Thousands of pictures including
“naked selfies” have been extracted from factory-wiped phones by a
Czech Republic-based security firm.
The firm, called Avast, used publicly
available forensic security tools to
extract the images from second-hand
phones bought on eBay.
Other data extracted included emails,
text messages and Google searches.
Experts have warned that the only
way to completely delete data is to
“destroy your phone”.
Most smartphones come with a
“factory reset” option, which is
designed to wipe and reset the
device, returning it to its original
system state.
However, Avast has discovered that
some older smartphones only erase
the indexing of the data and not the
data itself, which means pictures,
emails and text messages can be
recovered relatively easily by using
standard forensic tools that anyone
can buy and download.
The company claims that of 40,000
stored photos extracted from 20
phones purchased from eBay, more
than 750 were of women in various
stages of undress, along with 250
selfies of “what appears to be the
previous owner’s manhood”.
There was an additional 1,500 family
photos of children, 1,000 Google
searches, 750 emails and text
messages and 250 contact names and
email addresses.
The company said: “Deleting files
from your Android phone before
selling it or giving it away is not
enough. You need to overwrite your
files, making them irretrievable.”
It was not made clear by Avast
whether they extracted data from all
20 phones.
Destroy the phone
Google responded that Avast used
outdated smartphones and that their
research did not “reflect the security
protections in Android versions that
are used by the vast majority of
users”.
It was recommended by Google that
all users enable encryption on their
devices before applying a factory
reset to ensure files cannot be
accessed.
This feature, said Google, has been
available for three years, although it
is not enabled by default, which
could leave less tech-savvy users
open to attack.
Apple has had built-in encryption for
its hardware and firmware since the
release of the iPhone 3GS.
The hardware encryption is
permanently enabled and users
cannot turn it off.
Additional file data protection is
available, but must be turned on in
the settings menu.
Independent computer security
analyst Graham Cluley said that if a
user is serious about privacy and
security they should make sure their
device is always “protected with a
PIN or passphrase, and that the data
on it is encrypted”.
However, Alan Calder, founder of
cybersecurity and risk management
firm IT Governance, told the BBC that
erasing data, even after it has been
encrypted, will not be enough to
completely protect your device.
“Google’s recommended routine for
protecting the data only makes it
harder for someone to recover the
data – it does not make it
impossible,” he said.
“If you don’t want your data
recovered, destroy the phone – and
that has been standard security
advice, in relation to telephones and
computer drives, for a number of
years. Any other ‘solution’ simply
postpones the point at which
someone is able to access your
confidential data.”
Comments
Post a Comment