Privacy Risks of Used Cell Phones

Ignore the corporate sleaziness by Cingular for the moment -- they sold used cell phones meant for charity -- and focus on the privacy implications. Cingular didn't erase any of the personal information on the used phones they sold.

This reminds me of Simson Garfinkel's analysis of used hard drives. He found that 90% of them contained old data, some of it very private and interesting.

Erasing data is one of the big problems of the information age. We know how to do it, but it takes time and we mostly don't bother. And sadly, these kinds of privacy violations are more the norm than the exception. I don't think it will get better unless Cingular becomes liable for violating its customers' privacy like that.

EDITED TO ADD: I already wrote about the risks of losing small portable devices.

Posted on August 26, 2005 at 2:58 PM • 45 Comments

Comments

Kirby • August 26, 2005 3:51 PM

Why should Cingular be responsible for not erasing the phones? I think the owners of the phones bear some responsibility for securing or erasing their personal data. If it was important to them at least.

Davi Ottenheimer • August 26, 2005 3:55 PM

"Erasing data is one of the big problems of the information age. We know how to do it, but it takes time and we mostly don't bother."

Agreed, although modern degaussing and drive-wipe utilities are becoming extremely cheap and convenient. Moreover, the popularity of arrays for data storage has made erasing/scrambling data easier as well (it's non-trivial to reassemble an array).

But this goes back to the discussion of whether users are provided the tools they need to adequately protect their assets (laptops, PDAs, phones, etc.) on their own, rather than trust someone else to do it for them. I'll never forget when, many years ago, a friend brought a "brand new" laptop to me and asked for help configuring it. "Who's Bob?" I asked when I noticed the hard drive was labelled "Bob's Drive". "I don't know," he said. "I assume it was the guy in the back of the truck who sold me the laptop."

If these phones were locked with a pin code and had to be reset to be used...

In this case I think we also should note that phone-books are generally not included in "privacy" regulations (yet). Cingular would be out of compliance under PCI Security Standards, HIPAA, and other regulations if there was evidence that sensitive information was exposed, but "my office as well as my personal contacts" is a real minefield when it comes to defining asset value.

Zwack • August 26, 2005 3:56 PM

It doesn't look like Cingular as a company sold the phones, rather that some individuals who worked for Cingular sold the phones.

Given that the owners of the phones were donating their phones to charity shouldn't it have been their responsibility to delete the contents of the phones first?

If they had given them to a thrift store, or gone directly to the women's shelter then would they have wiped the phones before giving them away? If not, why not?

People need to take more responsibility for erasing their own data when they can.

Z.

Luke Gilliam • August 26, 2005 4:02 PM

Erasing data on phones is difficult. I purchased a used Nokia 6820 from a friend. He ran the factory reset before selling, and I ran it again after buying, but many items of personal information and configuration settings were left intact, including AIM login information. In addition, determining whether data is stored on the phone, the SIM chip, or both is not easy.
I am an avid recycler and re-user, but because I cannot be certain of removing all personal data from a used mobile phone, I destroy them instead.

Bruce Schneier • August 26, 2005 5:23 PM

"Given that the owners of the phones were donating their phones to charity shouldn't it have been their responsibility to delete the contents of the phones first?"

No. It's easy for us techies to say things like that, but have you ever met the average cellphone user? He doesn't know how to delete the contents of his phone. And honestly, we as an industry are doing him a disservice if we expect him to. Putting the onus on him is a form of blaming the victim.

If we as a society expect to solve this problem, we have to give the party who has the capability to solve the problem the incentive to solve the problem.

Leonardo Alcantara • August 26, 2005 5:33 PM

The same problem happens with stolen phones. But in that situation it is worse because you can be sure that the new "owner" is not someone with noble objectives.

Francois • August 26, 2005 6:06 PM

@Bruce:
That's an excellent point, and you've made that one before. Security has to be accessible and usable to the average person. Cell phones don't have much in the way of security - except where it hits the company in the pocketbook. It may not be easy for the average person to clear their personal data, but it's illegal and difficult to change the unique phone identifier (and therefore steal service). As you say, the companies only care about security when it causes them to lose money.

Cell phones should have more, easier and better security features - at least a reset to clear memory and restore defaults.

Davi Ottenheimer • August 26, 2005 6:19 PM

"we have to give the party who has the capability to solve the problem the incentive to solve the problem"

Incentive? Interesting choice of words. It sounds like consumers somehow would have to "incent" the party with the capability to give them the solution, but that takes us right back to the dilemma of savvy consumers. Who else would provide incentives? Perhaps you mean dis-incentives (i.e. penalties) for not adequately protecting consumer data?

Tim Vail • August 26, 2005 7:54 PM

@Davi

Somehow, I think you are reading a bit too deeply into what Bruce is saying. Incentive is the motivation to do something; dis-incentive is the motivation to not do something. Security requires action, so in order to get those people to provide adequate security, they need incentive to do it.

As for the other part about savvy customers: nobody can be savvy if they don't have sufficient input on which to make reasonable decisions. And ultimately, a lot of security is out of our control and not dependent on which specific agency we go with.

Sam • August 27, 2005 1:08 AM

I knew a girl whose summer internship consisted of dismantling hard drives with a screwdriver and then venting her frustrations on the platters with a hammer. At least some government agencies take these things seriously.

Mark J. • August 27, 2005 8:54 AM

I bought a used BMW that came with a phone. All the previous owner's contacts were in there. I don't understand why it's supposedly difficult to clear info from your phone. You enter the info in the first place, right? So clearing it is just a matter of going through it deleting the contacts. Time consuming, yes. But difficult? Maybe not so much.

At our university we have to zero-write hard drives 10 times before we can surplus PCs. I use a great (but dangerous) product called KillDisk. (In the hands of a naive user, it could permanently wipe a hard drive that was not intended to be wiped.) Maybe we need something like that for phones and PDAs.

Bill McGonigle • August 27, 2005 11:47 AM

It's OK to blame the manufacturers here. They could put a button underneath the battery that when held down for 10 seconds would wipe the flash chip, or whatever kind of NV storage they're using.

Granted that would add $0.05 to the cost of each phone, so maybe blame customers who want free phones. Or the regulatory regime that does not permit free competition in the cell phone market.

People employ easy security and really screw up hard security.

Luke Gilliam • August 28, 2005 12:56 AM

Mark J., I agree that deleting contacts is straightforward although tedious. However, the average phone stores much more information including voice mail password, instant messenger login, text messages, call logs, contacts, calendar info, and various multimedia files, and the factory reset option often does not affect any of these.
Given that the average consumer has no idea such information has value to someone else, they cannot be expected to perceive the need for clearing such data, and even if they did, most devices provide no way to easily erase ALL personal data short of navigating every menu option to find which contain private information.

Steve • August 28, 2005 8:50 AM

@Tim
Talking about savvy users - I personally don't know of any software to wipe (or at least overwrite with zeros) a SIM-card or the memory of my phone.

Has anyone here heard of such a program?

Or, more generally, is there any Gutmann-like paper for these types of memory?

Bruce Schneier • August 28, 2005 10:15 AM

"Or, more generally, is there any Gutmann-like paper for these types of memory?"

I haven't seen any. But honestly, most of us would be happy with basic data deletion procedures that would work against non-military adversaries.

Bruce Schneier • August 28, 2005 10:17 AM

"Ah yes, but remember, the vast majority of the information a cell phone is about someone else!"

My cellphone is my Treo. It contains my calendar, my address book, a bunch of text files filled with personal information, some old moldy to-do lists, SMS messages, e-mail messages, and the number of Mille Borne games I've won. Sounds pretty personal to me.

Bruce Schneier • August 28, 2005 10:19 AM

"The same problem happens with stolen phones. But in that situation it is worse because you can be sure that the new 'owner' is not someone with noble objectives."

Some devices are now being built with remote-data-erase features to deal with device theft. I think that's a great idea.

T. Hudson • August 28, 2005 12:08 PM

I've always thought the risk of potable devices was getting them stuck in your throat when you drink them.

Steve • August 28, 2005 12:52 PM

"most of us would be happy with basic data deletion procedures that would work against non-military adversaries"

I certainly agree with you, but that leads us to the main question:
how do we get such software features?

Lobbying and begging the cellphone manufacturers? I think a 2-megapixel camera or an MP3 player sells much better than a "delete all your private data" menu entry.
Write it yourself? Depending on the platform perhaps a possibility (I don't know enough about these phones to estimate this solution) - time consuming, but perhaps the fastest way to get such a tool...
Or perhaps some day buy a carefree-package with a virus-scanner, a personal (bluetooth-)firewall and a flash memory wipe utility?

B-Con • August 28, 2005 5:42 PM

In all honesty, how hard could it have been for Cingular to wipe the data off of the cell phones? Failing to do so was just laziness on their part.

As a company that (hopefully) is interested in their customer's privacy and well-being, they have no excuse for failing to wipe the phones -- if Cingular were truly concerned about looking out for their customers, wiping the phones clean would have been the first thing done after they were collected. I mean, seriously, how hard could it have been for them to do?

Chung Leong • August 28, 2005 8:13 PM

Disinformation is a bigger problem in the information age, if you ask me. From the original story it is pretty clear that it was a rogue employee who sold the phone on eBay and not the company itself.

The lesson here is to take anything you read on a blog with a huge grain of salt. Even a reputable security expert could be out to fool you.

Clive Robinson • August 29, 2005 2:11 AM

Ignoring for the moment if it was Cingular or one of their employees on the make (the latter does sound rather more plausible though).

The problem with deleting information on cell phones is a difficult one for a number of reasons, but the primary ones are as follows,

First off the so called "factory reset" was never designed for use in the factory, it was meant for regional repair centers and suchlike. In practice it's a bit like a reset button that makes minimal changes to get the phone to a state where it can be tested and repaired.

Imagine you are a non technical customer who sends in a phone for repair. You are not going to be too happy if the phone does not work when you get it back because the repair center wiped all the bits of info required to connect to the customer's network, as well as erasing their phone book that took many hours to put in, and they do not have a copy of...

Now imagine you manufacture phones, and you put a short cut menu item in that will clear the phone book etc. Imagine how many customers will either use it by mistake, or worse accidentally due to having the phone in their pocket (how many of you have accidentally dialed this way?). Regardless of whose fault it is, your product will start to get a bad name as an "unreliable phone" and customers will not want to have it.

If you are in the business of issuing phones as part of a network contract, you are not going to be too happy if the repair process unlocks the phone, so the user can start using it on a more advantageous network.

Then if you are a thief who steals phones, imagine your delight at having a function that completely clears the phone, removing all the phone ID info; it would be wonderful, as the traceability effectively becomes zero.

Finally imagine you are a policeman who has pulled up a "suspect" for drugs or other illegal dealing activities. You relieve them of their phone before putting them into a holding cell; you can then look through their phone details to see if you can tie them into other criminals or their activities. You lose this if they have a quick way to delete the details.

As an aside, it is also quite difficult to securely erase mutable but non volatile memory devices. Even dynamic RAM chips have been known to retain useful and recoverable information some period of time (hours) after all power was removed. Also static memory suffers from a modicum of the "burn in" process (similar to that of the old VDU screens).

There are several more reasons why there is not an easy way for a phone to be reliably cleaned of information, however the simple fact is that until recently nobody wanted it, and even now very few would be prepared to pay for it (until it's too late).

Security is subject to the laws of the market place just like everything else, you want a feature then you pay for it (one way or another).

Dimitris Andrakakis • August 29, 2005 2:51 AM

> Then if you are a thief who steals phones, imagine your delight at having a function
> that completely clears the phone, removing all the phone ID info; it would be
> wonderful, as the traceability effectively becomes zero.

Not really. Phones have a unique machine number (IMEI) which can be used to trace the device.

375575006787 • August 29, 2005 4:00 AM

"Some devices are now being built with remote-data-erase features to deal with device theft. I think that's a great idea."

Unless someone else erases my data remotely? Do I have to start backing up my SIM now?

CocoToni • August 29, 2005 4:30 AM

I bought a Sony Ericsson T610 a long time ago. After a year it was starting to look sluggish, and I knew that there was a new version of the firmware, so I took it to my local service shop to re-flash it.

Luckily I had backed up all of my contacts to the SIM before the operation, because the flashing of the phone wiped all of my settings and all of my contacts.

Now it would seem reasonable to me that Cingular has the ability in their shop and that for no other reason than to provide the new owners with most recent firmware they should do this.

Bruce Schneier • August 29, 2005 4:35 AM

"Unless someone else erases my data remotely? Do I have to start backing up my SIM now?"

Always back up everything, all the time. It is the single most important security defense you have.

Roger • August 29, 2005 4:41 AM

@B-con:
"In all honesty, how hard could it have been for Cingular to wipe the data off of the cell phones?"

Well, first off it appears the phone was sold illegally before Cingular had a chance to wipe it.

Secondly, "how hard" depends on the phone, and can be a lot harder than it looks.

One of the trickiest ones I've found is if you teach the T9 spelling algorithm new words. On many (not all) phones on which I've tried it, it doesn't seem possible to subsequently erase them, in any way at all. So if you teach your phone to spell, say, 'chlamydia', then forever after it will be easy for someone to confirm that I've sent an SMS about a rather personal illness. (As a non-security aside, it is double-plus ungood if you accidentally teach it a misspelled word, especially one with a common numeric sequence.)

Not as yawning a security hole as some, but interesting that you can't get rid of these words, period.

Other things include WAP access credentials, which may be erasable but are easy to overlook, and are buried as much as 8 or 9 levels down in a clumsy menu system that is slightly different for every model of phone.

Here's another good one: on my phone, in the calendar application, if I make a day memo and don't know about "auto-delete", then the only way to erase it later (if you can't recall the actual date) is to scroll back in time until you find it, open it up, and select "erase". If, like many people, you have thousands of memos dating back several years, then erasing could take many hours and give you RSI of the thumb. Now it happens that if I drill down to the auto-delete menu and set "auto-delete after 1 day" it will immediately start erasing all existing entries older than that -- but this feature is not documented (I had to discover it by experiment), and only works on "single event" memos, repeating ones must be done one by one.

Basically, at the moment this is just far too hard. And as someone else has pointed out, it doesn't need to be. The characteristics of Flash devices are such that it would be trivial, and have negligible cost, to include a simple electrical switch that erased all user-programmed Flash memory. It could also be done in software, at negligible cost. Note the "user programmed" part. A key fact is that you need to clearly delineate between stuff entered by the user, and stuff built in at the factory. If you erase the latter, you might turn the phone into a paperweight. However this should not be an especially difficult problem unless the file system design is totally brain dead.


@Clive Robinson:
"Now imagine you manufacture phones, and you put a short cut menu item in that will clear the phone book etc. Imagine how many customers will either use it by mistake, or worse accidentally"

This is a valid point, but it is also a fairly well understood one. A variety of methods exist to guard against it. For example, a hardware switch could be hidden in the battery compartment, and need to be depressed by the point of a pen or similar.

"due to having the phone in their pocket (how many of you have accidently dialled this way?)."

My phone has a keypad lock which, to unlock, requires two keys on diagonally opposite sides of the keyboard to be pressed, in the correct order, no more than 2 seconds apart, but not simultaneously. It's very easy to operate intentionally, even without looking at the phone, but it has _never_ operated unintentionally. And yes, I normally carry it loose in my pocket. However I'm inclined to go with the recessed switch beside the battery. Much closer to fool-proof, and also simpler to implement.

"If you are in the business of issuing phones as part of a network contract, you are not going to be too happy if the repair process unlocks the phone, so the user can start using it on a more advantages network."

Yes, you clearly need to delineate between user data (which should be able to be wiped) and "built in" data which includes things like SMS connection string and definitely should not be erased. But that isn't exactly rocket science.

"Then if you are a thief who steals phones, imagine your delight at having a function that completely clears the phone, removing all the phone ID info; it would be wonderful, as the traceability effectively becomes zero."

If it's a GSM phone, it can be traced by the IMEI, which is hard-coded into the phone and used to identify it to the network. In fact the IMEI is the only really useful tracing information. Presumably other cellphone protocols have something similar. (Important security tip: if you haven't already done so, enter *#06# into your phone, and it will display its 15 digit IMEI. Write this down and keep it somewhere separate from the phone. If your phone is lost or stolen, report this number to your phone company, and most ethical telcos [1] will be able to disable the phone over the air.)

"Finally imagine you are a policeman who has pulled up a "suspect" for drugs or other illegal dealing activities. You relieve them of their phone before putting them into a holding cell; you can then look through their phone details to see if you can tie them into other criminals or their activities. You lose this if they have a quick way to delete the details."

By this logic we shouldn't sell matches because crooks might burn their evil plans. The fact is, many phones already provide a way to make this information very difficult to access: the PIN code lockout (which however is no use to the honest man selling his phone, because he needs to give the buyer access to all the phone's functions). But if the police are sufficiently interested, they can take the phone back to their forensic labs and have the PIN overridden. And if they are sufficiently interested, they can also extract quite a lot of information from a Flash chip which has been "erased". If you want additional protection, you can make the "erase all" function quite slow, with an ability to abort by, say, pulling the battery out. That would be no inconvenience to the typical user (who probably knows at least days in advance that he plans to sell the phone) but would enable phones seized under warrant to have their information retrieved. Meanwhile, for an honest user who has the phone stolen, PIN lockout is sufficient.

"As an aside, it is also quite difficult to securely erase mutable but non volatile memory devices. Even dynamic RAM chips have been known to retain useful and recoverable information some period of time (hours) after all power was removed. Also static memory suffers from a modicum of the "burn in" process (similar to that of the old VDU screens)."

Quite true. But I don't think anyone is demanding protection from this kind of attack. Just something slightly better than we have at the moment, where it is all too easy to give up massive amounts of extremely personal information to even a casual snoop.

"Security is subject to the laws of the market place just like everything else, you want a feature then you pay for it (one way or another)."

The problem is, what a lot of people don't know or else forget, the laws of market forces provide for reaching market equilibrium only under the assumption of perfect information, whereas security problems are often difficult for the layman to see or understand (i.e. people aren't demanding these sorts of features because they don't even realise that the problem exists). Consequently, we find in many security applications that people fall into two categories, those who have been fscked in the past and want steel bars over everything, and those who haven't (yet) and think only a paranoid changes the PIN on his phone. As security professionals, part of our job is to realistically evaluate the relative risks and costs to help people make these decisions better. In this case, the risk is moderately high and the cost is very slight, so if we do our job people should soon be demanding such features.


----
Note 1: Yes, this is an oxymoron.
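Roger's tip above is to write down the 15-digit IMEI that `*#06#` displays and keep it separate from the phone. The last IMEI digit is a Luhn check digit, so a copy you made by hand can be checked for transcription errors before you ever need to report it. The block below is an added illustration, not code from the post or any commenter; the sample IMEIs in it are constructed for the example and identify no real device.

```python
import re

# Constructed sample values for the example (no real handsets): one that passes the
# Luhn check, two with common copying mistakes, and one that is simply too short.
SAMPLE_IMEIS = {
    "490154203237518": True,   # check digit consistent with the first 14 digits
    "490154203237519": False,  # last digit mis-copied
    "490154203327518": False,  # two adjacent digits transposed
    "49015420323751": False,   # only 14 digits written down
}


def luhn_sum(digits: str) -> int:
    """Luhn sum: walking from the right, double every second digit and
    subtract 9 from any doubled value above 9, then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def imei_check_digit(first14: str) -> str:
    """Compute the 15th digit for a 14-digit IMEI body (TAC + serial)."""
    if not re.fullmatch(r"\d{14}", first14):
        raise ValueError("IMEI body must be exactly 14 digits")
    # Put a 0 in the check position, then pick the digit that makes the
    # total a multiple of 10.
    return str((10 - luhn_sum(first14 + "0") % 10) % 10)


def is_valid_imei(imei: str) -> bool:
    """True if the value is 15 digits (spaces/dashes allowed) with a
    matching Luhn check digit; False for anything else."""
    cleaned = re.sub(r"[\s-]", "", imei)
    if not re.fullmatch(r"\d{15}", cleaned):
        return False
    return luhn_sum(cleaned) % 10 == 0


def check_samples() -> dict:
    """Run the validator over the constructed samples; expected to match SAMPLE_IMEIS."""
    return {imei: is_valid_imei(imei) for imei in SAMPLE_IMEIS}


if __name__ == "__main__":
    for imei, ok in check_samples().items():
        print(f"{imei}: {'valid' if ok else 'INVALID'}")
    print("check digit for 49015420323751 ->", imei_check_digit("49015420323751"))
```

A check digit only catches copying mistakes; it says nothing about whether the number belongs to your handset, so the value still has to come from the phone itself.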

Huge • August 29, 2005 7:17 AM

I recently bought a second-hand car, which has sat-nav. The handbook says "Do not store the location of your home address under the name 'Home' lest whoever steals your car then burgles your house." Good advice, although the complexity of the sat-nav UI is such that it's unlikely your average car thief would be able to work it out!

Bruce Schneier • August 29, 2005 7:45 AM

@ Huge

I'm not sure that makes much sense. Why would someone who steals your car be more likely to rob your house than some other random house? I suppose if your car were nowhere near your house he might think it unoccupied, but that seems rather unlikely. It's not like someone who steals your housekeys and your wallet.

DL • August 29, 2005 8:22 AM

"Why would someone who steals your car be more likely to rob your house than some other random house?"

Because the thief only has to press a button on your garage door opener to get in. It is as good as a set of keys. But, the advice about the nav system is still lame. The insurance and registration paperwork in your glovebox will probably have your home address anyway.

Phillip Hofmeister • August 29, 2005 8:36 AM

It's for exact reasons like this that I use the "wipe" utility under Linux to overwrite my hard disk a ridiculous number of times before sending it back to the manufacturer for warranty replacement. They say they will do it, but when it comes right down to it, I don't trust them to do so.

jammit • August 29, 2005 11:11 AM

This has gotten me to think. Sometimes when I get rid of something (a hard drive, for example), I only wipe the data if I thought important stuff might be on it. If it was my old MP3 drive, I would have either simply formatted it (really recoverable), or done nothing. It's only MP3s, right? But perhaps at one time I did store something important on it. It may have been deleted months ago and more data added, but I can't be sure the data is now truly gone. Now I plan to nuke all media that I own.
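Mark J.'s zero-writing with KillDisk, Phillip's use of `wipe`, and jammit's remark that a plain format is "really recoverable" all turn on the same distinction: removing the directory entries versus overwriting the bytes themselves. The following added example (not from the post or any commenter) simulates that on a small constructed device-image file: it plants a marker representing personal data, shows that a quick "format" of the first few KiB leaves the marker findable in the raw image, then does a whole-device multi-pass overwrite and verifies the result. The image file, its size and the marker are all assumptions made for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed "personal data" planted in the image; it stands in for a contact entry.
MARKER = b"CONTACT: Alice Example +1-555-0100"
CHUNK = 4096


def make_device_image(path: str, size: int = 64 * 1024) -> int:
    """Fill a file with random bytes and plant MARKER halfway through (constructed sample)."""
    data = bytearray(secrets.token_bytes(size))
    offset = size // 2
    data[offset:offset + len(MARKER)] = MARKER
    with open(path, "wb") as f:
        f.write(data)
    return size


def quick_format(path: str) -> None:
    """Simulate a quick format: zero only the first 4 KiB, where the directory
    structures would live, and leave every other block untouched."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * CHUNK)


def contains_marker(path: str, marker: bytes = MARKER) -> bool:
    """Scan the raw image for the marker, the way a recovery tool would."""
    with open(path, "rb") as f:
        return marker in f.read()


def verify_zeroed(path: str) -> bool:
    """Read the whole image back and confirm every byte is zero."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def wipe(path: str, passes: int = 3) -> bool:
    """Overwrite the entire image: random data on every pass but the last,
    zeros on the last, with an fsync after each pass so nothing sits only in
    the page cache. Returns the result of the read-back verification."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            final_pass = p == passes - 1
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if final_pass else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return verify_zeroed(path)


def demo() -> dict:
    """Run the format-versus-overwrite comparison on a temporary image."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "device.img")
        make_device_image(img)
        before = contains_marker(img)
        quick_format(img)
        after_format = contains_marker(img)
        wiped = wipe(img)
        after_wipe = contains_marker(img)
    return {
        "before": before,
        "after_quick_format": after_format,
        "wipe_verified": wiped,
        "after_wipe": after_wipe,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The read-back step matters as much as the overwrite: a wipe that is not verified is a wipe you are taking on faith. This model holds for a magnetic disk exposed as one linear device. For the flash in a phone, as Clive and Roger note, the controller remaps blocks behind the operating system, so an overwrite of the visible address space does not guarantee the old copies are gone; that is why device-level erase commands or a key-wipe under full-device encryption are the tools of choice there.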

Davi Ottenheimer • August 29, 2005 11:36 AM

@ Bruce

"Why would someone who steals your car be more likely to rob your house than some other random house?"

Motive. The same reason that they would study the type/model/capabilities of the car before they attempted to steal it. For example, if they know the garage door opener is integrated into the car's controls, and the house is easily accessible from the garage...

Not to say that this is normal behavior for car thieves, but it is usually the case in corporate espionage.

Carlos Gomez • August 29, 2005 12:53 PM

Advice to the consumer recommending that they delete the entries in their address book would not have worked too well in this case (Cingular). The customers were asked at the store if they wished to donate their phone. Presumably, upon answering yes, they handed over the phone with the expectation that it would be wiped for them. If they were to follow the advice of removing the entries themselves, they would have been stuck in the store for a long time as they painstakingly removed each entry manually.

In my own experience donating an old cell phone, deleting the entries was very tedious. I did it, but it took a lot of repetitive button mashing. I doubt most people would have carried through to the end of their address book.

Steve • August 29, 2005 4:17 PM

@Davi:

But this kind of thief hardly needs the "home" coordinates in your nav-system... Perhaps this is more interesting if you left your keys in the car and it gets stolen at random.

Davi Ottenheimer • August 29, 2005 5:03 PM

"But this kind of thief hardly needs the 'home' coordinates in your nav-system"

Perhaps, unless your "home" is different from what you have publically listed, or is a remote location that you try to keep isolated enough that you would detect attempts to find it, or if it is not "your" home but the place that you spend most of your time while "on-location"...

Steve • August 30, 2005 8:21 AM

@Davi

You're right, but if you take these steps to protect your privacy, you shouldn't have your place listed under "home" nor under any other description in your nav-system.

John Tanner • August 30, 2005 10:51 AM

Another version of this is rented handsets. I recently rented a 3G handset for use in Tokyo (Japan not being a GSM market), and used it for sending SMSs, MMSs and taking pics, as well as voice calls. When it was time to return the phone, I knew to clear all my pics off the SD card and messages from the inbox/outbox, but couldn't figure out how to clear the call logs. That worried me because records of all the numbers I'd called or received calls from were still on the handset, and there was no obvious way to clear it.

Luckily, the clerk at my service provider shop knew how to do it and showed me how. But it was clear it hadn't occurred to them to even check for this kind of thing, and it only occurred to me because I found some leftover photos and call records still on the phone from the previous user!

jayh • August 30, 2005 1:32 PM

I have a company issued Blackberry.

It claims to erase all memory after 10 unsuccessful password attempts to unlock it, and more interestingly, if I lose it, the system administrator can clear it remotely.


Goldie • September 4, 2005 9:58 AM

Bruce,
you wrote "Some devices are now being built with remote-data-erase features to deal with device theft. I think that's a great idea."
I would interpret that here you are advocating for treacherous computing, aren't you? Which I think is not that great.

I would say that the most Cingular should do is to warn people on the privacy risks and that's all.
If a boy/girl is doing mass destruction during internship, someone has to provide working space at least and this comes as additional expense.

James • May 11, 2006 7:58 AM

Subscribers of mobile phones should have free access to destroy their mobile phones in case of theft.
