Second-hand devices -- cheaper but risky

Recycling is generally a good thing. But it may not be such a good thing when it comes to digital devices -- smartphones, tablets and laptops.

There are security risks -- both to individuals and enterprises -- to buying and selling used devices, even when they have been reset or "wiped," to clear the memory, eliminate apps and return them to original factory settings.

Security experts say buyers should be aware that even doing all the recommended "refurbishing" measures may not eliminate Trojans or malware, which can remain on a device at the root level. And sellers should be aware that their personal or corporate information may remain on devices that they put up for sale on eBay or Craigslist.

Those risks are worth considering at any time of the year, but especially after big product releases, like Apple's recent Special Event 2015, when the company announced the long-anticipated iWatch, a new MacBook and various improvements to other products.

That is when those who must have the latest and greatest tend to flood the second-hand market with their former "must haves" and those who are happy with year-old technology come looking for good deals.

Without some major scrutiny, it could be a bad deal for both. Mario deBoer, research vice president, Security and Risk Management Strategies at Gartner for Technical Professionals, notes that, "wiping data from flash memory is not trivial, and a factory reset does not mean a complete overwrite of all data."

DeBoer said being able to totally clean a device depends in part on who makes it. "Data on mobile devices with always-on encryption can be effectively and efficiently wiped by destroying the key at factory reset," he said. "This holds for Apple devices, but most Android device manufacturers do not enable encryption by default."

That, he said, means some data can be recovered by those with the right forensic tools.
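To make deBoer's point concrete, here is an added Python simulation (not from the article or any device vendor) of a toy flash store whose "factory reset" only drops the file index. Without always-on encryption a raw page scan still finds the deleted record; with encryption, destroying the key at reset leaves nothing readable. The keystream, `Flash` class and sample record are all constructed for the illustration.

```python
import hashlib
import hmac

PAGE_SIZE = 32  # bytes per simulated flash page (constructed toy model)

def keystream(key, page_no, length):
    # Toy per-page keystream from HMAC-SHA256; illustration only, a real device
    # uses a proper disk cipher. Assumed helper, not any vendor's API.
    out, counter = b"", 0
    while len(out) < length:
        msg = page_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Flash:
    # Name->page index over raw pages; a reset drops index entries and the key,
    # never overwriting page contents, as in the reset deBoer describes.
    def __init__(self, pages, key=None):
        self.pages = [b"\x00" * PAGE_SIZE] * pages
        self.index = {}
        self.key = key  # None models a device without always-on encryption

    def write(self, name, data):
        page_no = len(self.index)
        page = data.ljust(PAGE_SIZE, b"\x00")
        if self.key is not None:
            page = xor_bytes(page, keystream(self.key, page_no, PAGE_SIZE))
        self.pages[page_no] = page
        self.index[name] = page_no

    def factory_reset(self):
        # Clears the index and destroys the key; raw pages stay as they are.
        self.index.clear()
        self.key = None

def forensic_scan(flash, needle):
    # Raw page-dump search for a known string, ignoring the index entirely.
    return [i for i, page in enumerate(flash.pages) if needle in page]

def compare_resets():
    secret = b"SMS: meet at 9"  # constructed sample record
    plain = Flash(4)
    plain.write("sms.db", secret)
    plain.factory_reset()
    encrypted = Flash(4, key=hashlib.sha256(b"constructed demo key").digest())
    encrypted.write("sms.db", secret)
    encrypted.factory_reset()
    return forensic_scan(plain, secret), forensic_scan(encrypted, secret)
```

`compare_resets()` returns the page numbers where the record is still readable on each device: the unencrypted one still exposes it after reset, the encrypted one does not.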

Indeed, a post on the avast! Blog reported that, using digital forensics, investigators were able to recover sensitive personal information including, "pictures (even very private ones!), videos, contacts, SMS messages, Facebook chat logs, Google searches, GPS location coordinates, and more," from "supposedly erased" Android devices.

[See tips for buying and selling second-hand devices on page 2]

The same risks exist for corporate data that was, presumably, erased. David Lingenfelter, information security officer at MaaS360 by Fiberlink, said the risks have expanded with the expanded use of mobile devices. "It's not just email any more," he said. "They're putting documents on them, to read later when they're offline. It could be something as sensitive as a board book document."

And Jack Walsh, Mobile Security & Special Projects manager at ICSA (International Computer Security Association) Labs, which tests security functions built into mobile devices, said that sometimes those functions may not work.

"One cannot just take the manufacturer's word for it that they do," he said, adding that the number of devices his team tested that had problems removing data was "relatively small," but still significant. Those problems, which again could create security nightmares for both individuals and enterprises, included:

- Remote wipe did not always resume if interrupted by the user.

- The same problem occurred for a local wipe in some devices.

- While a local wipe may work, it does not wipe the data on the SD card.

- Some devices don't wipe data if that data is encrypted.

- Other devices don't wipe unencrypted data.

Blake Turrentine, owner of HotWAN and a trainer for BlackHat, said another potential problem is that cloud syncs could still be enabled on devices that have otherwise been wiped. Indeed, there are multiple instruction videos on YouTube on how to recover "loss or erased" data through a cloud bypass.

There is plenty of advice online about how to improve your odds of eliminating data and possible malware on used devices. The Federal Trade Commission advises those looking to sell a device to do the factory reset and also to remove or erase SIM and SD cards, and then to run a check to make sure that phone logs, voicemails sent and received, emails, text messages, downloads and other folders, search histories and photos have all been eliminated.

The online auction site eBay also offers advice, which includes finding the electronic serial number (ESN) of a used smartphone, typically underneath the battery, and then contacting the manufacturer to check on its history, including whether it was ever reported stolen.

But experts warn again that the standard protocols may not be sufficient. "In most devices, a simple factory reset will delete all apps, including user level malware," deBoer said. "However, do not expect a reset to remove root level malware. By flashing the device with clean firmware, a buyer can reset the full system and not just the user apps. This defeats most -- even root level -- malware, but even then very advanced malware may still persist."

Another risk, according to the avast! Blog, is that, "some sellers still don't store their data on removable micro SD cards or internal storage devices. In such cases, an investigator can simply attach the cell phone via USB cable to a computer and it mounts storage as Removable Storage."

More than one expert has said that enterprises for which security is a major priority should not allow refurbished devices to be used on their networks, since the only way to really eliminate the chance of malicious code lurking in a device is to, "take a hammer to it."

Walsh said even that might not be enough, agreeing with those who say the only way to make sure data is destroyed is to destroy the device that held it, which could require an incinerator. "If you want to be truly sure you've gotten rid of all the data on your old mobile device, then even a hammer might not be sufficient to stop a determined adversary," he said.

But Walsh and others say enterprises can minimize their risk with an effective mobile policy that should start with what devices are permitted.

"The enterprise should require that phones and tablets use encryption both for on-device memory and for SD cards," he added. "In that case the policy should require users to sign an agreement not to modify the encryption settings."

Finally, he recommends that a third party (not the manufacturer) test the permitted devices to, "ensure with forensic tools that the device's built-in local wipe, remote wipe and resetting to factory settings truly removes all traces of data - both with and without encryption."

"Perhaps as an added measure the enterprise could collect and destroy any removable SD cards," he said.

Lingenfelter said if IT is buying used devices, it should, "make sure to perform a factory wipe, make sure OS is valid and make sure it is not rooted or jailbroken. There are tools out there to tell you if you're running factory code. You should also make sure encryption is on, and to replace the SIM and SD cards."

He added that there are also tools available -- some made by his firm -- that can encrypt corporate data separate from the OS, and also wipe all the corporate information without affecting anything else.

Before putting a device up for sale, "do an enterprise wipe," he said.

Stories by Taylor Armerding