
Criminals can recover SMS messages, passwords and history from second-hand phones

Ever sold a phone to a second-hand shop? Well, your sensitive data, including SMS messages, browsing history, email passwords and even medical information, could still be lurking inside your cast-off handset, according to new research.

Many second-hand phone shops tell customers that when they sell their old phones, all of their data will be erased, but analysts working with a Channel 4 investigation found that this is not always the case.

The journalists bought three second-hand mobile phones from the high-street second-hand electronics chain CEX, which says it deletes data from phones once it has bought them. The researchers were nonetheless able to recover large amounts of sensitive data from the handsets.

One phone even yielded a total of 5,000 files, including SMS messages its previous owner had exchanged with his girlfriend, and his web browsing history, including visits to porn sites.

Another device coughed up a username and password for a work email account, along with the owner's full name, postal address and medical records. The team "recovered personal data from almost every phone we had been provided with."

Such information could easily be used for identity fraud.

Cookies remaining on the devices could even have been used to impersonate their former owners online, something the researchers refrained from doing because they believed it would be "crossing an ethical line."

A CEX spokesman told the press: "As technology evolves, so do our systems and we are currently rolling out a new procedure that improves on the current erasing technique used in the second hand phone market."

SensePost, the security firm that worked with the journalists to recover the data, wrote in a blog post that it was "trivial" to recover such large amounts of data from smartphones, and said that unencrypted handsets were "easy game".

"iPhone devices encrypt their data by default, which makes it hard (almost impossible) to recover data after performing a factory reset," it said.

However, "Android devices by default have no encryption, which means that somebody (like us) could easily recover large amounts of supposedly deleted data."

Other systems have similar weaknesses, according to the firm.

"Both Windows Phone 8 and BlackBerry allow optional encryption to be configured," SensePost wrote, "but this is not enabled by default. Windows Phone 7 does not support encryption of the core filesystem."

"If you have an existing phone that you're about to sell we'd recommend you encrypt the phone twice after resetting it to factory default (once to destroy your data, the second time to destroy the key used for the first round)."
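To make the reasoning behind the iPhone/Android contrast and the "encrypt twice" advice concrete, the following simulation is an added example; it is not SensePost's tooling and not a real phone filesystem. It models a handset's flash as a raw byte array with a toy filesystem whose factory reset, like an unencrypted reset of the period, rewrites only the metadata; a forensic carver that ignores the filesystem and scans the raw dump for message text; and a toy full-disk encryption that writes its key into a footer on the device (a stand-in for Android's crypto footer, stored unwrapped here rather than PIN-protected, with an HMAC-SHA256 keystream in place of AES). It shows that the reset leaves the SMS carveable, that a single round of encryption still leaves it recoverable to anyone who pulls the stored key out of the same dump, and that the second round overwrites that key. All file names, message text, keys and sizes are constructed for the illustration.

```python
"""Toy simulation of a phone's flash: why a factory reset leaves files
carveable on an unencrypted device, and why encrypting twice helps.
Constructed example; not SensePost's tooling and not a real filesystem."""
import hashlib
import hmac
import re
from typing import Dict, List

BLOCK = 64                   # bytes per block (toy size)
DATA_BLOCKS = 32             # size of the data area in blocks
FOOTER = 32                  # trailing bytes that hold the (toy) key
DATA_END = DATA_BLOCKS * BLOCK
IMAGE_SIZE = DATA_END + FOOTER

SMS_RE = re.compile(rb"SMS:[^\x00]+")   # what a carver looks for in a raw dump


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the device's AES: XOR with an HMAC-SHA256 counter
    keystream. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class Flash:
    """Raw NAND-like byte array plus a directory (name -> block list).
    Deleting or reformatting only rewrites the directory; the blocks
    themselves are untouched, which is what makes carving work."""

    def __init__(self) -> None:
        self.image = bytearray(IMAGE_SIZE)      # all zero: no data, no key
        self.directory: Dict[str, List[int]] = {}

    def write_file(self, name: str, content: bytes) -> None:
        used = {b for blocks in self.directory.values() for b in blocks}
        free = [b for b in range(DATA_BLOCKS) if b not in used]
        blocks = []
        for off in range(0, len(content), BLOCK):
            b = free.pop(0)
            chunk = content[off:off + BLOCK].ljust(BLOCK, b"\x00")
            self.image[b * BLOCK:(b + 1) * BLOCK] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def factory_reset(self) -> None:
        """Reformat as an unencrypted phone of the period did: drop metadata only."""
        self.directory = {}

    def encrypt(self, key: bytes) -> None:
        """Toy full-disk encryption: replace the data area with ciphertext and
        store the key in the footer (simplified crypto footer; a real device
        wraps it with the user's PIN). The directory now lives inside the
        encrypted area, so it is no longer readable without the key."""
        assert len(key) == FOOTER
        self.image[:DATA_END] = _keystream_xor(key, bytes(self.image[:DATA_END]))
        self.image[DATA_END:] = key
        self.directory = {}


def carve(raw: bytes) -> List[str]:
    """Forensic carving: ignore the filesystem, scan every byte for SMS text."""
    return [m.group().decode(errors="replace") for m in SMS_RE.finditer(raw)]


def attacker_recovers(flash: Flash) -> List[str]:
    """Dump the chip, carve the raw bytes and, if a key sits in the footer,
    decrypt the data area with it and carve that as well."""
    raw = bytes(flash.image)
    found = carve(raw)
    stored_key = raw[DATA_END:]
    if any(stored_key):                 # non-zero footer: a key is on the device
        found += carve(_keystream_xor(stored_key, raw[:DATA_END]))
    return found


def scenario() -> Dict[str, List[str]]:
    """A sold phone: factory reset, then the two encryption rounds.
    Message text and file names are constructed for the demonstration."""
    flash = Flash()
    flash.write_file("sms.db", b"SMS: meet at 7, love you x")
    flash.write_file("history", b"visited: example.org")
    results: Dict[str, List[str]] = {}

    flash.factory_reset()
    results["filesystem_view_after_reset"] = sorted(flash.directory)  # shop sees nothing
    results["after_reset"] = attacker_recovers(flash)                 # carver still does

    flash.encrypt(hashlib.sha256(b"round-1").digest())     # round 1 destroys the plaintext...
    results["after_one_encrypt"] = attacker_recovers(flash)  # ...but key 1 is still on the chip

    flash.encrypt(hashlib.sha256(b"round-2").digest())     # round 2 overwrites key 1
    results["after_two_encrypts"] = attacker_recovers(flash)
    return results


if __name__ == "__main__":
    for step, found in scenario().items():
        print(f"{step}: {found}")
```

The point of the two rounds in this model is that decrypting with the key left behind by round two only yields the round-one ciphertext, whose key no longer exists anywhere on the chip. Later Android versions ship with encryption enabled by default on new devices and a factory reset discards the encryption keys, so the double-encrypt step is advice for the older, unencrypted handsets the research examined rather than a routine procedure today.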

Image: Flickr (Meanest Indian)

Paul has worked as an archivist, editor and journalist, and has a PhD in the cultural and literary significance of ruins. His writing has appeared in the New York Times, The BBC, The Atlantic, National Geographic, and Discover Magazine, and he was previously Staff Writer and Journalist at ITProPortal.