Second-hand devices -- cheaper but risky

13.04.2015
Recycling is generally a good thing. But it may not be such a good thing when it comes to digital devices -- smartphones, tablets and laptops.

There are security risks -- both to individuals and enterprises -- to buying and selling used devices, even when they have been reset or "wiped," to clear the memory, eliminate apps and return them to original factory settings.

Security experts say buyers should be aware that even taking all the recommended "refurbishing" measures may not eliminate Trojans or malware, which can remain on a device at the root level. And sellers should be aware that their personal or corporate information may remain on devices that they put up for sale on eBay or Craigslist.

Those risks are worth considering at any time of the year, but especially after big product releases, like Apple's recent Special Event 2015, when the company announced the long-anticipated iWatch, a new MacBook and various improvements to other products.

That is when those who must have the latest and greatest tend to flood the second-hand market with their former "must haves" and those who are happy with year-old technology come looking for good deals.

Without some major scrutiny, it could be a bad deal for both. Mario deBoer, research vice president, Security and Risk Management Strategies at Gartner for Technical Professionals, notes that, "wiping data from flash memory is not trivial, and a factory reset does not mean a complete overwrite of all data."

DeBoer said being able to totally clean a device depends in part on who makes it. "Data on mobile devices with always-on encryption can be effectively and efficiently wiped by destroying the key at factory reset," he said. "This holds for Apple devices, but most Android device manufacturers do not enable encryption by default."

That, he said, means some data can be recovered by those with the right forensic tools.

Indeed, a post on the avast! Blog reported that, using digital forensics, investigators were able to recover sensitive personal information including, "pictures (even very private ones!), videos, contacts, SMS messages, Facebook chat logs, Google searches, GPS location coordinates, and more," from "supposedly erased" Android devices.


The same risks exist for corporate data that was, presumably, erased. David Lingenfelter, information security officer at MaaS360 by Fiberlink, said the risks have grown with the expanded use of mobile devices. "It's not just email any more," he said. "They're putting documents on them, to read later when they're offline. It could be something as sensitive as a board book document."

And Jack Walsh, Mobile Security & Special Projects manager at ICSA (International Computer Security Association) Labs, which tests security functions built into mobile devices, said that sometimes those functions may not work.

"One cannot just take the manufacturer's word for it that they do," he said, adding that the number of devices his team tested that had problems removing data was "relatively small," but still significant. Those problems, which again could create security nightmares for both individuals and enterprises, included:

- Remote wipe did not always resume if interrupted by the user. 

- The same problem occurred for a local wipe in some devices.

- While a local wipe may work, it does not wipe the data on the SD card.

- Some devices don't wipe data if that data is encrypted. 

- Other devices don't wipe unencrypted data.

Blake Turrentine, owner of HotWAN and a trainer for BlackHat, said another potential problem is that cloud syncs could still be enabled on devices that have otherwise been wiped. Indeed, there are multiple instruction videos on YouTube on how to recover "lost or erased" data through a cloud bypass.

There is plenty of advice online about how to improve your odds of eliminating data and possible malware on used devices. The Federal Trade Commission advises those looking to sell a device to do the factory reset and also to remove or erase SIM and SD cards, and then to run a check to make sure that phone logs, voicemails sent and received, emails, text messages, downloads and other folders, search histories and photos have all been eliminated.

The online auction site eBay also offers advice, which includes finding the electronic serial number (ESN) of a used smartphone, typically underneath the battery, and then contacting the manufacturer to check on its history, including whether it was ever reported stolen.

But experts warn again that the standard protocols may not be sufficient. "In most devices, a simple factory reset will delete all apps, including user level malware," deBoer said. "However, do not expect a reset to remove root level malware. By flashing the device with clean firmware, a buyer can reset the full system and not just the user apps. This defeats most -- even root level -- malware, but even then very advanced malware may still persist."

Another risk, according to the avast! Blog, is that, "some sellers still don't store their data on removable micro SD cards or internal storage devices. In such cases, an investigator can simply attach the cell phone via USB cable to a computer and it mounts storage as Removable Storage."

More than one expert has said that enterprises for which security is a major priority should not allow refurbished devices to be used on their networks, since the only way to really eliminate the chance of malicious code lurking in a device is to, "take a hammer to it."

Walsh said even that might not be enough, agreeing with those who say the only way to make sure data is destroyed is to destroy the device that held it, which could require an incinerator. "If you want to be truly sure you've gotten rid of all the data on your old mobile device, then even a hammer might not be sufficient to stop a determined adversary," he said.

But Walsh and others say enterprises can minimize their risk with an effective mobile policy that should start with what devices are permitted.

"The enterprise should require that phones and tablets use encryption both for on-device memory and for SD cards," he added. "In that case the policy should require users to sign an agreement not to modify the encryption settings."

Finally, he recommends that a third party (not the manufacturer) test the permitted devices to, "ensure with forensic tools that the device's built-in local wipe, remote wipe and resetting to factory settings truly removes all traces of data - both with and without encryption."

"Perhaps as an added measure the enterprise could collect and destroy any removable SD cards," he said.
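
The kind of post-wipe check Walsh recommends can be illustrated on a raw storage image. The following Python code is an added example, not from the article or from any vendor's tool; the signature list, block size, function names and the sample images are assumptions constructed for illustration.

```python
BLOCK = 4096  # scan granularity in bytes (assumption)
# Common file signatures whose presence after a wipe means user data survived.
SIGNATURES = {
    b"\xff\xd8\xff\xe0": "JPEG image",
    b"SQLite format 3\x00": "SQLite database",
    b"PK\x03\x04": "ZIP/APK container",
}

def scan_image(image: bytes) -> dict:
    """Scan a raw post-wipe image; report leftover signatures and non-blank blocks."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(magic, pos + 1)
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    # Erased flash reads back as 0xFF, zero-filled media as 0x00.
    dirty = sum(1 for b in blocks if b.strip(b"\x00\xff"))
    return {"hits": sorted(hits), "dirty_blocks": dirty,
            "total_blocks": len(blocks), "clean": not hits and dirty == 0}

def verify_wipe(images: dict) -> dict:
    """Check every storage area separately: internal flash and SD card."""
    return {name: scan_image(img) for name, img in images.items()}

# --- Constructed sample data (not from a real device) ---
def make_used_storage() -> bytes:
    index = b"FSINDEX photo.jpg@1 msgs.db@2".ljust(BLOCK, b"\x00")
    photo = (b"\xff\xd8\xff\xe0" + b"JFIF holiday").ljust(BLOCK, b"\x00")
    msgs = (b"SQLite format 3\x00" + b"sms: see you at 8").ljust(BLOCK, b"\x00")
    return index + photo + msgs + b"\xff" * BLOCK

def index_only_reset(image: bytes) -> bytes:
    """Model of a reset that clears the file index but leaves data blocks."""
    return b"\x00" * BLOCK + image[BLOCK:]

def full_overwrite(image: bytes) -> bytes:
    """Model of a wipe that rewrites every block."""
    return b"\x00" * len(image)

if __name__ == "__main__":
    used = make_used_storage()
    report = verify_wipe({
        "internal (index-only reset)": index_only_reset(used),
        "internal (full overwrite)": full_overwrite(used),
        "sdcard (untouched by local wipe)": used,
    })
    for name, r in report.items():
        print(name, "CLEAN" if r["clean"] else "RESIDUAL DATA", r["hits"])
```

On a device with always-on encryption, non-blank blocks after a reset are expected ciphertext, so signature hits are the meaningful signal there. Internal memory and the SD card have to be imaged and scanned separately, since a local wipe may leave the card untouched.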

Lingenfelter said if IT is buying used devices, it should, "make sure to perform a factory wipe, make sure OS is valid and make sure it is not rooted or jailbroken. There are tools out there to tell you if you're running factory code. You should also make sure encryption is on, and to replace the SIM and SD cards."

He added that there are also tools available -- some made by his firm -- that can encrypt corporate data separate from the OS, and also wipe all the corporate information without affecting anything else.

Before putting a device up for sale, "do an enterprise wipe," he said.

(www.csoonline.com)

Taylor Armerding