Used Cellphones Hold Trove of Secrets That Can Be Hard to Erase

By Ellen Nakashima
Washington Post Staff Writer
Saturday, October 21, 2006

Sam Bachman is a frequent upgrader. Not of cars or homes, but of his "smart phone." Hooked on the convenience of a cellphone that's also a mini PC, calendar and address book, the Virginia social worker just bought his sixth Treo smart phone. And before advertising his old model for sale online, he took what he thought was a savvy step: He "reset" the device to wipe it free of data.

Or so he thought.

It turns out that hackers or sleuths armed with commercially available software can fairly easily resurrect erased data on cellphones, including address books and calendar contacts, photos, videos and e-mails, turning used phones into a treasure trove for identity thieves and allowing them in effect to buy personal data off the Internet, security experts say.

"You could recreate someone's entire life from the data you recover from these devices," said Norm Laudermilch, chief technology officer for Trust Digital, a McLean security company that helps companies and government agencies protect data.

Cellphones with lots of memory are essentially little computers that people carry around and, like laptops and PCs, are at risk of a data breach. Cellphones pose a special risk because of two converging trends: their size and portability, making them easier to lose, and the fact that increasingly, we are documenting our lives through our phones.

"It is amazing how a couple of megabytes of data on a cellphone can reveal so much about you -- the last place you were, the last person you talked to," said Amber Schroader, chief executive of Paraben Corp., a forensic software firm that teaches law enforcement agents how to get cellphones to spill secrets.

Bachman, 43, said he carries his Treo everywhere and loves the feeling of not being "tethered to my home and my computer." In stores, if he wants to comparison-shop, he can go online to check a price. At Starbucks, he can track his caloric intake after ordering that venti latte -- about 400 calories. He snaps pictures and shoots video of his three children. On his new Treo 700, he can listen to Internet radio as he trains for the Marine Corps Marathon.

But until a reporter called to ask how he had erased the data on the used phone he was selling on Craigslist, Bachman said he never realized how vulnerable his data was to theft or resurrection.

"And I consider myself a pretty savvy smart-phone user," he said.

His 143 passwords and PINs for various check-cashing cards, online bank accounts and e-mail services were stored on the phone in an encrypted form, which would have made it almost impossible for a hacker to access them. But the other data he thought he had erased -- personal contacts, pictures and Web search terms -- were recoverable, experts said.

Cellphones store data on a type of chip known as flash memory. The phone operating system never actually erases data, though. It "dereferences" it, or deletes pointers to where the data is located, so the phone essentially "forgets that it's there," said Bruce Schneier, a security technologist in Mountain View, Calif. That is similar to what happens on personal computers -- the files remain on the hard drive; only the references are deleted.
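The dereference-only deletion Schneier describes can be shown with a small model. The following Python is an added example, not part of the original article; the `ToyFlashStore` class, its block size and the sample records are constructed for illustration and do not model any real phone's storage.

```python
# Added illustration: a toy model of dereference-only deletion.
BLOCK = 32  # constructed block size in bytes


class ToyFlashStore:
    def __init__(self, blocks=16):
        self.raw = bytearray(blocks * BLOCK)   # stands in for the memory chip
        self.index = {}                        # name -> (offset, length): the "pointers"
        self.next_free = 0

    def write(self, name, data):
        """Store a record in the next free blocks and record a pointer to it."""
        span = -(-len(data) // BLOCK) * BLOCK  # round up to whole blocks
        if self.next_free + span > len(self.raw):
            raise MemoryError("store full")
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free += span

    def read(self, name):
        off, length = self.index[name]         # KeyError once dereferenced
        return bytes(self.raw[off:off + length])

    def reset(self):
        """What the article describes: forget every pointer, touch no data."""
        self.index.clear()

    def residual(self, needle):
        """Audit check: does the raw memory still contain these bytes?"""
        return needle in self.raw

    def sanitize_unreferenced(self):
        """Overwrite every byte that no live pointer covers."""
        live = bytearray(len(self.raw))
        for off, length in self.index.values():
            live[off:off + length] = b"\x01" * length
        for i, used in enumerate(live):
            if not used:
                self.raw[i] = 0


def demo():
    store = ToyFlashStore()
    store.write("contact", b"Jane Doe 555-0100")    # constructed sample data
    store.write("search", b"marathon training plan")
    store.reset()
    after_reset = store.residual(b"555-0100")       # still present after "reset"
    store.sanitize_unreferenced()
    return after_reset, store.residual(b"555-0100")
```

On real flash hardware, wear leveling can leave stale copies in cells that an overwrite issued through the operating system never reaches, so the sanitize step here is a simplification.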

There are 220 million cellphone subscribers in the United States. Typically, cellphones are used for 1 1/2 years before they are replaced, providing ample opportunity for data breaches through lost, stolen, sold or recycled models.


© 2006 The Washington Post Company