Second-hand devices – cheaper but risky

The market for used smartphones and tablets offers opportunities for both buyers and sellers. But there are risks as well, both to individuals and the enterprise.

Recycling is generally a good thing. But it may not be such a good thing when it comes to digital devices – smartphones, tablets and laptops.

There are security risks – both to individuals and enterprises – to buying and selling used devices, even when they have been reset or “wiped,” to clear the memory, eliminate apps and return them to original factory settings.

Security experts say buyers should be aware that even doing all the recommended “refurbishing” measures may not eliminate Trojans or malware, which can remain on a device at the root level. And sellers should be aware that their personal or corporate information may remain on devices that they put up for sale on eBay or Craigslist.

Those risks are worth considering at any time of the year, but especially after big product releases, like Apple’s recent Special Event 2015, when the company announced the long-anticipated iWatch, a new MacBook and various improvements to other products.

That is when those who must have the latest and greatest tend to flood the second-hand market with their former “must haves” and those who are happy with year-old technology come looking for good deals.

Without some major scrutiny, it could be a bad deal for both. Mario deBoer, research vice president, Security and Risk Management Strategies at Gartner for Technical Professionals, notes that, “wiping data from flash memory is not trivial, and a factory reset does not mean a complete overwrite of all data.”

David Lingenfelter, information security officer, MaaS360 by Fiberlink

DeBoer said being able to totally clean a device depends in part on who makes it. “Data on mobile devices with always-on encryption can be effectively and efficiently wiped by destroying the key at factory reset,” he said. “This holds for Apple devices, but most Android device manufacturers do not enable encryption by default.”

That, he said, means some data can be recovered by those with the right forensic tools.

Indeed, a post on the avast! Blog reported that, using digital forensics, investigators were able to recover sensitive personal information including, “pictures (even very private ones!), videos, contacts, SMS messages, Facebook chat logs, Google searches, GPS location coordinates, and more,” from “supposedly erased” Android devices.
