Few things are more precious, intimate and personal than the data on your smartphone. It tracks your location and logs your calls. It’s your camera and your mobile banking device; in some cases it is a payment system in and of itself that knows what you bought and when and where and for how much.
All of which explains why you wipe it before sending it off to a recycler or selling it on eBay, right? Problem is, even if you do everything right, there can still be lots of personal data left behind.
Simply restoring a phone to its factory settings won’t completely clear it of data. Even if you use the built-in tools to wipe it, when you go to sell your phone on Craigslist you may be selling all sorts of things along with it that are far more valuable — your name, birth date, Social Security number and home address, for example. You may inadvertently sell your old photos, nudes and all. The bottom line is, the stuff you thought you had gotten rid of is still there, if someone knows how to look.
“There are always artifacts left behind,” explains Lee Reiber, who runs mobile forensics for AccessData.
We wanted to see what kind of data was lurking on our devices, so we rounded up every old phone we could scrounge up from around the office and asked the owners to wipe them. Our stash consisted of two iPhone 3G models, two Motorola Droids, an LG Dare and an LG Optimus. (We had hoped for a BlackBerry, but nobody had one.) Then, we shipped the phones to Reiber, who examined them to see what he could salvage from the phones’ memory. Reiber and AccessData use customized hardware and software to retrieve data. But it also sells a rig that will let anyone do the same, and phone forensics are increasingly commonplace. Courts can certainly get the data from your phone, and with the right gear, bad guys can too. So what did we find? The results ranged from not much to quite a lot.
One of the deleted photos recovered from the SD card in the Motorola Droid.
Take the two Motorola devices. Both were wiped, and neither had much to speak of stored in their built-in memory, just some application data with no personally identifiable fingerprints.
But one user left his micro SD card in the phone. Although the contents of the card were deleted, the card had not been formatted. This, apparently, meant the files were recoverable. And because Android cached application data to this SD card, Reiber could recover e-mail data as well — enough that we could positively identify the phone’s owner via his e-mail address. But the real treasure trove was the photos and documents. The photos still had metadata, including the dates, times and locations in which the photos were shot. And while the documents were benign, if the phone’s owner had stored sensitive information on his phone — think a tax return with a Social Security number, or a .pdf bank statement — we would have had that, too.
There were similar discrepancies in what Reiber found on the two iPhones, although both were 3G models running iOS 4. On one, he recovered a few cached website images, some music and media files, application preference files and a phone number in a user library. Overall, there was not much user data, although we could trace the phone to its owner thanks to that number.
On the other, however, Reiber found a large amount of deleted personal data that he recovered because it had not been overwritten. He was able to find hundreds of phone numbers from a contacts database. Worse, he found a list of nearly every Wi-Fi and cellular access point the phone had ever come across — 68,390 Wi-Fi points and 61,202 cell sites. (This was the same location data tracking that landed Apple in a privacy flap a few years ago, and caused it to change its collection methods.) Even if the phone had never connected to any of the Wi-Fi access points, iOS was still logging them, and Reiber was able to grab them and piece together a trail of where the phone had been turned on.
The wiped phones, after being scoured for residual stored data.
Photo: Ariel Zambelich/Wired
“This person travels a bit and probably travels United,” he theorized, based on the number of airports he found where he was able to pin down information on the specific terminal where the phone had connected. “You can watch this person go using the Wi-Fi hotspots.” (Interestingly, many of the locations found in the database were places the phone’s owner had never been — most in southeast Asia. Reiber says this suggests the phone or its memory had been refurbished.)
It’s worth noting that the iPhone 3GS and newer versions use a hardware encryption key which is deleted when the phone is wiped, but data was easily recovered from these older models.
The LG Dare was particularly interesting to us in advance because it’s a feature phone that wasn’t running Android or iOS. Because it didn’t have the wealth of apps to choose from, we had assumed it might have had less data than the other devices. That wasn’t the case. Reiber uncovered text messages, e-mails and lists of websites visited, as well as EXIF data from photos — ghosts of files past that left descriptions, if not the files themselves. There was enough personal information left behind to positively identify the owner’s first and last name, e-mail address and phone number. So not only was the data recoverable, it was connectable. In short, the phone was full of evidence. An investigator would be able to positively establish that its owner had visited certain websites, and had been in certain places at certain times. One could even read the messages that had been sent.
Professional investigators and forensics teams use tablets specially designed to run recovery software by AccessData.
Photo: Ariel Zambelich/Wired
As it turns out, the Dare stored far more data after a wipe than another phone from the company, the LG Optimus, another Android phone.
“If I was a bad guy, I’d use this LG,” says Reiber. “They do a very good job of cleaning up.”
Reiber only managed to recover a few image files from the browser’s cache and the device’s phone number. The phone number is tricky, because it means you can connect the phone with the owner. But even those cached images can be used to compile a data trail. For example, one recovered image was a photo of a woman. We dropped this in Google’s reverse image search, and found a match. Turns out, the photo is someone’s YouTube profile picture. Which means that in a very roundabout way, we were able to learn that the phone’s owner had either seen one of this person’s videos, or had some other sort of interaction online. In this specific case it’s only YouTube. But if it was an image from a jihadist website, or a photo from a dating site, we would have been able to find that out, too, both of which could be trouble in a court case.
So what can you do about all this the next time you’re ready to upgrade phones? The alarming answer is not much. According to Reiber, all of our volunteers did the right thing. They used the software tools available to restore each phone to its factory settings. But that didn’t matter. The data is still there, if you have the means to recover it. In fact, Reiber says there’s only one surefire way to make sure someone isn’t going to come along behind you and scarf up your old bits: Take a hammer to it.
Update : Story updated to note iPhone 3GS and newer models use a hardware encryption key.