Factory reset memory wipe FAILS in 500 MEELLION Android mobes

Half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed. The gaffe apparently allows tokens for Google and Facebook, among others, to be recovered in 80 per cent of …

  1. Lostintranslation

    Knock Knock

    And so another back door becomes a front door.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Knock Knock

      Another reason for corporates to use Windows Phone...

      1. fruitoftheloon
        Joke

        @AC Re: Knock Knock

        Ac,

        didn't you mean THE reason.

        Or the relevant techies could remove the SD cards too, I always have whenever I have flogged off/re-used a phone...

        J

      2. Antonymous Coward
        FAIL

        Re: Knock Knock

        @AC

        Not sure I follow your logic. Seemed to be:

        "The boffins only spent their time scrutinising what is BY FAR the market leader, ignoring all the others. Therefore we should all pretend that NSA's Redmond's obscure little offering is secure"

        Did I get that about right?

        A sort of obscurity is security argument?

        Tit.

    3. JamesTQuirk

      Re: Knock Knock

      Who would have thought, a Secure OS, Re-written in JAVA, could have gone "tit's up", I Don't know, maybe the Linux people who warned you ????

  2. Anonymous Coward
    Meh

    I think I can answer a question

    "It is unknown how Android versions above 4.3 are affected. Google has been contacted for comment."

    I think it will go along with the lines:

    "It's fixed in the latest version. We are not going to fix any phones prior to this version"

    Granted it will be about 200 words longer, but that will be the general line.

    1. Anonymous Coward
      Anonymous Coward

      Re: I think I can answer a question

      "It's fixed in the latest version. We are not going to fix any phones prior to this version"

      Granted it will be about 200 words longer, but that will be the general line.

      I'd be very careful with that, this involves Ross Anderson. The almost immediate response could be "no it isn't, here is evidence". If Ross Anderson tells you you have a problem, you first best check exactly how deep you're in it with Ross before you make any public statements, the man has an almost pathological aversion to bullshit.

      Which is why I like him.

      1. Michael Habel

        Re: I think I can answer a question

        Bullshi-- here, bullsh-- there, bullsh-- EVERYWHERE bullsh--! 'Ol McDonald had a Server Farm e-i-e-i-o....

        And, this will get Google to change its mind, and suddenly go 'round digging in the Vaults to fix this? lol I don't believe it.... You know what I believe EVEN LESS?! Assuming for just One second your Guy actually WAS that good... And, Google actually wanted to do something to fix this... (They won't BTW!), But, in an otherwise 'finite Universe, had they actually wanted to... And, had fixed this.... The OEMs will have been too busy flogging their M9's, S6's, Nexus 6 etc... etc... to care.

        This said, when I picked up a second hand Galaxy Tab a few years ago. It was literally filled with all kinds of nasty... If slightly arousing things on it. Sadly before I thought to back any of it up I had performed a complete Device wipe, before installing what was CM9 at that time, on it.

        I was under, the understanding that the last owner had enough sense to perform a Factory Reset, if only to protect his Accounts.

        But, I really do NOT expect this is something that's ever gonna change ever!

        1. Michael Habel

          Re: I think I can answer a question

          *To clarify that last statement... When I said I had done a complete Device wipe... I was referring to the Format functions under Samsung's Odin Flasher, and not the One inside the 3e Recovery. Which on that note... Why the HELL doesn't Google buy up TWRP, and make that the mandatory recovery?!

      2. Anonymous Coward
        Anonymous Coward

        I like Anderson (and team) too, very much.

        It's especially pleasant to see him moving his work outside the financial sector again. Further reading:

        https://www.lightbluetouchpaper.org/

        I do hope he (his department?) has good lawyers.

        Meanwhile, safety critical aircraft systems on your list, please sir, when you have a moment.

    2. Anonymous Coward
      Anonymous Coward

      Re: I think I can answer a question

      "It's fixed in the latest version. We are not going to fix any phones prior to this version"

      But to be fair, is there much point in fixing it in the old versions? It isn't like an OTA could be sent out to all phones to update it so the manufacturers and carriers would need to do the update and if they were going to go to all that trouble of writing the core files into their customised version, testing and delivering it then they would just update to the latest version anyway which is designed to work better on older devices (although that's debatable).

      The main way to get a security fix is to get the latest version installed, it's the same with pretty much every system we run outside of Windows and Linux (e.g. all our phone systems, copiers, embedded systems, switches, routers etc).

      Unless a way is found to upgrade the core Android OS directly from Google without requiring the handset or carriers to get involved - which I can't ever see happening, then updating older versions is not effective. You just need to flash a custom rom with the latest version.

      1. Anonymous Coward
        Anonymous Coward

        Re: I think I can answer a question

        " so the manufacturers and carriers would need to do the update"

        Ideally they should be legally required to under consumer protection legislation. For Google it'd be a reminder "don't be incompetent" when coding, and for the carriers it'd be a welcome headache that might eventually persuade them to stop the nonsense of custom skins and bloatware.

        Outside of the warped reality space of the carrier's marketing departments, I don't believe a single person on Planet Earth wants their new phone to be soiled by the carrier's logo, or the memory they've paid for to be filled with unremoveable but often barely functional bloatware, but it is specifically these undesired features that seem to be a barrier to fixing this.

        The obvious solution (short of rooting and SIM free purchase) is for the handset makers to offer their nearest-to-vanilla versions of Android directly to consumers. The carriers could still skin up the phones before sale if they're so desperate, but then they'd have to add some real value with that to keep it on people's phones.

