A significant number of consumers and businesses are putting themselves at risk by not using effective methods to protect their information before reselling mobile devices and drives, according to a report from Blancco Technology Group (BTG) and Kroll Ontrack, both vendors in the data erasure and recovery business.
The vendors’ report is based on an examination of 122 components, including pieces of mobile devices, hard disk drives and solid state drives, purchased in the U.S., Germany and the U.K. They found that a deletion attempt had been made on 57 percent of the mobile devices and 75 percent of the drives that contained residual data.
Even more worrying was the discovery that those deletion attempts had been unsuccessful because of the common but unreliable methods used, leaving sensitive information exposed and potentially accessible to cyber-criminals. Another distressing finding was that the residual data left on two of the second-hand mobile devices was significant enough to discern the original users’ identities, the report said.
"I’ve noticed that people tend to assume their mobile data is safe and this has a lot to do with the fact that they tend to use a one-size-fits-all approach. So more often than not, they default to using a factory reset to wipe their data, regardless of their device’s operating system, manufacturer and model," Paul Henry, IT Security Consultant for Blancco Technology Group, told eWEEK. "That’s usually where they fall into problems because not all mobile deleting methods are created equal."
Henry said that, in truth, the proper erasure method on iOS devices is not the same as it is for Android devices.
"Apple devices use encrypted storage so deletion of the encryption key makes recovery impossible," he explained. "But Android devices, on the other hand, do not use this method and rely upon a user overwriting data to erase it and prevent it from being recoverable."
A total of 2,153 emails and 10,838 texts/SMS/instant messages were retrieved from the mobile devices analyzed.
On four of the drives containing residual data, or 11 percent, only a basic delete was performed, meaning that the user simply deleted the file or sent it to the recycle bin, leaving 444,000 files exposed.
"If you look at our study’s findings and what so many other researchers have found in the last few years, you know that it’s not always easy to erase data completely from Android devices," Henry said. "Given that we found leftover data on 35 percent of the used mobile devices we examined across multiple manufacturers and models, I would say that OEMs aren’t doing enough to tackle the security problem. But to me, this is happening because they’re not baking security into the initial design and development of these products. It’s more of an after-thought and until that changes, we’re going to keep seeing these kinds of problems."