In a recent experiment, researchers found 2,000 personal photos, email messages, and other information stored on used phones they purchased from pawn shops.
Avast’s Deborah Salmi explains in a blog post how the security company’s researchers purchased some 20 used phones from pawn shops located in New York, Paris, Barcelona, and Berlin.
Each shop owner assured the researchers that the devices were cleaned of all personal files ahead of time.
As it would turn out, 12 of the devices had not been wiped at all, as Salmi reports:
“Avast retrieved more than 2,000 personal photos, emails, text messages, invoices, and one adult video from the phones that the prior owner assumed was deleted. On two of the phones, the previous owners had forgotten to log out of their Gmail accounts, risking having the new owners read or send emails in their name.”
Here is what the researchers recovered from the 20 phones:
- More than 1,200 photos
- More than 200 photos with adult content
- 149 photos of children
- More than 300 emails and text messages
- More than 260 Google searches, including 170 searches for adult content
- Two previous owners’ identities
- Three invoices
- One working contract
- One adult video
Salmi goes on to observe that the researchers were able to recover personal data from 50 percent of the devices partly because they were running Android 4.3 and lower, versions of Google’s mobile OS on which the factory reset feature does not function as well as you might wish on some devices.
On some of the phones, however, the previous owners had simply forgotten to execute a factory reset or delete their information.
Experiments such as these bring into focus pawn shop owners’ responsibility to make sure each device is wiped of personal information before it is resold to a customer.
Even so, mobile users should not rely on shop owners alone to make sure their personal information is protected, Avast’s Gagan Singh explained in a press release:
“Through our research, we noticed that some people simply forget to delete their personal data and perform the factory reset before selling the device. To ensure that all data is removed, a user needs to overwrite the phone’s files. Without this, a user’s personal data could easily end up in the hands of the next owner of the phone. In the end, users are responsible for cleaning all sensitive and personal data from their devices prior to sale, and they should never rely on a shop owner to remove remaining data prior to reselling the phones.”
There is, however, a bright side.
As new smartphones ship with stronger and stronger encryption, something which is currently giving the FBI a supreme headache, used phones are coughing up less and less information when personal information has not been wiped from a device. Just one year ago, for example, Avast researchers conducted a similar experiment and found 40,000 bits of personal information. That is a huge decrease in the span of one year.
Google has also since fixed the factory reset option on newer Android devices. This feature, when coupled with the decision to remove personal information, should be enough to protect most users from the effects of identity theft and/or blackmail.