Android - factory reset feature ineffective
A paper entitled 'Security Analysis of Android Factory Resets', published by Cambridge University, reveals that the factory reset process fails to wipe user data completely from the device. The authors claim that many devices are sold with incorrect device drivers that do not allow effective deletion of device data.
500 million devices fail to 'sanitize' the user data partition, where much of the sensitive data is located. This is especially troubling when one considers the prominence of mobile banking and other quasi-banking apps such as PayPal.
As a result of this problem, second-hand devices may have a secondary, hidden value: criminals are able to extract the information for nefarious purposes, adding to the pool of data used by 'carders' and other fraudsters.
There is an expectation that phone vendors and manufacturers may eventually be held to account for this issue once consumers become more alert to the reality. In the meantime, those selling their used handsets are inadvertently providing data to be harnessed by cyber-criminals.
Paper by Laurent Simon and Ross Anderson