Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos
An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more... personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."
Where the fault lies? (Score:3, Insightful)
What kind of people sell SD cards along with the phone? I thought everyone was a miser.
Am tempted to know what kind of nudie pics were available.
Re: (Score:2)
But how many people actually reset phone and reset data? I'd imagine a lot of people simply manually delete their photos and unhook their Internet accounts from the phone. Hardly a wipe.
Re:Where the fault lies? (Score:5, Insightful)
But it's so easy to do on iOS. You can do it on the phone: Settings->General->Reset.
And it wipes the phone - the flash storage is encrypted. Resetting it wipes the key and generates a new one. It then reboots and reformats the user storage using the new key and mounts it. The old data is irrecoverable because the key is lost, and the new data is written using a new key.
Even prior to encrypted storage, iOS 3 created the option to do it where it erases and wipes the storage - anything 3GS and newer wipes keys (so wiping takes a couple of minutes), older ones took a couple of hours.
No reason Android can't do the same, by sending TRIM commands to the entire user storage area and then forcing a write-all-with-zeroes to be doubly sure.
Re: (Score:2)
Well, how are you using the phone otherwise? Do you keep it locked in some booby-trapped safe? Otherwise you can still lose it, and it'll be in a much worse shape than it is when you sell it with keys wiped and storage formatted (even if technically not fully wiped, even if still encrypted). It might be unlock-able, it might have some SD card you regularly keep in it (but that you wouldn't leave in it if you sell the phone), etc.
Re:Where the fault lies? (Score:5, Interesting)
Because throwing the keys away on an encrypted drive is more secure than overwriting an unencrypted drive with zeros, as the data recovery experts will be glad to tell you.
Re: (Score:3)
> Because throwing the keys away on an encrypted drive is more secure than overwriting an unencrypted drive with zeros, as the data recovery experts will be glad to tell you.
But that's a false choice. There is a 3rd option... do both.
Take your most private information, encrypt it, and put it on a flash drive.
Then go and sell or give that flash drive away to someone else.
Are you really going to say... well they don't have the keys, so we're good. Here you go. And hand them all your data intact (but encrypted).
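The two posts above argue about the same mechanism: a reset that replaces the device key leaves only ciphertext on the medium, and the "do both" option zeroes the medium as well. As an added example (not code from the thread, from Apple or from Google), here is a small Python model of that mechanism. The class and function names are assumptions for the demo, and the cipher is an HMAC-SHA256 counter-mode keystream chosen only so the script runs with the standard library; a real handset uses AES in hardware.

```python
"""Crypto-erase versus overwriting, as a runnable model.

Added example (not from the thread or from any vendor's code).  The user
partition is only ever written as ciphertext under a device key kept in a
separate key slot; a factory reset overwrites that slot.  The cipher is an
illustrative HMAC-SHA256 counter-mode keystream chosen so this runs with
the standard library alone; a real handset uses AES in hardware.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudorandom bytes (counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedPhoneStorage:
    """Two regions: the raw medium a recovery tool can dump, and a key slot."""

    def __init__(self, capacity: int = 4096) -> None:
        self.medium = bytearray(capacity)          # ciphertext only, never plaintext
        self.key_slot = secrets.token_bytes(32)    # device key ("never leaves the SoC")
        self.nonce = secrets.token_bytes(8)        # per-device, fixed for this demo

    def _ks(self, key: bytes, offset: int, length: int) -> bytes:
        # The offset is mixed into the nonce so every location gets its own keystream.
        return keystream(key, self.nonce + offset.to_bytes(8, "big"), length)

    def write(self, offset: int, plaintext: bytes) -> None:
        ct = xor_bytes(plaintext, self._ks(self.key_slot, offset, len(plaintext)))
        self.medium[offset:offset + len(plaintext)] = ct

    def read(self, offset: int, length: int, key: bytes) -> bytes:
        return xor_bytes(bytes(self.medium[offset:offset + length]), self._ks(key, offset, length))

    def factory_reset(self, zero_medium_too: bool = False) -> None:
        """Throw the key away by replacing it; optionally also zero the medium ('do both')."""
        self.key_slot = secrets.token_bytes(32)
        if zero_medium_too:
            self.medium[:] = bytes(len(self.medium))


def resale_scenario(zero_medium_too: bool = False) -> dict:
    """Owner stores a photo, resets, sells; buyer dumps the medium and tries to recover."""
    # Constructed stand-in for a JPEG: SOI marker, payload, EOI marker.
    photo = b"\xff\xd8\xff\xe0" + b"family photo payload " * 8 + b"\xff\xd9"
    phone = EncryptedPhoneStorage()
    phone.write(1024, photo)
    owner_can_read = phone.read(1024, len(photo), phone.key_slot) == photo
    phone.factory_reset(zero_medium_too)
    dump = bytes(phone.medium)                     # what a recovery tool gets to see
    return {
        "owner_could_read_before_reset": owner_can_read,
        "plaintext_ever_on_medium": photo[:16] in dump,   # carving for the JPEG header
        "decrypts_with_new_key": phone.read(1024, len(photo), phone.key_slot) == photo,
        "medium_is_all_zero": not any(dump),
    }


if __name__ == "__main__":
    print(resale_scenario())
    print(resale_scenario(zero_medium_too=True))
```

The point the model makes is that the plaintext never reaches the medium in the first place, so a carver finds nothing before or after the reset; replacing the key is what turns the remaining ciphertext into noise. Zeroing the medium afterwards costs a full write pass and removes even the ciphertext, which is the "do both" position.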
Re: (Score:3)
Not remotely. If you find 256 bit AES broken in a year, let us know.
Re: (Score:2)
How do they throw away the keys? If they're just zeroing the area with the identity/security info it might not be that much more secure.
It's hardware decryption. The key only ever exists within the SoC. Throwing away the decryption key means overwriting it with a new one. There is no possibility of recovery.
"Zeroing the storage space" probably does not overwrite anything on flash storage. Flash is very resistant to writing anything to a block unless it has to, as there are a limited number of writes before the block becomes unusable. Writing random data will, but at a cost of significant time. And it's still less secure than deleting the
Re: (Score:3)
He has a special edition OtterBox case that is filled with C4 explosives. If the phone gets more than 6 feet from him it detonates. Sadly he goes through about 40 phones a year.
Re: (Score:2)
I would not trust an encryption method as a replacement for permanent data destruction, but I may be more paranoid than most.
More paranoid than computer scientists, for sure.
Android already does? (Score:3)
Re: (Score:2)
> But it's so easy to do on iOS. You can do it on the phone - Settings->General->Reset
> And it wipes the phone - the flash storage is encrypted. Resetting it wipes the key and generates a new one. It then reboots and reformats the user storage using the new key and mounts it. The old data is irrecoverable because the key is lost, and the new data is written using a new key.
> Even prior to encrypted storage, iOS3 created the option to do it where it erases and wipes the storage - anything 3GS and newer wipes keys (so wiping takes a couple of minutes), older ones took a couple of hours.
> No reason Android can't do the same - either by sending TRIM commands to the entire user storage area and then forcing a write-all-with-zeroes to be doubly sure.
Android CAN do the same by simply performing a factory reset. Apple hardly has a fucking monopoly on factory reset functions in phones.
It's just that most normal users haven't a fucking clue and thus don't reset their phones to factory state, and that's where the problem lies.
Re: (Score:2)
With iOS, it's a simple option to securely delete everything. And it takes no time.
With Android it's not a one step operation and it's full of ifs and buts. And it will take some time. See for example:
http://lifehacker.com/5808280/... [lifehacker.com]
Re: (Score:2)
I am very happy with my S5, thanks, and was happy with my S3, S2 and my HTC Desire before that.
Re: (Score:2)
Your personal phone preferences are irrelevant. This is a discussion of a specific feature of iOS and a weakness of Android.
Re: (Score:2)
> Your personal phone preferences are irrelevant. This is a discussion of a specific feature of iOS and a weakness of Android.
It must've really made you weep when the saviour, the Lord Jobs, kacked it, eh? I bet you wept onto your wee i-devices... shame that's not covered under warranty, eh? LOL. :)
However, it's hilariously funny that MY preference and experience with Android devices somehow negates what I say, but your blatant fucking fanboyism-driven bollocks is fine?
Now THAT is fucking funny.
Re: (Score:2)
You're a great advert for the IQ level of Android users.
Re: (Score:2)
Good day, sir. I am off to do some work.
Re: (Score:2)
True, it doesn't, but it does delete the key which is used to encrypt everything. With no key, it's gibberish, indistinguishable from random data. Or so claims Apple, anyway. If you have better data, I'd be most interested to see it (and freely admit it's possible ANY vendor is lying about their security precautions).
Personally, I find it quite possible that Joe RandomUser would "delete" pictures, etc, and not know how to do a proper wipe. Heck, I had to look it up, but it took knowing that in general "
That doesn't work (Score:2)
"resetting" your phone to manufacturer settings doesn't wipe any data. Even manually "deleting" it and then "resetting" the phone doesn't do that. It merely marks the flash memory in the phone to be "reusable".
The only way to make sure the data is gone is to fill the phone up with garbage data after you've done a factory reset so there is something else written to the flash memory. After you've filled it up to the last bit, do another factory reset and you will be as close as you can get without destroyin
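The post above describes two things a recovery tool relies on: a delete or "factory reset" that only drops the file's directory entry, and the raw bytes that stay in the flash until something overwrites them. As an added example, not code from the thread or from any phone vendor, here is a toy Python model of that partition, a carver that pulls JPEGs out of the raw image by their markers the way basic recovery software does, and the "fill the free space, then reset again" mitigation the post proposes. The block size, file names and photo contents are constructed for the demo.

```python
"""Soft delete, file carving, and filling the free space.

Added example, not from the thread or any phone vendor.  A toy flash
partition with a directory table: deleting a file (or a 'factory reset')
only forgets where the file lived, which is what the thread calls a soft
delete.  A recovery tool ignores the directory and carves JPEGs straight
out of the raw image by their SOI (FF D8 FF) and EOI (FF D9) markers.
Overwriting every free block afterwards is the mitigation being proposed.
"""
BLOCK = 256                      # bytes per allocation block (constructed size)
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"


class FlashPartition:
    def __init__(self, block_count: int = 64) -> None:
        self.blocks = [bytes(BLOCK) for _ in range(block_count)]
        self.directory = {}      # filename -> list of block numbers

    def free_blocks(self) -> list:
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("partition full")
        for blk, chunk in zip(free, chunks):
            self.blocks[blk] = chunk.ljust(BLOCK, b"\x00")
        self.directory[name] = free[:len(chunks)]

    def delete(self, name: str) -> None:
        """Soft delete: drop the directory entry, leave the bytes in place."""
        del self.directory[name]

    def factory_reset(self) -> None:
        """Model of a reset that only clears metadata: every file is soft-deleted."""
        self.directory.clear()

    def fill_free_space(self, pattern: bytes = b"\x00") -> None:
        """Overwrite every block no file claims; zeros by default, as the thread suggests."""
        for blk in self.free_blocks():
            self.blocks[blk] = (pattern * BLOCK)[:BLOCK]

    def raw_image(self) -> bytes:
        """What a recovery tool reads: the whole medium, directory ignored."""
        return b"".join(self.blocks)


def carve_jpegs(image: bytes) -> list:
    """Return every SOI...EOI span in the image, the way a simple carver would."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) >= 0:
        end = image.find(EOI, start + len(SOI))
        if end < 0:
            break
        found.append(image[start:end + len(EOI)])
        pos = end + len(EOI)
    return found


def make_photo(label: bytes) -> bytes:
    """Constructed stand-in for a JPEG file body."""
    return SOI + b"\xe0" + label * 20 + EOI


def resale_scenario() -> dict:
    part = FlashPartition()
    photos = [make_photo(b"kids at the beach "), make_photo(b"loan application scan ")]
    for i, p in enumerate(photos):
        part.write(f"IMG_000{i}.jpg", p)
    part.factory_reset()                          # seller's 'wipe'
    after_reset = carve_jpegs(part.raw_image())   # buyer's recovery tool
    part.fill_free_space()                        # the proposed fix
    after_fill = carve_jpegs(part.raw_image())
    return {"carved_after_reset": after_reset, "carved_after_fill": after_fill,
            "originals": photos}


if __name__ == "__main__":
    r = resale_scenario()
    print(len(r["carved_after_reset"]), "photos carved after reset")
    print(len(r["carved_after_fill"]), "photos carved after filling free space")
```

Real media complicate this in one direction only: wear levelling and over-provisioned blocks mean a fill pass from userspace may not reach every physical block, which is why the thread's encryption-based approach (destroying the key) is the more reliable option and the fill pass is the fallback.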
Re: (Score:2)
But you wouldn't need to re-write all of the flash memory if it is encrypted and the key is properly wiped. Without the key it might as well be random data. The trick would be to make sure that the original key isn't still lurking on one of the chips, but I'd like to think that people far smarter than me worked that part out.
And they would like to think (Score:2)
that you knew enough to wipe those copies of the keys yourself. I mean, EVERYONE knows that key lives in that directory right? Anyone who really CARED about the product would know enough to learn about it.
Re:Where the fault lies? (Score:4, Funny)
When someone says reset phone and reset data, the OS should ensure a clean wipe, not a soft wipe. It should at least fill it with 0s. And people should try to keep most of their data on SD cards and move those along when they get new phones.
There's one phone that just throws away the encryption keys, which are never stored anywhere other than in two locations on the hard drive (in encrypted form), so only these two locations need to be wiped. That phone also has the ability to access a small amount of flash memory directly without the firmware interfering, to make sure that no invisible copies of those keys are created. Well, it's not Android...
Re: (Score:2)
It does if you enable security and turn on locking. Betting all those phones never had a lock pin so the data was held in flash without any encryption.
Re:Garbage In (Score:5, Informative)
> Google's Android phones flat out REFUSE to uninstall Facebook, for example.
It uninstalls just fine, thank you very much.
Or are you referring specifically to Nexus devices?
Re: (Score:3, Insightful)
That's the carrier's doing.
Re: (Score:2)
I wonder which direction the money flows in cases like this. Does Facebook pay the carrier, or does the carrier pay Facebook? Seems to me that both parties are equally at fault here. Some suits probably had a meeting about increasing shareholder value and leveraging popular apps and shook hands, then told the dev team to make it happen. Not that I'm thrilled with bundled software being possible on Android... I wish it wasn't... but it's not Android's fault that someone got greedy.
Re: (Score:3)
FB pays the carrier or does some favors.
Look into "Facebook Zero"; they do direct collaboration with the operators to enable zero-fee (to the user) Facebook access.
Re: (Score:2)
Unfortunately, not supported by AT&T, Verizon or T-Mobile here in the US.
Re: (Score:2)
That seems like a non-sequitur. The GGP was saying it's not Android's fault that bundling was abused - I was saying that it was because it was the predictable way, in fact the only predictable way, it would be used. The feature was added to be abused.
That's not saying Android is never to be used, or that there are not better and worse implementations. But it is calling them out that this one feature has no redeeming (to the customer) use.
Re: (Score:2)
Google allows it, which is wrong. Google can easily say, "If you do not provide a clean, pure Android on your phone you can NOT call it Android in any way, and you cannot even say that it is 'compatible'." Also, it's not just AT&T. HTC bakes in all kinds of complete crap that ruins the phone.
That would stop it instantly.
Re: (Score:2)
Not if you buy a phone from AT&T or Verizon. They pile so much crap into the locked storage it's not funny.
Re: (Score:2)
You may have uninstalled the app, but did you also freeze the in-ROM Facebook SNS service? Not likely, and it will bridge (e.g. phone home) to other apps that integrate with and talk to Facebook.
Get Titanium Backup and freeze SNS, or use Root App Delete (for rooted Android phones) and get rid of that bugger. It eats data, leaks your location every 60 s, and does all sorts of things you don't need or want it doing.
Re: (Score:3)
My phone didn't even have the Facebook app installed when I bought it.
It still doesn't.
Re: (Score:2)
If it was installed before you got it you can usually only force it to stop, uninstall updates and turn it off. That is as close as you can get to uninstalling any apps that came with your phone.
Unless you install a different ROM. Then it's unlikely to be included.
Google is playing a very dangerous game. (Score:2)
If Google is suddenly perceived as untrustworthy, there will be great market pressure for Android without Play, or any other Google products. For Google's balance sheet, I hope they have not been foolish.
Re: (Score:2)
> "Users do not have control because we're experiencing what Oligarchy feels like."
No, users do not have control because they refuse to learn. CyanogenMod is your path to bliss and control for Android. If you "can't be bothered" with learning how to install it, then privacy and control are really not that important to you.
Re: (Score:2)
You realize how long this takes? You think anyone is going to wait until it would complete?
Writing zeros to every byte of a 32GB flash drive takes less than an hour, even with very slow flash (10 MB/sec write speed).
Who's at fault for this? (Score:4, Insightful)
> Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger.
How many people actually have the ability to securely wipe data on their phone to start with, without rooting it? For lots of folks, the "factory reset" option is the only thing they can do on their own, and that likely only deletes prefs and network settings and erases file system directory info. It does not overwrite the bits in the phone's storage to make them unrecoverable.
Re:Who's at fault for this? (Score:5, Insightful)
As stated above this really should be an inbuilt OS feature - "Reset for resale"
It shouldn't take an understanding or knowledge of the intricacies of how the device works or how to properly erase data. It should be automatically done by the OS since most phone users do not know how to do it properly.
Re: (Score:2)
Yes true, there is that disincentive there.
Re: (Score:3)
I would wager that the real impact is the opposite. It is like used games, on the surface it looks like a "lost sale" but in reality it provides liquidity. The used phone market then fuels the new pone market, since those that sell the phone do not have / don't want to spend the money on their yearly upgrade cycle. On the other hand those that buy the used phones don't have the money to spend on a new phone. Even though they may have spent the money on a lower end device, it is not a lost sale, since as men
Re: (Score:2)
That's a good start, but I doubt it overwrites any data - this *seems* like a soft delete and I'd expect one could still get the original data (??)
It'd also be nice if Android had such a feature built in.
Re:"What to do before selling or giving away your. (Score:5, Informative)
Nope... Apple iPhones actually securely erase the encryption keys, which renders the contents of the storage useless.
It's a big button called "Erase All Contents and Settings". It does precisely that.
Re: (Score:2)
Seems Apple have done it right, thanks for the heads up.
Obviously I'm rather ignorant regarding storage on iOS devices - I didn't realise that all data was encrypted by default (does that include images etc?).
Re: (Score:2)
Seriously - you're a tosser and a coward.
But thanks for pointing out what I missed.
Tosser.
Re: (Score:2)
No, I just didn't like his pompous righteous attitude and unnecessary insults.
There's more than one way to point out that someone overlooked a detail (or failed at reading comprehension) without being an arse about it.
Re: (Score:2)
The data is still entirely intact; just really, really hard to recover :)
unless you are the NSA that is
Re: (Score:3)
I can go in to the settings menu and select encrypt device.
Not sure if that's new for Android 4.4 or if it came earlier.
Re: Who's at fault for this? (Score:5, Funny)
Copy goatse, not music.
Give them a surprise if they try and snoop your old data.
Only Android? (Score:4, Interesting)
Re: (Score:2)
If you don't wipe your phone this can happen with anything (including an iPhone)...
However, if you reset an iPhone there is NO way to recover anything. Everything written on an iPhone is encrypted... when you reset an iPhone it securely wipes the key and then nothing is retrievable.
Re: (Score:2)
Reading between the lines, the data was recovered with recovery tools, because standard delete on a flash drive just marks a block as reusable, it doesn't actually overwrite the data.
Re: (Score:2)
Except for all of the copies in the iCloud.
Re: (Score:2)
Indeed, you do have all the data on iCloud still safe. It's not on the phone though, and neither is any username or password, so it's irrelevant to selling the phone.
Factory reset. (Score:5, Interesting)
So taking out the SD card and a factory reset is not enough anymore? But how do you run DoD-quality data wiping software on a phone's built-in memory anyway? Most people hock phones and they are re-sold with phone numbers still on them. That should not happen. Let alone personal photos.
Re: (Score:2)
Five to ten seconds in a microwave oven should do the trick. A good physical smashing is probably effective. Or just bury the damn thing. But don't sell it and have any expectation of privacy.
GNU shred on the device file. (Score:2)
... and the water is wet (Score:4, Interesting)
Yes, most devices we use don't actually wipe the data when you "reset to factory settings". Even desktop OSes don't do it (either by default or at all; they need special tools, etc). I bet this feature is really low on the "to do" list for most manufacturers of not only phones but also wifi routers, TVs, wireless cameras, you name it. We didn't (or maybe barely) manage to educate them not to put in trivial backdoors; secure wipe is a long way out.
Re: (Score:2)
Samsung market their secure wipe software as a feature, so apparently there is market demand for it.
Re: (Score:2)
Funny thing is that they messed up the command(s) to the flash memory and created a super-brick bug that would terminate your phone if the great "wipe" feature was used (for reference google MMC_CAP_ERASE).
Can't we just say people took naked pics? (Score:5, Insightful)
Why do we still talk like we're in middle school? Why the code talking? "Personal pictures", "manhood"? Can't we just say they found pictures of guys' penises, and nude to semi-nude women?
People take nude photos of themselves, don't realize it's still on the phone, and sell the thing. The fault lies with the cell phone makers who aren't actually doing real deletes of pictures. That's just dumb. Back when storage medium was on a hard drive, and computers do a LOT of IO, deleting the reference to the file made sense to improve performance. But all phones use flash as storage, and there's simply not a lot of IO that's going on in your typical phone usage. The OS should be wiping the file, or at the very least remove the reference, and wipe the file at a later (but soon) time after (like perhaps while the user is typing something and is otherwise idle).
The reality is phones get stolen, and the data is far less secure than on a PC. The OS needs to keep up with that. Deleting data for good should mean actually deleting the data. The shortcuts that've been done in the past should be a thing of the past.
Re: (Score:2)
All those erase cycles would wear out the flash memory much faster. Flash can generally only erase blocks, so to remove part of a block the entire thing has to be read, erased and re-written.
The simple solution is just to enable encryption. Android has supported it for years. Then a wipe destroys the key, and all the data is gone.
Re: (Score:2)
> All those erase cycles would wear out the flash memory much faster.
The wear limits, and wear leveling on flash memory are such that even with heavy usage you'd still outlive the lifetime of the phone by an order of magnitude at least. (on the order of 1,000,000 erases). A phone is never even going to approach heavy usage. So I reject the idea that we can't erase because it'll wear out the flash memory prematurely.
Re: (Score:3)
Avast is a corporation. Corporations tend to be conservative in their use of language (outside of the porn industry, at least). Using the term "penis" in a press release isn't going to happen.
This post is an advert (Score:3, Insightful)
This article is good reading in itself but it wound up being an advert for the poster's product. I wonder how much Dice got paid to post this "story"? Is it any wonder I spend more time over at soylentnews.org, the name of which I was going to bury in a link but couldn't because the link gets replaced with "slashdot.org"?
Re:This post is an advert (Score:4, Informative)
I don't know what you're doing. I tried several times without success. soylentnews.com was always replaced with slashdot.org.
D'oh! I'm an idiot. It helps if the href contains an "http://" as part of the URL. Ok. No more conspiracy theories now, at least not on this issue.
Re: (Score:2)
Never explain by malice that which can be explained by stupidity.
Why not just destroy your old phone? (Score:2)
By the time it is old it is worthless. Just smash it up and throw it in the river.
Re: (Score:2)
> By the time it is old it is worthless. Just smash it up and throw it in the river.
Because, when I am done with it, it is essentially a wifi-enabled mp3 player with a browser that I can take and use in situations where I might fear getting my new phone broken, lost, or wet.
Terrorists! (Score:3)
They have circumvented a protection measure, that is, wiping the phone - a faulty protection measure, but that doesn't matter. As history taught us, if you find holes and publicize them, no matter the responsibility of the manufacturer, you are a terrorist!
Moreover, it is clear they have an interest in selling their own protection products, and that they have given bad ideas to people who normally would have started using the second-hand phone and overwriting the crap with their own crap.
So why doesn't Avast end up in trouble like $RANDOM_HACKER? Huh?
phones? (Score:2)
I was wondering why someone would buy 20 crappy phones from me on eBay.
Just kidding. I take all my dirty pictures with a Polaroid. :)
Isn't this illegal? (Score:3)
How is this not a violation of the Computer Fraud and Abuse Act (CFAA)? They bypassed security measures (deletion) to access someone else's personal information without authorization. Given how broadly this has been interpreted in the past (Andrew Auernheimer was prosecuted for visiting public URLs on the Internet), Avast's act clearly should be considered a violation. Or is this a case of "if a corporation does it, it is not illegal"?
Simple solution (Score:2)
Simple (only tens of thousands of lines of code needed, hehheh). You program a Full Secure Erase feature in the phone. It wipes all personal data, resets all the settings, removes user-installed apps, deletes caches and erases the memory card. All the jazz. Filling with zeroes is used where appropriate. Then the phone is put into OOBE (out-of-box experience) mode, which means that on next startup it says "Hey, I see you are using the phone for the first time, let's set up a couple of things."
Make this a de-fac
Re: (Score:2)
... by the time I am ready to get a new phone, it's not worth the time to even post on eBay; toss that shit in the wood chipper (minus battery)...
You could do something [nnedv.org] more worthwhile [americance...edrive.org] with it, too. [911cellphonebank.org]
Re: (Score:2)
Uninstall flash.
Re: (Score:3)
So no one knows you had the Grinder app installed?
Re: (Score:2)
I bought ~40 used iPhones off eBay and at least 12 of them were still logged into social media accounts (Facebook, Twitter, Instagram, Snapchat) and had thousands of photos and videos. I did not see any nudes but I did have fun with some of their profiles.
If you have burglars who are caught by logging into facebook at a victim's home computer and not logging out before they are leaving, what can you expect?
Re: (Score:2)
s/used/stolen/
Good for you for kicking those users while they were down.
Re: (Score:3)
You mean like an iPhone? (as stated several times elsewhere on this thread).
Re: (Score:2)
This article motivated me to take a picture of my manhood, just in case I decide to sell my phone some day.
What makes you think anybody would be interested in either?
Re: (Score:2)
I would hope the probability of randomly selecting a pedophile is less than 1 in 20. Still 1000 adult nudie pictures from 20 random phones is more than I'd have guessed.