Cell Phone Insecurity
Forget about your personal information being retrieved from a stolen laptop. The real danger? Your discarded cell phone.
Resetting the phone, a common practice among sellers, usually only makes sensitive information appear to have been erased. It can be resurrected using specialized but inexpensive software found on the Internet.
A company, Trust Digital of McLean, Va., bought 10 different phones on eBay this summer to test phone-security tools it sells for businesses. The phones all were fairly sophisticated models capable of working with corporate e-mail systems.
The problem? A common shortcut taken by every cell phone manufacturer.
The 10 phones Trust Digital studied represented popular models from leading manufacturers. All the phones stored information on “flash” memory chips, the same technology found in digital cameras and some music players.
Flash memory is inexpensive and durable. But erasing it in a way that makes the data impossible to recover is slow. So manufacturers compensate with methods that erase data less completely but don’t make a phone seem sluggish.
Worse, they were stupid and careless enough to leave out the obvious “full erasure option.”
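As an added illustration (not code from the article, nor from Trust Digital's tools), here is a toy Python model of why a quick reset looks clean to the phone but not to recovery software: the reset erases only the allocation block, the record blocks stay put, and a signature scan of the raw image finds them. The block layout, the record tag and the sample contacts are all constructed for the example.

```python
BLOCK = 32              # bytes per flash block in this toy model
ERASED = 0xFF           # a flash cell reads 0xFF after an erase cycle
LIVE = 0x00             # allocation byte programmed to 0 marks a block in use
MAGIC = b"CT"           # constructed tag at the start of every contact record

def make_image(contacts):
    """Build a toy flash image: block 0 is the allocation table, the rest hold contact records."""
    if len(contacts) + 1 > BLOCK:
        raise ValueError("toy image holds at most %d contacts" % (BLOCK - 1))
    alloc = bytearray([ERASED]) * BLOCK
    blocks = [bytes([ERASED]) * BLOCK for _ in range(1 + len(contacts))]
    for i, (name, number) in enumerate(contacts, start=1):
        if len(name.encode()) > 12 or len(number.encode()) > 16:
            raise ValueError("name or number too long for one record block")
        rec = MAGIC + name.encode().ljust(12, b"\0") + number.encode().ljust(16, b"\0")
        blocks[i] = rec.ljust(BLOCK, b"\0")
        alloc[i] = LIVE
    blocks[0] = bytes(alloc)
    return b"".join(blocks)

def parse(block):
    """Decode one contact record block into (name, number)."""
    return (block[2:14].rstrip(b"\0").decode(), block[14:30].rstrip(b"\0").decode())

def list_contacts(image):
    """What the handset UI shows: only blocks the allocation table marks as live."""
    alloc = image[:BLOCK]
    return [parse(image[i * BLOCK:(i + 1) * BLOCK])
            for i in range(1, len(image) // BLOCK) if alloc[i] == LIVE]

def quick_reset(image):
    """Vendor-style reset: one erase cycle on the allocation block only.
    Fast, and every record block is left intact."""
    return bytes([ERASED]) * BLOCK + image[BLOCK:]

def full_erase(image):
    """Erase cycle on every block: slow on real flash, but nothing is left to recover."""
    return bytes([ERASED]) * len(image)

def carve(image):
    """What recovery software does: ignore the allocation table and scan raw blocks for record tags."""
    return [parse(image[off:off + BLOCK])
            for off in range(BLOCK, len(image), BLOCK)
            if image[off:off + 2] == MAGIC]

if __name__ == "__main__":
    img = make_image([("Alice", "555-0100"), ("Bob", "555-0199")])   # constructed sample data
    print("after quick reset, UI shows:", list_contacts(quick_reset(img)))
    print("after quick reset, carving finds:", carve(quick_reset(img)))
    print("after full erase, carving finds:", carve(full_erase(img)))
```

Real flash controllers add wear levelling and spare blocks that this model ignores, so on actual hardware even an overwrite of every visible block can leave stale copies behind; that is one reason the article's experts end up recommending physical destruction.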
Palm Inc., which makes the popular Treo phones, puts directions deep within its Web site for what it calls a “zero out reset.” It involves holding down three buttons simultaneously while pressing a fourth tiny button on the back of the phone.
But it’s so awkward to do that even Palm says it may take two people.
Seriously, how damn difficult is it to program the phone to respond:
“WARNING: You are about to erase ALL DATA on your phone, including stored phone numbers, contact lists, e-mails, and ring-tones! If you wish to erase your phone’s memory, enter the following 4 digit number: 1234 followed by *. To cancel, press any other button. Full deletion may take several minutes.”
Trust Digital found no evidence thieves or corporate spies are routinely buying used phones to mine them for secrets, Magliato said. “I don’t think the bad guys have figured this out yet.”
Well, they damn sure know now. At least some folks in the government aren’t stupid, though.
President Bush’s former cybersecurity adviser, Howard Schmidt, carried up to four phones and e-mail devices — and said he was always careful with them. To sanitize his older Blackberry devices, Schmidt would deliberately type his password incorrectly 11 times, which caused data on them to self-destruct.
So what should you do? I’d recommend listening to this guy:
Peiter “Mudge” Zatko, a respected computer security expert, said phone owners should decide whether to auction their used equipment for a few hundred dollars — and risk revealing their secrets — or effectively toss their old phones under a large truck to dispose of them.
Actually, that’s overkill. Just get the flash memory chip out, and smash that little bugger. Or burn it.