CYFOR Blog

Why your old smart phone data is a thief’s paradise

From your bank account to private pictures and even passwords, smart phone data retains your most precious secrets – even when you think it’s been cleared, as Harry Wallop was horrified to discover.

Like thousands of people, I was given a new phone for Christmas. But rather than just recycle my old phone, I thought I would sell it. My device was in good condition — a relatively sophisticated iPhone — and various websites suggested it would fetch £140. I removed the SIM card, the little computer chip which contains my phone number and other key information, because this would go into the new phone, and deleted all the data, such as my photographs and emails, along with social media and messaging applications like WhatsApp and Twitter. Or so I thought. It turns out that buried in my old phone was a raft of personal information — all hugely valuable to any criminal, but catastrophic to me. ‘I could even work out where you live,’ James Smith tells me casually.

He is the man who — with my permission — hacked into my old phone, which I thought I had wiped completely clean. The head of penetration testing at a digital security company, Smith spent a day seeing what he could retrieve from my device. ‘It was relatively simple,’ he explains. ‘It didn’t require any particular bit of kit. This was using readily available tools that are either free or very cheap.’ And, boy, what he found was eye-opening. He was able to obtain the password I used for a chess-playing app, which — embarrassingly for me — is the same password I use for various other, far more important, apps.

‘That’s the jackpot for a hacker. They will go through every online account, Facebook, Twitter, emails and “password spray”, seeing if that password works for any of them.

‘The moment you get access to your email account, you can get hold of all sorts of things, and start phishing your contacts.’ This is when a hacker would pose as me and retrieve, potentially, the bank account details of my friends and family. ‘They’d be very easily able to impersonate you,’ says James. And it would be particularly easy in my case because all my contacts, along with their smart phone data that includes numbers and emails, were accessible. I had sent off my phone after a report published a fortnight ago by The National Cyber Security Centre — part of GCHQ — implored consumers to be aware of how much data was now stored on their phones and the ‘importance of erasing this before selling so that it does not inadvertently fall into the hands of criminals’.

Figures suggest that a vast number of people are failing to adequately wipe their phones before selling them on the second-hand market. Research released yesterday by cyber security firm Kaspersky suggests that there are tens of thousands of phones for sale with private information still on them. Kaspersky surveyed consumers across the UK and Germany. Of those who have bought a second-hand mobile device, 18 per cent said they had found photos, eight per cent had found login details and passwords, and seven per cent had found identification documents such as a driver’s licence.

This was from a survey. It is conceivable that some people were exaggerating. But the security company also bought 185 random devices from the likes of eBay, Facebook Marketplace, and Amazon, all of which are popular places to buy second-hand phones and laptops. It found 16 per cent had ‘in plain sight’ data, such as photos or messages, easily accessible for anyone to see and read. More worryingly, a further 73 per cent had data that was accessible to anyone with a bit of tech know-how. Photographs of people posing with class-A drugs, nude pictures, scans of people’s driving licences and passports, tax documents, bank details and a wealth of incriminating data was buried in these devices — if you knew how to find them. That means a mere 11 per cent were properly wiped clean of all their data.

‘I think the issue is laxity,’ explains David Emm, a principal security researcher at Kaspersky. ‘We still psychologically approach a mobile phone in the same way that we did maybe ten years ago. We call them phones, even though they are actually computers. Although we don’t really use them just for making calls or sending texts — we do all of this other stuff on there — we somehow aren’t as careful when it comes to security.’ Selling unwanted mobile phones has become increasingly common. A decade ago, most old phones were pretty worthless but, as the sophistication and price of smartphones has increased, many consumers have discovered they can make as much as £500 on a phone that is 18 months old if it’s in good condition.

EY-Parthenon, a consultancy firm that is part of Ernst & Young, estimates that 30 per cent of all smartphones are re-sold, totalling 8.1 million phones each year. Also, according to the regulator Ofcom, far more consumers now buy their phones separately from their monthly data contract — on what is known as a SIM-only deal, giving them the freedom to upgrade their phone often and sell their used one. Back in 2014, just 15 per cent of customers did this; in 2019 it was 34 per cent (the most recent year we have figures for; it’s likely to be yet higher now). As a result, a dozen specialist websites have sprung up on which you can sell your phone. The most reputable ones, such as musicMagpie, explain that you should wipe all your data — and explain how to do it. Some sites, however, give no such instructions.

Mark Payton is a former policeman and now forensics manager at CYFOR, a security company which mostly works for criminal defence solicitors. He says, ‘There are lots of people who are not aware that phones have a factory reset button. So they will just go through the photo gallery and delete pictures and go into messages and delete all the messages, as opposed to doing a full factory reset of their phone.’

