Used Cellphones Hold Trove of Secrets That Can Be Hard to Erase

By Ellen Nakashima
Washington Post Staff Writer
Saturday, October 21, 2006

Sam Bachman is a frequent upgrader. Not of cars or homes, but of his "smart phone." Hooked on the convenience of a cellphone that's also a mini PC, calendar and address book, the Virginia social worker just bought his sixth Treo smart phone. And before advertising his old model for sale online, he took what he thought was a savvy step: He "reset" the device to wipe it free of data.

Or so he thought.

It turns out that hackers or sleuths armed with commercially available software can fairly easily resurrect erased data on cellphones, including address books and calendar contacts, photos, videos and e-mails, turning used phones into a treasure trove for identity thieves and allowing them in effect to buy personal data off the Internet, security experts say.

"You could recreate someone's entire life from the data you recover from these devices," said Norm Laudermilch, chief technology officer for Trust Digital, a McLean security company that helps companies and government agencies protect data.

Cellphones with lots of memory are essentially little computers that people carry around and, like laptops and PCs, are at risk of a data breach. Cellphones pose a special risk because of two converging trends: their size and portability, making them easier to lose, and the fact that increasingly, we are documenting our lives through our phones.

"It is amazing how a couple of megabytes of data on a cellphone can reveal so much about you -- the last place you were, the last person you talked to," said Amber Schroader, chief executive of Paraben Corp., a forensic software firm that teaches law enforcement agents how to get cellphones to spill secrets.

Bachman, 43, said he carries his Treo everywhere and loves the feeling of not being "tethered to my home and my computer." In stores, if he wants to comparison-shop, he can go online to check a price. At Starbucks, he can track his caloric intake after ordering that venti latte -- about 400 calories. He snaps pictures and shoots video of his three children. On his new Treo 700, he can listen to Internet radio as he trains for the Marine Corps Marathon.

But until a reporter called to ask how he had erased the data on the used phone he was selling on Craigslist, Bachman said he never realized how vulnerable his data was to theft or resurrection.

"And I consider myself a pretty savvy smart-phone user," he said.

His 143 passwords and PINs for various check-cashing cards, online bank accounts and e-mail services were stored on the phone in an encrypted form, which would have made it almost impossible for a hacker to access them. But the other data he thought he had erased -- personal contacts, pictures and Web search terms -- were recoverable, experts said.

Cellphones store data on a type of chip known as flash memory. The phone operating system never actually erases data, though. It "dereferences" it, or deletes pointers to where the data is located, so the phone essentially "forgets that it's there," said Bruce Schneier, a security technologist in Mountain View, Calif. That is similar to what happens on personal computers -- the files remain on the hard drive; only the references are deleted.

There are 220 million cellphone subscribers in the United States. Typically, cellphones are used for 1 1/2 years before they are replaced, providing ample opportunity for data breaches through lost, stolen, sold or recycled models.

Trust Digital recently bought from the eBay online auction site 10 used smart phones, each with at least 40 megabytes of memory, for an experiment in data recovery. Using simple software created in-house, the firm's technicians retrieved an astonishing variety of information -- one company's plans to win a multimillion-dollar federal transportation contract, e-mails about another firm's $50,000 payment for a software license, bank accounts and passwords, medical prescriptions, and receipts for utility payments.

Then there was the text-message exchange between a man and his paramour, who Trust Digital determined was not his wife from the thousands of pages of personal data on his phone.

"So," the woman typed, "I'll talk to u next week."

"You want a break from me?" the man messaged back. "Then fine."

Paraben, of Pleasant Grove, Utah, buys about 300 used cellphones each year from eBay and other sites for training sessions. Though the sellers think they have wiped the devices clean, 80 to 85 percent of the devices still have data intact, Schroader said.

"We've recovered everything from complete address books . . . to pictures taken in intimate moments. It's like, well, I didn't need to see that," Schroader said.

The fact that cellphones can give up secrets makes them as valuable to law enforcement as to criminals.

Lee Reiber, a Boise, Idaho, police detective specializing in cellphone forensics, has used recovered phone data to crack homicide, child abuse, domestic abuse cases. This year alone he has examined more than 100 phones in criminal and civil investigations and recovered data from 90 percent of them, he said. A man suspected of being a pedophile was undone by his phone. "We had all his pictures," Reiber said.

Besides the Treo, made by Palm Inc., there are other smart-phone makers, including Nokia Corp. and Siemens AG.

BlackBerry devices are in theory among the most secure of smart phones, Schroader said. However, those used by consumers lack the same security features as those used by government and private companies, Laudermilch said. "Even though there may be some security features on the device, most people don't know how or when to use them," he said.

As more people sell their old phones and upgrade to fancier models, Palm has developed a method that not only erases, but also overwrites the data with 1's and 0's, sometimes called the "zero-out" method. Instructions can be found on the Web site by searching "zero-out reset" or "factory reset."

Trust Digital recommends that cellphone owners seek advice from device manufacturers, carriers that sold them their phones or their companies' information technology administrators. The Web site provides directions for erasing data from many models.

Alerted to the security vulnerability, Bachman pulled his Treo 650 off the market and performed an advanced factory reset by following instructions on the Palm Web site. He said he plans to put the Treo 650 up for sale again. Meanwhile, he is already eyeing the Treo 750, not yet available in the United States.

View all comments that have been posted about this article.

© 2006 The Washington Post Company