2,000 personal photos, emails, and other info found on used smartphones

Men in black pawn shop owner

In a recent experiment, researchers found 2,000 personal photos, email messages, and other information stored on used phones they purchased from pawn shops.

Avast's Deborah Salmi explains in a blog post how the security company's researchers purchased some 20 used phones from pawn shops located in New York, Paris, Barcelona, and Berlin.

Each shop owner assured the researchers that the devices were cleaned of all personal files ahead of time.

As it would turn out, 12 of the devices had not been wiped at all, as Salmi reports:

"Avast retrieved more than 2,000 personal photos, emails, text messages, invoices, and one adult video from the phones that the prior owner assumed was deleted. On two of the phones, the previous owners had forgotten to log out of their Gmail accounts, risking having the new owners read or send emails in their name."

Here is what the researchers recovered off of the 20 phones:

  • More than 1,200 photos
  • More than 200 photos with adult content
  • 149 photos of children
  • More than 300 emails and text messages
  • More than 260 Google searches, including 170 searches for adult content
  • Two previous owners' identities
  • Three invoices
  • One working contract
  • One adult video

Salmi goes on to observe that the researchers were able to recover personal data from 50 percent of the devices partly because they were running Android 4.3 and lower, versions of Google's mobile OS on which the factory reset feature does not function as well as you might wish on some devices.

On some of the phones, however, the previous owners had simply forgotten to execute a factory reset or delete their information.

Experiments such as these bring into focus pawn shop owners' responsibility to make sure each device is wiped of personal information before they are resold to a customer.

Used smartphones

Even so, mobile users should not rely on shop owners alone to make sure their personal information is protected, Avast's Gagan Singh explained in a press release:

"Through our research, we noticed that some people simply forget to delete their personal data and perform the factory reset before selling the device. To ensure that all data is removed, a user needs to overwrite the phone’s files. Without this, a user’s personal data could easily end up in the hands of the next owner of the phone. In the end, users are responsible for cleaning all sensitive and personal data from their devices prior to sale, and they should never rely on a shop owner to remove remaining data prior to reselling the phones."

There is, however, a bright side.

As new smartphones come shipped with stronger and stronger encryption, something which is currently giving the FBI a supreme headache, used phones are coughing up less and less information if personal information is not wiped from a device. Just one year ago, for example, Avast researchers conducted a similar experiment and found 40,000 bits of personal information. That is a huge decrease in the span of one year.

Google has also since fixed the factory reset option on newer Android devices. This feature, when coupled the decision to remove personal information, should be enough to protect most users from the effects of identity theft and/or blackmail.

(Visited 1,908 times, 1 visits today)

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

4 Responses

  1. coyote

    February 26, 2016 at 9:30 pm #

    'Experiments such as these bring into focus pawn shop owners' responsibility to make sure each device is wiped of personal information before they are resold to a customer.'

    Actually I quite disagree. You can't expect them to know how to do this securely any more than the user. If they try good on them but it shouldn't be relied upon. The problem isn't the shop owner not doing enough the problem is the way data is stored and I'm afraid that this storage is also good for those who refuse to backup (although it's still risky not to, obviously, but the way data is stored does allow for recovery in many [but not all] cases). Even more problematic is the lack of awareness and there is very little you can do about that except try to educate as many as you can.

    Unfortunately this will never be resolved completely. Even if people were wise enough to not have sexual content on their phone (unless it's something they download on a website they have e.g. a subscription although even then I'm not sure the phone is the best place – but I won't judge there) the fact remains that people use their phone(s) for a variety of uses and as such the technology is the problem but it also obviously has benefits. This isn't exclusive to technology, either; all good comes with bad and all bad comes with good. This isn't exclusive to people (although it applies just as much).

    The only good thing: researchers bought these phones and they seemingly are going to do the right thing.

  2. Simon

    February 29, 2016 at 11:52 am #

    It wasn't the first time I bought used mobiles back in the day and found texts, contacts and other personal cache.

    It's mind boggling how lazy people were (and still are by the looks of it) not cleanse their devices before sale.

    This also extends to used PC's/laptops. Ie: email clients still configured with years worth of correspondence, what the hell!?!

    • Bob in reply to Simon.

      February 29, 2016 at 12:45 pm #

      You're blaming people when it's not entirely their fault. If you read this article, or look at the linked blog post,

      "Of the phones that were factory reset, 50 percent still contained personal data because the previous owner was running an outdated version of Android that had an improperly functioning factory reset feature. Some of the previous owners only deleted their files without doing a factory reset. However, this doesn’t mean that the files were removed completely – only the reference to the file was deleted. Other phone owners simply forgot to delete their data or do a factory reset. "

      People are resetting their devices but the reset isn't functioning as it should. When these devices are then connected to a system with the correct software the researchers were able to get the data from the device.

  3. Jon

    February 29, 2016 at 7:41 pm #

    Too bad all those previous phone owners didn't have time to wipe their phones before they were stolen and sold to the pawn shops. I like how the author assumes the phones were legitimately sold to the pawn shop by absent-minded owners instead of them possibly being one of the 3+ million phones stolen every year.

Leave a Reply