Cisco Learning Network Store Promotions Page

7.30.2014

Android's factory data reset comes up short

Resetting an Android device using the factory data reset is supposed to remove the owner's data. According to AVAST researchers it does not. Find out what they learned and a possible solution.  

Image: AVAST Software
Security pundits (including me) have pontificated on the importance of resetting a smartphone to factory-default condition before selling it, giving it away, or even recycling the device. Why the reset? To make sure all personal and financial information is removed from the phone's storage.

Resetting may not remove personal data

There are experts who now say resetting an Android smartphone does not necessarily remove the owner's data, something commonly believed to happen since the process is called "Factory Data Reset." The Android smartphone may look like it was reset. However, those having expertise in digital forensics and the right software tools are finding bits and pieces of personal information -- important remnants people more than likely rather not see publicized. Case in point, AVAST randomly purchased 20 Android smartphones from eBay. Here's what they found on the phones:
  • 40,000 photos of which 1,500 were family photos including children
  • 750 email and text messages
  • 250 names and associated email addresses
  • Identifiable information from four owners
  • 1 completed loan application

Deleted or reset makes a difference

As for the data found by AVAST, the press release said, "All 20 sellers had reset their phones to factory settings or had deleted all their files."
 
That "or" statement immediately begs the question: did the data come from phones reset to factory default, phones where owners just deleted the files, or both? Let's break it down and see why that is important -- first file deletion. As with Windows, the term delete is a misnomer. Files are never actually deleted.

Simply put, hitting the "Delete" key tells the Android device's processing system to no longer reserve the memory space allocated for the deleted file's digital information -- meaning it can be overwritten. However, until the overwrite happens the data is there for anyone to access and read. When and if the memory space is overwritten is anyone's guess.
 
Next is factory reset. A simple process, just go into Settings, the Accounts tab, and tap the "Backup and
 
 
Reset" option when it appears. Within a few minutes, the Android device is back to factory default.

The screenshot to the right gives one the impression that personal data should be gone. However, AVAST found that was not the case. AVAST claiming that factory resetting does not work is a bit unsettling to one who wrote how important it was to reset Android devices. Wanting to be absolutely sure, I contacted AVAST.

What AVAST really found

Caroline James, AVAST public relations manager, provided hard copy from a question and answer session with Jaromir Horejsi. Horejsi and David Fiser, Android forensic-analysis researchers for AVAST, were the two who determined factory resets did not remove (overwrite) the owner's data. Here are the relevant questions:

How did Avast confirm that these phones were indeed wiped or restored using the factory-reset function?
 
Horejsi: The majority of the phones were factory reset, however there were some cases when the phone was started by our virus lab, it initiated the default setup.
 
Did the techs try a controlled study, in which they reset a phone themselves and forensically tested it afterwards?
 
Horejsi: Yes, we did a proper factory reset on some phones (in case, the owner had not done this) and we were still able to find data (meaning we were able to replicate our experiments).
 
What versions of Android did you find?
 
Horejsi: Several different Android versions were present, most of the phones were using an Android 4.x.x version.
 
What were the brands/models of the smartphones? 
  • HTC: EVO V 4G, One X, Thunderbolt ADR6400L Verizon 4G, and Sensation 4G Pyramid
  • Motorola: Droid RAZR (4 phones), Droid Razr MAXX XT912M, and Atrix 4G MB860
  • Samsung: Galaxy S2 (2 phones), Galaxy S3 (3 phones), Galaxy S4 (2 phones), and Galaxy Stratosphere SCH-I405
  • LG: Optimus (2 phones)
For those who are interested in the forensic process, the two researchers supplied details in this blog post.

What is the solution?

There are many apps that claim to overwrite existing data during a reset. However, that requires additional trust on the part of the device's owner who already has serious doubts. I wanted to find a nondestructive way to ensure the data was unreadable. John Lehr is an expert at finding data on mobile devices. He does it for the San Luis Obispo Police Department. He is an evidence technician for the city as well as a mobile-device forensics instructor for Teel Technologies.

Lehr is especially good at retrieving data from phones reset by criminals. His hope is to determine the original owner. Lehr said, "I've seen a trend in recovered stolen devices over the past few years. The bad guys are rapidly restoring devices to factory settings to prevent them from being tracked by the owner or law enforcement."
 
When it comes to resetting the phone and making personal data on the phone unreadable, Lehr mentioned
 

that Google recommends users encrypt their device and then use the factory reset option from recovery mode. 

This is effective because the data is first encrypted and then the data and cache partitions are formatted upon reset. Lehr added a note of caution. He said, "It should be noted that encryption is not available to the user in devices running Gingerbread or older."
 
Lehr, during our conversation, stressed a little known fact. Even in the latest Android releases, device encryption and factory reset do not necessarily apply to SD-card partitions. The SD-card partitions can be securely written in some Android implementations, but must be done separately in the settings as shown in the screenshot at the right.

Something else important to understand is that a factory reset will not wipe, delete, or reformat SD-card partitions. Lehr mentioned, "It is here that I find user data in restored devices or devices that I cannot root or JTAG."
 
Lehr then cautioned users to remove, wipe (overwrite), or destroy the MicroSD card if one is installed and wipe the internal SD card if possible. There was something else that concerned Lehr. He said:

There may be apps to assist with this, but the term 'wipe' is used very loosely in both apps and the stock recovery. Wipe should mean -- always -- the overwriting of data. It can be done with a pattern, zeroes, or random data, it really doesn't matter. More often, however, the term is used incorrectly and means something else entirely.

Last thought

The question now becomes what of those applications advertising the ability to remotely wipe an Android device if it is stolen?
 
~ Michael Kassner

Related Posts

0 comments: