Second-hand devices – cheaper but risky

The market for used smartphones and tablets offer opportunities for both buyers and sellers. But there are risks as well, both to individuals and the enterprise

1 2 Page 2
Page 2 of 2

The same risks exist for corporate data that was, presumably, erased. David Lingenfelter, information security officer at MaaS360 by Fiberlink, an IBM company, said the risks have expanded with the expanded use of mobile devices. “It’s not just email any more,” he said. “They’re putting documents on them, to read later when they’re offline. It could be something as sensitive as a board book document.”

jack walsh

Jack Walsh, Mobile Security & Special Projects manager, ICSA Labs

And Jack Walsh, Mobile Security & Special Projects manager at ICSA (International Computer Security Association) Labs, which tests security functions built into mobile devices, said that sometimes those functions may not work.

“One cannot just take the manufacturer’s word for it that they do,” he said, adding that the number of devices his team tested that had problems removing data was “relatively small,” but still significant. Those problems, which again could create security nightmares for both individuals and enterprises, included:

- Remote wipe did not always resume if interrupted by the user. 

- The same problem occurred for a local wipe in some devices.

- While a local wipe may work, it does not wipe the data on the SD card.

- Some devices don't wipe data if that data is encrypted. 

- Other devices don't wipe unencrypted data.

Blake Turrentine, owner of HotWAN and a trainer for BlackHat said another potential problem is that cloud syncs could still be enabled on devices that have otherwise been wiped. Indeed, there are multiple instruction videos on YouTube on how to recover “loss or erased” data through a cloud bypass.

There is plenty of advice online about how to improve your odds of eliminating data and possible malware on used devices. The Federal Trade Commission advises those looking to sell a device to do the factory reset and also to remove or erase SIM and SD cards, and then to run a check to make sure that phone logs, voicemails sent and received, emails, text messages, downloads and other folders, search histories and photos have all been eliminated.

The online auction site eBay also offers advice, which includes finding the electronic serial number (ESN) of a used smartphone, typically underneath the battery, and then contacting the manufacturer to check on its history, including whether it was ever reported stolen.

But experts warn again that the standard protocols may not be sufficient. “In most devices, a simple factory reset will delete all apps, including user level malware,” deBoer said. “However, do not expect a reset to remove root level malware. By flashing the device with clean firmware, a buyer can reset the full system and not just the user apps. This defeats most – even root level – malware, but even then very advanced malware may still persist.”

Another risk, according to the avast! Blog, is that, “some sellers still don’t store their data on removable micro SD cards or internal storage devices. In such cases, an investigator can simply attach the cell phone via USB cable to a computer and it mounts storage as Removable Storage.”

More than one expert has said that enterprises for which security is a major priority should not allow refurbished devices to be used on their networks, since the only way to really eliminate the chance of malicious code lurking in a device is to, “take a hammer to it.”

Walsh said even that might not be enough, agreeing with those who say the only way to make sure data is destroyed is to destroy the device that held it, which could require an incinerator. “If you want to be truly sure you've gotten rid of all the data on your old mobile device, then even a hammer might not be sufficient to stop a determined adversary,” he said.

But Walsh and others say enterprises can minimize their risk with an effective mobile policy that should start with what devices are permitted.

“The enterprise should require that phones and tablets use encryption both for on-device memory and for SD cards,” he added. “In that case the policy should require uses to sign an agreement not to modify the encryption settings.”

Finally, he recommends that a third party (not the manufacturer) test the permitted devices to, “ensure with forensic tools that the device’s built-in local wipe, remote wipe and resetting to factory settings truly removes all traces of data - both with and without encryption.”

“Perhaps as an added measure the enterprise could collect and destroy any removable SD cards,” he said.

Lingenfelter said if IT is buying used devices, it should, “make sure to perform a factory wipe, make sure OS is valid and make sure it is not rooted or jailbroken. There are tools out there to tell you if you’re running factory code. You should also make sure encryption is on, and to replace the SIM and SD cards.”

He added that there are also tools available – some made by his firm – that can encrypt corporate data separate from the OS, and also wipe all the corporate information without affecting anything else.

Before putting a device up for sale, “do an enterprise wipe,” he said.

1 2 Page 2
Page 2 of 2
SUBSCRIBE! Get the best of CSO delivered to your email inbox.