This is exactly what I did before sending my phone off to James Smith and explains why he found it relatively easy to find a lot of my personal information, even though I thought I’d deleted it. Admittedly, much of what he found was fairly mundane: old shopping lists, photos of my children, and a list of all the websites I had visited. But some was deeply alarming — not just my most used password. Even though my SIM had been removed, my phone number was visible. All my contacts were accessible along with their emails and phone numbers. Distressingly, there was also an old message I’d sent to someone that included my bank account details so that they could pay me. Most worrying of all, perhaps, he could work out where I lived. ‘You can do this from exif data.’

Smith explains: ‘This is now on all cameras, tagging the photograph with what device it was taken on, the mode it was in, along with the longitude and latitude of where you were. This is designed to help you find all the photos, for instance, you took in France.’ But you can also zoom into where you most often take photographs — invariably your home address. Smith tells me he can work out within about three houses my address on a row of terrace houses in London, just by using this exif data on my photographs. Then, by cross-referencing these houses to all the Wi-Fi addresses I had connected to, he could pinpoint an exact address. ‘I can put two and two together and work out where you live. It is easy to find out where a Wi-Fi address is registered to.’ But how could he do this, even though I thought I had deleted all the apps, photos, and information from my phone?

Mark Payton explains why deleting apps is not good enough — even when they invariably flash up a warning saying, ‘deleting this app will also delete its data’. ‘An app is often the front-end to the data that is stored in the phone,’ he says. ‘If you take WhatsApp, for instance, it has a back-end database within the phone where all messages are stored. If you delete the app, most of the time the back-end database doesn’t get deleted off the phone.’

David Emm says that deleting photos or messages does not mean they have left your phone. He explains that when you delete something, ‘all that the system does is to flag up in the index this area is available for new files. The deleted message just sits in the background, still able to be retrieved, until you run out of space and need to write over the top of it.’ He compares it to old VHS tapes of TV shows — deleting them just means you move the tape into the ‘ready to be reused pile’. The data isn’t gone until you use the tape to record a new show.

Smith says hacking into my phone and recovering passwords that I had used was relatively simple. First of all, he plugged my phone into his computer and then downloaded a piece of software called Dr.Fone.

The premium version costs £72 and helps crack open the ‘backend’ of the phone. This popular piece of software is used to help people recover data they have lost or deleted by accident. It can even unlock a phone if you have forgotten the screen lock code. ‘It’s really pretty simple to find all the deleted stuff,’ Smith says. The next step, however, required a bit more know-how. ‘All the data I collected, I put into a tool called Autopsy. This is free software. It indexes every bit of information into a database, then you search for strings [of code]. The first thing I searched for was strings containing the word “password”. And it wasn’t too long before I found one. A hacker could spend hours and probably find far more passwords.’ When he reads back to me over the phone the password he’s found, I’m ashen-faced at how many things he could have unlocked with it.

Payton adds that, even if you weren’t a tech expert, you could probably find some old passwords or deleted data from a second-hand phone that hadn’t been wiped properly. ‘On the internet there are plenty of forums, such as on Reddit, where people can talk you through how to do this.’ All the experts point out that more recent phones that have been launched within the past couple of years tend to be more secure. So, too, are the most recent apps — which sometimes require what’s known as two-factor authentication. This is when you are sent a code to your phone or email to gain access to Facebook, for instance. But if you have skilfully cracked into someone’s email, that may be of little use. There is another concern with second-hand phones. And that is for the buyer, not the seller. If you purchase an older model, there is a strong chance that it will no longer be supported by the manufacturer. This is important because if a model is no longer supported, it means the likes of Apple or Samsung no longer send security updates — potentially leaving the new owner of the phone vulnerable to being hacked.

Which? — the consumer organisation — investigated this issue last summer and discovered that 31 per cent of phones on sale at the leading second-hand sites were no longer supported by the manufacturer. Anything older than an iPhone 6, for instance, is now obsolete and would leave any user vulnerable to being hacked. On Facebook Marketplace this week, there were still plenty of iPhone 5s for sale. Kate Bevan, editor of Which? Computing, says: ‘As the secondary and refurbished market continues to grow for tech products, manufacturers must be more transparent about the lifespan of devices and how long they’ll provide security updates for, so people can make clear decisions and aren’t at risk of buying unsupported devices.’

Facebook did not want to comment directly, but said it supplied tips to consumers buying from and selling on its marketplace. These tips amount to, ‘If possible, make sure to thoroughly inspect or test the item before buying it’. eBay says: ‘When selling a mobile phone, whether online or offline, sellers are advised to take the responsible steps to protect their own data by wiping all content and settings and securing their devices.’ Of course, if I had sold my ‘wiped’ phone on the internet and it had fallen into the wrong hands, I possibly wouldn’t know, until some money mysteriously left my account, or someone posted pictures of me and my children on the internet.

Payton urges the hundreds of thousands of people who will be selling their phones in a New Year clear out to wipe them properly. ‘Doing a factory reset is the gold standard. It makes it very difficult — and sometimes impossible — to extract any smart phone data once that has happened. But a lot of people don’t know that is possible to do. It’s buried in about four different menu options.’
