
This doesn't look good :(

And here I was about to donate my S3, don't think I will now....

http://arstechnica.com/security/201...eaves-crypto-and-login-keys-ripe-for-picking/
My gosh, yet another slow news day for the Chicken Littles at ars technica (a once fine site who hasn't seen a sky not falling in years).

First - the assertion that this is a first study.

False. This is a continuation of studies done in the past on this very subject. Don't bet cash money that you won't find similar past ars technica articles by looking.

Second - add ons don't do a great job wiping data.

True. And why give an app that trust in the first place?

Third - the money quote, right at the end of the article -

"We conclude the only viable solutions are those driven by vendors themselves," they wrote.

True.

Samsung has included a very nice factory data reset on your phone. So has HTC and nearly everyone else.

You can typically get to it through settings but if your phone is bad off, you can usually get to it by booting into the stock recovery with a Vulcan nerve pinch on some buttons.

So that makes our top story today -

Researchers conclude that the vendor provided method for wiping your phone is viable.

In other news -

The sky! Still not falling, ars technica unsure, quotes a study!
 
Flash memory can and does retain data, hard drives do as well, even though the OS might be commanded to delete it. Only way to ensure a complete and secure erase is a multi-pass data write with truly random bits, Department of Defense, DoD secure erasing I believe it's sometimes known as. Hard drives can be bulk erased as well, or just physically smashed or shredded. Phones can also be shredded or smashed as well.

There are people in "tech recycling" e-waste hell-holes like Guyana, Africa and Guiyu, China whose entire business is to find data on discarded PCs, laptops, phones, tablets, etc, and to sell what they find.
 
Uh huh.

Is this the point where I dig up the study done on that with a cell phone?

Because it exists.

Conclusion - due to the extraordinary difficulty of bringing such forensic tools to bear on a mobile device not intended to give easy direct access - unlike a USB stick or a disk drive - access to the methods is out of reach to all except those with advanced laboratory setups.

And even then, full recovery did not occur consistently.

No criminal or criminal organization is going to destroy phone motherboards to get to data that they otherwise often do get - because some people don't wipe out their phones before selling or after stolen.

Pretty sure that they just flash a stolen IMEI/MEID over those that aren't easy pickings and just sell them hot.

I claim again:

The sky - still not falling.
 
Yeh, I know the sky is not falling, except at ars technica. :D

But it has been a long standing and documented problem with storage devices, both solid state and mechanical, they can and do retain data even if the OS or an app states it's erased. If someone is desperate enough, is their livelihood and has the equipment, they'll pull the device apart and read the flash chips directly, and they're destroying these devices anyway in order to "recycle" the gold, copper, tin, and other metals. There's plenty of that sort of equipment available in China, JTAG and things.

Much of the world's e-waste that's sent for recycling, is containered up and goes right back to where it started from, Guangdong Province.
 
99.995% of the phones that have the FDR performed on them, are indeed safe from future spies trying to get into them....

As EarlyMon says, unless you have a Forensic Laboratory, it ain't going to happen.
And yes, the FDR is just a Quick Format not unlike Windows does a QF on their OS hard drives... the data is still there, but the directory index is destroyed, and the way Android works, getting access to that low of a level is darn near impossible.

For me, I don't need to worry, I have never turned loose of any phone I have unless it is totally broken.... it goes in the cabinet for future possible "save my ass" days when something happens to the phone I am using..... like a water dunking about 5 years ago, or the niece losing her phone altogether last month.... she used my spare until she could buy a new one again.
 
Thing is you don't need a full blown forensic lab and the OS doesn't even have to boot. Just an inexpensive JTAG rig and a PC is all you need to read and dump everything that's stored in the flash memories.

Send your old phone to recycling, it very likely ends up in somewhere like Guiyu, Shantou, China. They're all broken up, parts sorted out and typed. Someone in his shed, has a big pile of Samsung logic boards to go through, plugs them in the JTAG, dumping flash contents, seeing if there's anything useful in the way of valuable data. And in the next street, they're doing similar things with stacks of hard drives from old PCs and laptops.

This is not a new problem by any means, companies and organizations with confidential data, have been required to securely dispose of their old storage media for years, like degaussing or shredding hard drives. And now it has to include devices with solid state storage media.
 
I saw something on TV about this about a year ago or so. I wish I can remember what show it was....
Anyhow.. Pretty interesting stuff to say the least.
 

Sure I saw that myself. They put a satellite tracking device in an old TV set to see where it ended up. Sent it for recycling in the US, a few months later it turned up at some village in Guyana, and there was a dude in a hut, with a stack of hard drives going through them. There was credit card details, social security numbers, passwords, names and addresses, medical records, all sorts of things.

If you do send an old electronics item like a laptop, phone or tablet for recycling, the chances are it's going to end up in some hell-hole village somewhere, where they're doing this stuff in the streets and houses. Not in a properly controlled large recycling plant. The people who are after the data are organized gangs, and going to use it for criminal purposes like phishing. And very likely the very same people who are making all the illegal knock-off Samsungs and iPhones. They certainly know how this stuff works.

The sky is certainly not falling,...LOL ...just have to be aware of what happens to your old stuff and how best to dispose of it, if you're not keeping it that is. :thumbsupdroid:
 
Regarding wiping ... a curious question ...

In Motorola phones a release came out and it no longer did a Wipe Cache Partition when you did a Factory Data Reset. When 4.4.4 came out one of the changes was that it did.

Prior to the time when the Wipe Cache partition was not being done ... it was being done and took about 20sec to complete. After the fix was made a Wipe Cache Partition then took about 6 MINUTES.

No one has ever given an explanation of why it takes so long to do a Wipe Cache Partition.

Could it be that it is addressing the very issue being discussed here?

... Thom
 
6 minutes, it sounds like it could be doing a proper secure, overwrite the data erase, rather than just deleting directories and filenames, which would only take a few seconds usually. That's what mobile devices with confidential data should be doing anyway, when instructed to factory reset and forget everything.

With physically pulling phones apart and directly connecting with the flash chips, JTAG. It's like why bother trying to defeat the front-end security, messing around booting the OS, the locks and passwords, etc. when you can just literally pull the roof and walls from the vault, and just walk straight in there, and help yourself to everything. It's very likely forensic labs will have equipment for directly reading these things as well.
 

My point exactly. Perhaps the problem of being able to read the data is actually solved.

... Thom
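
The difference discussed above between a reset that only destroys the directory index and one that overwrites the data, shown as a wipe-verification check. This is an added example, not code from anyone in the thread; the toy image layout, the canary string and all function names are assumptions made for illustration.

```python
import os

BLOCK = 4096  # assumed block size; block 0 holds the "directory index"

def make_image(files, blocks=16):
    """Build a constructed image: index in block 0, one file per later block."""
    img, index = bytearray(blocks * BLOCK), []
    for n, (name, data) in enumerate(files.items(), start=1):
        img[n * BLOCK:n * BLOCK + len(data)] = data
        index.append(f"{name}:{n}:{len(data)}".encode())
    idx = b"\n".join(index)
    img[0:len(idx)] = idx
    return img

def quick_reset(img):
    """Zero only the index, as a quick format does; data blocks are untouched."""
    img[0:BLOCK] = bytes(BLOCK)

def overwrite_reset(img):
    """Overwrite every block of the image with random bytes (single pass)."""
    img[:] = os.urandom(len(img))

def list_files(img):
    """What the OS would report: names parsed from the index block."""
    raw = bytes(img[0:BLOCK]).rstrip(b"\x00")
    return [l.split(b":")[0].decode(errors="replace") for l in raw.split(b"\n") if l]

def residue_blocks(img, canaries):
    """Raw scan that ignores the index: block numbers still holding a canary."""
    hits = []
    for b in range(len(img) // BLOCK):
        chunk = bytes(img[b * BLOCK:(b + 1) * BLOCK])
        if any(c in chunk for c in canaries):
            hits.append(b)
    return hits

def demo():
    canary = b"CANARY-constructed-4f1c9a"  # constructed marker planted before the wipe
    files = {"contacts.db": b"name=alice;" + canary, "token.txt": canary + b";login"}
    img = make_image(files)
    before = (list_files(img), residue_blocks(img, [canary]))
    quick_reset(img)
    after_quick = (list_files(img), residue_blocks(img, [canary]))
    overwrite_reset(img)
    return before, after_quick, residue_blocks(img, [canary])

if __name__ == "__main__":
    print(demo())
```

The toy models only the logical view of storage; real flash adds wear leveling and spare blocks, so a logical overwrite is not guaranteed to reach every physical cell.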
 
Sure I saw that myself. They put a satellite tracking device in an old TV set to see where it ended up. Sent it for recycling in the US, a few months later it turned up at some village in Guyana, and there was a dude in a hut, with a stack of hard drives going through them. There was credit card details, social security numbers, passwords, names and addresses, medical records, all sorts of things.

If you do send an old electronics item like a laptop, phone or tablet for recycling, the chances are it's going to end up in some hell-hole village somewhere, where they're doing this stuff in the streets and houses. Not in a properly controlled large recycling plant. The people who are after the data are organized gangs, and going to use it for criminal purposes like phishing. And very likely the very same people who are making all the illegal knock-off Samsungs and iPhones. They certainly know how this stuff works.

The sky is certainly not falling,...LOL ...just have to be aware of what happens to your old stuff and how best to dispose of it, if you're not keeping it that is. :thumbsupdroid:

Clear something up for me.

What percentage of the more than one billion smartphones discarded every year end up in villages and back alleys being treated as if in a forensics lab, disassembled successfully to directly access memory chips, where researchers have been able to only recover fragments with the best tools known?
 

I'm just thinking of all the millions of disused smart-phones that are put in these things...
[Image: cell_phone.jpg]


All shoved in containers and shipped back to China, where they originally come from, to the recycling villages.

The phone you discarded six months previously, and suddenly your bank is reporting suspicious transactions on your credit card. And you tell them, you never filled up at a gas station in Guangzhou.
 
I've never seen such a container but I'm sure that the path exists as you say.

I still assert that that's the last and smallest stop in the chain, with only chances for partial success.

Long before that threat comes people not practicing safe browsing, accepting email scams, and then recycling or selling phones without even trying to reset them.

No amount of secure wiping can cure those habits.

My objection remains - that was not first research and this is not news, and it's not even close to the top in normal security threats.

Google recently implemented full encryption for the Nexus.

Now there's a good answer.

But because they didn't use the faster Qualcomm methods, their software version caused lag.

So the first thing that people did was disable the encryption.

Secure wiping is just another habit to avoid, it's not the answer.

And your pc example is solid proof of that.

And for my final trick - a show of hands please -

1. How many here have encrypted their sd cards (or ever did if not using one now)?

2. How many are using an encrypted credentials locker, here and on the pc?

3. How many have always used a secure wipe for an old hard drive?

4. How many times have you said, I can't, it's crashed?

5. How many have turned on the option, or looked for one, to turn on hard drive encryption before the fact?
 
Good old Arse Technica.

EM, I've spoken to the media and the chairs of the DNC and RNC. I've arranged for you to be added to all presidential debates going forward as a no-BS fact checker. :D
 