
Criminals can recover SMS messages, passwords and browsing history from second-hand phones

Ever sold a phone to a second-hand shop? Well, your sensitive data, including SMS messages, browsing history, email passwords and even medical information, could still be lurking inside your cast-off handset, according to new research.

Many second-hand phone shops tell customers that when they sell their old phones, all of their data will be erased, but analysts working with a Channel 4 investigation found that this might not be the case.

The journalists bought three second-hand mobile phones from the high-street second-hand electronics shop CEX, which says it deletes data from phones once they are bought in. However, the researchers were able to recover large amounts of sensitive data from them.

One phone alone yielded a total of 5,000 files, including SMS messages the previous owner had exchanged with his girlfriend, and his web browsing history, including visits to porn sites.

Another device coughed up a username and password for a work email account, full name, postal address and medical records. The team "recovered personal data from almost every phone we had been provided with."

Such information could easily be used for identity fraud.

Cookies remaining on the devices could even be used to impersonate users online, something that the researchers refrained from, as they believed it constituted "crossing an ethical line."

A CEX spokesman told the press: "As technology evolves, so do our systems and we are currently rolling out a new procedure that improves on the current erasing technique used in the second hand phone market."

SensePost, the security firm that worked with the journalists to recover the data, wrote in a blog post that it was "trivial" to recover such large amounts of data from smartphones and said that unencrypted handsets were "easy game".

"iPhone devices encrypt their data by default, which makes it hard (almost impossible) to recover data after performing a factory reset," it said.

However, "Android devices by default have no encryption, which means that somebody (like us) could easily recover large amounts of supposedly deleted data."

Other systems have similar weaknesses, according to the firm.

"Both Windows Phone 8 and BlackBerry allow optional encryption to be configured," SensePost wrote, "but this is not enabled by default. Windows Phone 7 does not support encryption of the core filesystem."

"If you have an existing phone that you're about to sell we'd recommend you encrypt the phone twice after resetting it to factory default (once to destroy your data, the second time to destroy the key used for the first round)."
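To make the mechanism behind these quotes concrete, here is an added simulation (my own illustration, not SensePost's code or the tooling used in the investigation). It builds a constructed flash image holding three sample files, performs a "factory reset" that only reinitialises the file table, carves strings from the raw blocks the way a forensic tool would, and then shows what full-disk encryption changes. Everything in it is an assumption for illustration: the file names and contents are made up, an HMAC-SHA256 counter-mode keystream stands in for the device's AES (it is not production cryptography), the reset is assumed to leave both the data blocks and the key footer untouched, and the key is stored raw rather than wrapped by the user's PIN, purely so the key-recovery step is visible.

```python
"""
Why a factory reset leaks data from an unencrypted phone, and why
encrypting it (and destroying the key) does not.  Added illustration,
not SensePost's tooling; sample data is constructed, the 'flash' is a
bytearray, and an HMAC-SHA256 counter-mode keystream stands in for AES.
"""
import hashlib
import hmac
import re
import secrets

BLOCK = 64                                    # one flash block / sector
TABLE_BLOCKS = 2                              # file table (metadata) region
DATA_BLOCKS = 12                              # file contents
DATA_OFF = TABLE_BLOCKS * BLOCK
FOOTER_OFF = DATA_OFF + DATA_BLOCKS * BLOCK   # stand-in for the crypto footer
FLASH_SIZE = FOOTER_OFF + BLOCK
KEY_LEN = 32

# Constructed sample files, in the spirit of what the investigation found.
SAMPLE_FILES = {
    "sms/0001.txt": b"SMS from +44 7700 900123: meet me at 8, love you x",
    "mail/account.cfg": b"user=j.smith@example.com pass=Winter2013!",
    "browser/history.db": b"http://example.com/medical/results?id=4417",
}


def keystream(key: bytes, nonce: int, nbytes: int) -> bytes:
    """Counter-mode keystream from a keyed PRF; one stream per nonce."""
    out, ctr = bytearray(), 0
    while len(out) < nbytes:
        msg = nonce.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def write_files(files: dict) -> bytearray:
    """Lay files out in plaintext: a file table up front, each file starting
    on a block boundary in the data region, as an unencrypted phone would."""
    flash = bytearray(FLASH_SIZE)
    table, off = [], DATA_OFF
    for name, data in files.items():
        assert off + len(data) <= FOOTER_OFF, "constructed image too small"
        flash[off:off + len(data)] = data
        table.append(f"{name}@{off}:{len(data)}")
        off += -(-len(data) // BLOCK) * BLOCK      # round up to next block
    entry = "\n".join(table).encode()
    flash[:len(entry)] = entry
    return flash


def xor_blocks(flash: bytearray, key: bytes) -> None:
    """Encrypt or decrypt every data block in place; the block offset is the
    IV, in the spirit of dm-crypt's per-sector IV."""
    for off in range(DATA_OFF, FOOTER_OFF, BLOCK):
        flash[off:off + BLOCK] = xor(flash[off:off + BLOCK], keystream(key, off, BLOCK))


def encrypt_phone(flash: bytearray, key: bytes) -> None:
    """'Encrypt phone': encrypt the data region in place and park the key in
    the footer.  A real device wraps the key with the PIN; it is stored raw
    here (assumption) only so the key-recovery step below is visible."""
    xor_blocks(flash, key)
    flash[FOOTER_OFF:FOOTER_OFF + KEY_LEN] = key


def factory_reset(flash: bytearray) -> None:
    """Quick reset: reinitialise the file table and touch nothing else, so
    data blocks and footer survive (the behaviour the article describes)."""
    flash[:DATA_OFF] = bytes(DATA_OFF)


def carve(flash: bytearray, min_len: int = 16) -> list:
    """Forensic string carving over the raw data blocks, ignoring the table."""
    region = bytes(flash[DATA_OFF:FOOTER_OFF])
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, region)]


def scenario_unencrypted() -> list:
    """Never encrypted: the reset wipes the index, the contents stay."""
    flash = write_files(SAMPLE_FILES)
    factory_reset(flash)
    return carve(flash)


def scenario_encrypted_once() -> list:
    """Reset, then encrypt once: blocks become ciphertext, but the key is
    still on the device, so whoever can read the footer decrypts them."""
    flash = write_files(SAMPLE_FILES)
    factory_reset(flash)
    encrypt_phone(flash, secrets.token_bytes(KEY_LEN))
    xor_blocks(flash, bytes(flash[FOOTER_OFF:FOOTER_OFF + KEY_LEN]))
    return carve(flash)


def scenario_encrypted_twice() -> list:
    """SensePost's advice: the second pass overwrites the first key, so
    peeling the outer layer leaves ciphertext under a key that no longer
    exists anywhere."""
    flash = write_files(SAMPLE_FILES)
    factory_reset(flash)
    encrypt_phone(flash, secrets.token_bytes(KEY_LEN))
    factory_reset(flash)
    encrypt_phone(flash, secrets.token_bytes(KEY_LEN))
    xor_blocks(flash, bytes(flash[FOOTER_OFF:FOOTER_OFF + KEY_LEN]))
    return carve(flash)


if __name__ == "__main__":
    print("unencrypted  :", scenario_unencrypted())
    print("encrypted x1 :", scenario_encrypted_once())
    print("encrypted x2 :", scenario_encrypted_twice())
```

Running it, the first two scenarios hand back all three sample records (the SMS, the mail credentials and the medical URL) and the third hands back nothing. The point of the second scenario is the caveat in the advice: turning encryption on converts the leftover blocks to ciphertext, but as long as the key is still on the handset the data is only as safe as the key store, which is why the blog recommends a second round to overwrite it. Destroying the key is also the more reliable route than overwriting the blocks themselves, because NAND wear levelling means a logical overwrite does not guarantee the old physical block was rewritten.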

Image: Flickr (Meanest Indian)