

            > "The good news is most SSDs support "secure erase" functionality which actually does wipe the data. I am certain (hopefully) some software supports it"

            Most SSD manufacturers supply a "toolbox" program with the drive that'll do it. Parted Magic will do it, but it's non-free. You can run hdparm (via Linux live disk) with --security-erase, which should issue the ATA secure erase command.
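
Added example, not part of the thread and not hdparm's own code: a pre-flight check for the hdparm route mentioned in the comment above. A drive in the "frozen" or "locked" security state rejects the erase, so the script parses the Security section of `hdparm -I` first; the sample output is constructed, and `/dev/sdX` and the password `p` are placeholders.

```shell
#!/bin/sh
# Usage on a real system (as root):  hdparm -I /dev/sdX | erase_verdict

# Constructed sample: "Security:" section of `hdparm -I` for a drive the
# firmware left frozen at boot (real output indents with tabs).
SAMPLE_FROZEN='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Same constructed drive after a suspend/resume cycle cleared the freeze.
SAMPLE_READY=$(printf '%s\n' "$SAMPLE_FROZEN" | sed 's/^ *frozen$/    not frozen/')

# Read `hdparm -I` output on stdin, print one word:
# unsupported | locked | frozen | ready | ready-enhanced
erase_verdict() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented header ends the section
        !insec             { next }
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line); gsub(/[ \t]+/, " ", line) }
        line == "supported"                 { sup = 1 }
        line == "locked"                    { locked = 1 }
        line == "frozen"                    { frozen = 1 }
        line == "supported: enhanced erase" { enh = 1 }
        END {
            if (!sup)        print "unsupported"
            else if (locked) print "locked"
            else if (frozen) print "frozen"
            else if (enh)    print "ready-enhanced"
            else             print "ready"
        }'
}

# Print (never execute) the next step for device $1 given verdict $2.
# "p" is a throwaway placeholder password; the erase clears it again.
erase_plan() {
    case $2 in
        ready|ready-enhanced)
            flag=--security-erase
            [ "$2" = ready-enhanced ] && flag=--security-erase-enhanced
            echo "hdparm --user-master u --security-set-pass p $1"
            echo "hdparm --user-master u $flag p $1" ;;
        frozen)  echo "# $1 is frozen: suspend/resume or hot-replug it, then re-check" ;;
        locked)  echo "# $1 is locked: unlock with its existing password first" ;;
        *)       echo "# $1 has no ATA security feature set: use another method" ;;
    esac
}
```

Re-run `hdparm -I` after the erase: the Security section should show "not enabled" again once the drive has cleared the temporary password.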

    2. Terry 6 Silver badge

      When I was in public service the recycling centre actually complained once that the PCs had no HDDs in them.

      Well I'd made a point of removing them and doing as much physical damage to them as I could.

      Then putting them into the landfill dustbin, buried.

      Yes, someone could have found one in the sludge. and dismantled it and read data off the (wiped) plates. You can't make anything 100% safe in the real world.

      But I got as close as I could. And it certainly wouldn't have been possible for an ordinary bloke in the street to do.

  2. Anonymous Coward
    Anonymous Coward

    ...its the only way to be sure

    Course, as we all know the only safe way to erase data (a hard drive in this example) is to:

    delete all the files from the volume

    format the volume

    erase the volume

    erase the other volumes

    run the "military strength" deleter / overwriter thingy off of a Hirens disk

    remove drive - wave around in front of a strong magnet

    go outside - throw it against the wall a few times

    find a De-Walt with a HSS bit drill through the platters a few times.

    THEN it starts costing....

    Have a Certified (read "licence to print money") data disposal company come round and:

    put the item through their "special" data destroying coffee grinder

    sweep up the bits into a lead lined box

    have a swat team escort the box to morder

    empty fragments into fires of mount doom.

    Nuke the site from orbit

    This will, of course, significantly affect the resale value of your iphone

    1. Allan George Dyer
      Headmaster

      Re: ...its the only way to be sure

      That's Mordor.

      One does not simply mis-spell Mordor.

    2. Robert Helpmann??
      Childcatcher

      Re: ...its the only way to be sure

      I think you left off at least one intermediate step: throw in a box with a grenade chaser. Other than that, it looks pretty good.

      1. Anonymous Coward
        Anonymous Coward

        Re: ...its the only way to be sure

        Thanks Rob & Allan. I'll update the documentation, the map, and the armoury!

    3. Stoneshop
      Boffin

      Re: ...its the only way to be sure

      > find a De-Walt with a HSS bit drill through the platters a few times.

      Even better, if you have access to a CNC router, is to program it so that it eats away the disk from one side. Soon the router bit will hit the platters, which will start to spin ... If things go well, you'll be left with just platter dust.

      (wear safety glasses)

  3. Anonymous Coward
    Anonymous Coward

    "still readily recoverable for those with access to specialised software."

    Ha ha! A lot of the time, simply plugging in a USB cable and having a dig about using "File Mangler" in Windows is enough to find that your data is still sitting on the phone's "disk" after a so called Factory Reset. I've reloaded the O/S onto my phone, asked it to wipe the SD cards and still the data is there!

    Want to remove it completely? Use a claw hammer, a breeze block and a bucket of sulphuric acid!!

    1. Anonymous Coward
      Anonymous Coward

      bucket of H2SO4?

      That had better not be a steel/iron one then....

      According to GCHQ you need to take the platters/chips, melt them into a mess and escort it with armed guard to somewhere secure such as the Radioactive ponds at Sellafield and leave for 1,000 years.

      A bit extreme but it does ensure that no one can read your Facebork entries until long after it matters.

      1. Hero Protagonist

        Re: bucket of H2SO4?

        "A bit extreme but it does ensure that no one can read your Facebork entries until long after it matters."

        No, those are on Facebork's disks shurely?

  4. Tom Chiverton 1

    "But Android devices, on the other hand, do not use this method and rely upon a user overwriting data "

    Umm. Hasn't Android had file system encryption since 4.x ? Or earlier ?

    1. thesykes

      It may be included in later versions of Android, but, isn't enabled by default, at least not when upgrading from older versions.

      Not sure if new phones with newer versions have it turned on by default.

      One day I'll get round to encrypting mine, maybe.

      1. dotdavid

        "Not sure if new phones with newer versions have it turned on by default."

        There were rumours that Lollipop would have it on by default, but presumably due to performance it wasn't. Some of the high-end smartphones have dedicated silicon that aids with the disk encryption/decryption process so the performance impact is lessened; I suspect until these devices are more common the encryption will remain optional.

        A several-pass random wipe as part of the factory reset process would be welcome however.

    2. Anonymous Coward
      Anonymous Coward

      "Umm. Hasn't Android had file system encryption since 4.x ? Or earlier ?"

      Not by default, as has already been mentioned, and on my particular Kit Kat device, under a year old, it's recommended that you don't use encryption at all because it's so buggy.

      There have been reports that it slows the device to a crawl and in the worst case leads to an unrecoverable corrupted filesystem. I guess it's just one of the drawbacks of not being in control of both software AND hardware, like Apple.

      1. Anonymous Coward
        Anonymous Coward

        "There have been reports that it slows the device to a crawl and in the worst case leads to an unrecoverable corrupted filesystem."

        Have there, some links please, or is that what they want us to believe?

        My Android phone is encrypted simply because data protection, device loss and not wanting to be that bothered about if it happens. I mislaid a Blackberry once (slipped silently under a desk draw set while working on a PC) the feeling of wondering what I might have left on there over the last few months by mistake is unpleasant, what's worse is I have an almost OCD tick to check my phone keys etc. when leaving a building and often entering another so I knew it had "gone from my pocket in the last ten minutes", knowing I had enough time to reset some passwords would have been nice but it was so quick I wasn't even sure it would be locked. Yes I did call it and yes people did hear it go off but because it was "not their phone they didn't bother to do anything about the phone ringing under the desk" (people wonder how BOFH got like that).

  5. Anonymous South African Coward Bronze badge

    If somebody can market an app that can securely wipe *all* data from your droids...

    1. Mpeler
      Paris Hilton

      These are not the 'droids you are looking for

      Obi when?

      (Paris can't find them either)...

    2. Due4AChange

      Wipe App

      That's what Blancco sells: Erasure tools for phones & disk drives... Hence their publication of this study.

      1. Haku

        Re: Wipe App

        I installed an Erasure app once, the phone then started wanting a little respect...

      2. Vic

        Re: Wipe App

        > That's what Blancco sells: Erasure tools for phones & disk drives

        I used to be associated with a charity that refurbished & re-sold PCs. We originally set up a dban station for wiping drives. Management then decided that we would have to use Blancco instead.

        I don't know if they've changed their model, but back then, the software had an initial cost, *plus* a cost for each use. And this charity was particularly cash-strapped.

        I have nothing to do with them any more.

        Vic.

    3. MacGyver

      Easy.

      Factory erase all your data (reset), then take enough HD pictures of the desk to FILL the rest of the storage area. Delete the pictures. Done. (a 3gb video of your pocket would work the same)

      The easiest way to clean a flash storage device is to overwrite the location where the data was held with new data.

      1. Yet Another Anonymous coward Silver badge

        Re: Easy.

        And find that your nude selfies from the UKIP Christmas orgy were in a block that the auto wear leveller had marked as too old to use and so the new data wasn't written to it. Up to 20% on some flash drives is used as reserve like this.

        1. Mike Bell

          Re: Easy.

          Indeed. The only viable secure option with Flash is to encrypt on-the-fly in hardware like the iPhone does (and always has done). That ain't gonna happen with cheap handsets.

  6. a_mu

    Shops even worse

    My daughter's phone suffered a few problems, so it was taken back to the shop, who lent her a unit whilst hers was being repaired.

    She used the phone for a few days, then returned it to the shop when her phone returned.

    Months after, her friends still get txts from that loan unit, despite the shop's promise to reset the phone...

    1. Anonymous Coward
      Facepalm

      Re: Shops even worse

      Unfortunately phone shops are full of the sort of people who truly believe that if they say something repeatedly with enough bravado it becomes true. Unfortunately they're all just very, very stupid rather than being masters of reality.

      1. Anonymous Coward
        Happy

        Re: Shops even worse

        > Unfortunately phone shops are full of the sort of people who truly believe that if they say something repeatedly with enough bravado it becomes true. Unfortunately they're all just very, very stupid rather than being masters of reality.

        Back when Microsoft had just taken over Nokia and the first Microsoft Lumias were in the shops, I went in to fondle one. Immediately a young lady came over and started her sales pitch. I told her I was concerned about storing my contacts in the cloud to which she replied: "It's alright, you can have as many clouds as you want."

        1. Steven Roper

          Re: Shops even worse

          > I told her I was concerned about storing my contacts in the cloud to which she replied: "It's alright, you can have as many clouds as you want."

          Holy shit. I think my response to that would have been something like a moment of stunned incredulity, followed immediately by my putting the phone smartly down and marching stiffly out the door without a word.

    2. Tom 13

      Re: Shops even worse

      Well you know, there's reset, there's wipe, there's reset and wipe. It all gets so confusing.

      Always remember: If you want something done right, do it yourself.

  7. This post has been deleted by its author

  8. asdf

    Android FDE a joke

    Android's full disk encryption (almost always software only and usually doesn't allow SD card encryption either) is garbage full stop. Having dedicated hardware for FDE is a big edge Apple has over the vast majority of Android hand sets.

  9. Anonymous Coward
    Anonymous Coward

    A droid 5 does both internal and external devices just fine. I much prefer using EDS for external SD and USB connected storage as it affords portability with my other devices and wherever else I've got anything stored.

  10. Anonymous Coward
    Big Brother

    BBRY devices?

    Should be OK, except the Priv obviously.

    1. asdf

      Re: BBRY devices?

      Except for the shambling corpse of a corporation to support it. Probably ok this generation but next yeah not so much.

  11. ecarlseen

    Apple did it right.

    Not only do they mandate full encryption of storage on iOS devices (there is no way to shut it off), they backported the feature all the way back to the iPhone 3GS and iPad 2 (four years' worth of devices) and forced it on automatically for anyone who ran the normal software updates. And they did it without hurting performance.

    1. Anonymous Coward
      Anonymous Coward

      Re: Apple did it right.

      They've had default encrypted storage on iPhones since the 3GS - back when it was new. It and all subsequent phones have included a dedicated AES encryption block on the SoC (hence no performance drop)

      The change they made a couple years ago was with key management, to ensure that the users had the only copy of the key. Previously Apple held a copy of your device key - so they could help out the users who forgot their password (if they could establish they were the phone's owner)

      With the NSA's and FBI's shady activities they felt it was better to leave it totally up to the user, which is why now they can't help you if you forget your password because they no longer have a copy of your device key. If you forget your password, and don't have a backup, you've lost everything and no one can get it back, not Apple, not a data recovery company, (probably) not even the NSA (unless they can crack AES)

  12. Anonymous Coward
    Anonymous Coward

    I admit I'm a little surprised there were ZERO iOS devices recovered

    Surely some people don't bother to do a reset of their phone before selling it? Maybe Gazelle and Amazon do that as part of their normal process of checking out a phone before turning it around and reselling it, but surely there are iPhones available on eBay where the previous owner has stupidly left everything intact?

    1. Ed

      Re: I admit I'm a little surprised there were ZERO iOS devices recovered

      I think you'd have to also leave it without a passcode on as well (which some people do).

  13. Anonymous Coward
    Anonymous Coward

    Never sell, destroy

    [Wear appropriate safety gear]

    1. Break the drive seal/case

    2. Apply lump hammer, liberally.

    3. Place drive in bucket of water from a salt water pool. The water just covering drive body.

    4. Pour in pool acid, liberally.

    5. Leave (in a safe, ventilated, place) to bubble and hiss for one week

    6. Retrieve hardware, rinse thoroughly in salt water

    7. Season with above mentioned lump hammer to taste and dispose of drive in council bin

    Pro tip: Leave the finished drive in the weather for a month for that fully-corroded look.

  14. This post has been deleted by its author

    1. 0765794e08
      Joke

      Re: In the ding

      Indeed. A melted SSD and a Tesco spaghetti bolognaise actually taste quite similar...

  15. Crisp

    Thermite

    It's the most secure (and fun) way to erase data.

    1. Medixstiff

      Re: Thermite

      > Thermite
      >
      > It's the most secure (and fun) way to erase data

      I disagree, put a few SSD's in a bag and beat your choice of politician around the head with them, much more fun and quite therapeutic too.

      1. Anonymous Coward
        Anonymous Coward

        Re: Thermite

        Yeah bring a building or seven down on them eh! Enron and the other stuff! those were the days, this is a secure line isn't it?

  16. Anonymous Coward
    Anonymous Coward

    Re. Microwave

    An electric oven plate (ghetto reflow) seems to do the job, tried recovering data from a few pendrives thus cooked with just the chip exposed and the rest epoxy encapsulated (250+C) and nothing.

    Chip won't even recognize in low level tools, checked soldering and it's not the problem.

    I'd even checked that the chip was a similar manufacturer and size, still didn't work.

    Also works well on microSD cards, evidently at high temperatures the glue that holds the thinned die together degrades and causes all the bond wires to snap.

    I tried this on a few cards and 100% fail at >200C, they really really do *not* like the heat.

    1. Michael H.F. Wilkinson Silver badge
      Mushroom

      Re: Re. Microwave

      Alternatively, when disposing of larger quantities, use a flame thrower, and say: "I love the smell of napalm in the morning" for the sake of style.
