Warning: Factory reset does basically nothing to erase your data
Deleting data from an Android device with a factory reset does virtually nothing to delete users' sensitive information, according to new research
Have you ever sold a second-hand phone? What about given an old tablet away to a charity shop? Like any sensible tech-savvy user, you probably ran a factory reset on your device, and thought no more about it. But new research has shown that deleting data from an Android device with a factory reset does virtually nothing to delete users' sensitive information.
Three separate investigations of Android's data deleting systems found it was possible to recover information in almost every instance. In some cases, the reset simply removed the archive entry for the data, but didn't delete it – the equivalent of removing all links to a webpage, but leaving it online.
Tesco's Hudl tablet was singled out as a particularly egregious offender, having been found to contain a flaw that let attackers get at data saved to onboard memory. That's because of a a known bug in the Rockchip processor that powers the Hudl.
The research was carried out on second-hand devices sold via auction sites such as eBay. Ken Munro from security firm Pen Test Partners was part of the research team.
"There's a flaw in the firmware, which allows you to read from it as well as write," he explained. All modern devices can be flipped into a "flash mode" so the onboard firmware can be updated and data written to memory.
Using a freely available software tool, Mr Munro was able to easily read data from Hudl tablets to which the factory reset facility had been applied.
In response, a Tesco spokesperson said: "Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The spokesperson added that any tablets returned to Tesco had all personal data wiped.
Google, who develops the Android operating system, said anyone selling a used gadget should follow several steps to protect information.
"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand," said a spokesman.
The case brings to mind another experiment conducted earlier this year, in which analysts working with a Channel 4 investigation bought three second-hand mobile phones from the high street second-hand electronics shop CEX, which claims to delete data from phones once they are bought. However, the researchers were able to recover huge amounts of sensitive data from each.
One phone even yielded a total of 5,000 files, including SMS messages exchanged with his girlfriend, and his web browsing history, including visits to adult sites.
Paul has worked as an archivist, editor and journalist, and has a PhD in the cultural and literary significance of ruins. His writing has appeared in the New York Times, The BBC, The Atlantic, National Geographic, and Discover Magazine. His first novel, River of Ink, was published in January 2016, and his second novel, All Our Broken Idols was released in May 2020. He writes, produces and hosts the Fall of Civilizations podcast, which has charted in the top ten British podcasts, and gained upwards of 40 million listens since it launched in 2019.