      2. ecarlseen

        Re: I think I can answer a question

        "But to be fair, is there much point in fixing it in the old versions? It isn't like an OTA could be sent out to all phones to update it so the manufacturers and carriers would need to do the update and if they were going to go to all that trouble of writing the core files into their customised version, testing and delivering it then they would just update to the latest version anyway which is designed to work better on older devices (although that's debatable)."

        That doesn't seem to stop Apple, who managed to backport full-disk encryption and make it available for every device sold in the past few years as part of their regular update process. It wasn't *ooh* *whimper* sooo *sniff* haaaaaard *sob* like it was for Google. It's a core OS function that isn't dependent or reliant on manufacturer customizations, and should be updatable.

        1. x 7

          Re: I think I can answer a question

          "That doesn't seem to stop Apple, who managed to backport full-disk encryption and make it available for every device sold in the past few years"

          The Apple iPhone range is tiny compared to the range of Android hardware available. What's possible for Apple on a small range of standardised is much harder when applied to the full Android range

        2. Gavin Berry

          Re: I think I can answer a question

          "It's a core OS function that isn't dependent or reliant on manufacturer customizations, and should be updatable."

          Not a great comparison really, Apple only have one hardware platform, Android has 1000's

          Also Apple don't allow anyone else to use their OS, so again, it's easy for them,

          Google could release an update for 4.3 but the carriers will not spend money on a re-compile and release anyway.

    3. Bloakey1

      Re: I think I can answer a question

      I have been banging on about this for yonks see posts passim. Even if the damn thing is successfully wiped it is easy enough to recover the data and just involves playing around with coercivity and drilling down.

      The only person I ever met who understood this fully was an Irish builder. He said to me "I need a new hard drive" I said this one is fine. He then said "I need a new hard drive" at which point I understood and swapped the server drives.

  3. Anonymous Coward
    Anonymous Coward

    What an annoying coincidence..

    In other news, Carl Icahn is urging Apple to do more with its money.

    Personally, I'm OK with them not doing more - it means they're less subject to external pressures to go stupid.

  4. Sealand
    Facepalm

    Waiting for Eric Schmidt to step up and say: "That's because you're not resetting it right!" ...

  5. Anonymous Coward
    Anonymous Coward

    Simple solution

    Factory reset it with a sledge hammer. That might limit the resale value, but it's the best way to be sure.

    Well, it's that or thermite.

    1. Hans 1

      Re: Simple solution

      Make sure you break and disperse the memory chips, otherwise, data can be retrieved ...

      1. Anonymous Coward
        Anonymous Coward

        Re: Simple solution

        That's what the thermite option is for...

        1. Unicornpiss

          Re: Simple solution

          You could use the Blendtec (TM) data scrambler. Works on all smart (and not so smart) phones, hard drives, CDs, etc.

  6. tony2heads

    Anyone with experience of these?

    https://f-droid.org/repository/browse/?fdfilter=wipe&fdid=org.safermobile.intheclear

    https://play.google.com/store/apps/details?id=com.pinellascodeworks.securewipe

    https://play.google.com/store/apps/details?id=com.projectstar.ishredder.android.standard

    1. deive

      Re: Anyone with experience of these?

      An app can't wipe any data except its own (unless you root your phone - which is not an option for most).

      1. Anonymous Coward
        Anonymous Coward

        Re: Anyone with experience of these?

        It's a process....

        If you factory reset your phone, then SIDELOAD one of the above apps (I have used iShredder) then the app can overwrite the freespace on the main partition. Then remove the app, or factory reset again.

        That's what I did with my Nexus 4.

        I also setup Google on my phone via a OTP, Facebook to use 2FA, and logged both devices out/revoked the OTPs when clearing down the phone.

        Admittedly these are things the 'average' user won't do, so the secure wipe should be fixed, but there are things you can do without root to make yourself a bit more secure when handing on a device.

        1. Anonymous Coward
          Anonymous Coward

          Re: Anyone with experience of these?

          If you factory reset your phone, then SIDELOAD one of the above apps (I have used iShredder) then the app can overwrite the freespace on the main partition. Then remove the app, or factory reset again.

          I'm kinda short on downvotes, so I'm going to suggest a quicker alternative: get an iPhone :)

          1. fruitoftheloon
            FAIL

            @ac: Re: Anyone with experience of these?

            Dear AC,

            Maybe I am being a bit more dim than usual (I have just returned from the pub)...

            But I haven't figured out how someone buying an iPhone will help them to scrub their googlephone.

            Have a downvote on me.

            Regards,

            Jay.

            1. Anonymous Coward
              Anonymous Coward

              Re: @ac: Anyone with experience of these?

              But I haven't figured out how someone buying an iPhone will help them to scrub their googlephone.

              By not having the problem in the first place. Later versions of iOS (v7 and later) did a damn good job of creating secure storage in the device and zapping it on delete by using very established and proven cryptographic principles and providing enough hardware support for it to actually be of value.

              I think Google can fix this in newer versions of Android, but it will have to insist on some of that same hardware that's a default part of iPhones to make that secure. After that it's a matter of structure, if the OS can be made clearly independent of the telecomms provider and manufacturer by making that theme layers on top of the OS instead of deep changes inside, you end up with a structure you could actually maintain. However, I have the distinct impression that Google doesn't really want to have that in place, and given what they make money from, that doesn't surprise me in the least.

              I can't really see Google choosing for the customer in the clear conflict of interest here...

    2. Anonymous Coward
      Anonymous Coward

      Re: Anyone with experience of these?

      > https://f-droid.org/repository/browse/?fdfilter=wipe&fdid=org.safermobile.intheclear

      F-Droid is OK for this - provided you have a rooted phone. Don't know about the others.

  7. JP19

    Huh?

    You mean some people trust android devices with sensitive information?

    1. Anonymous Coward
      Anonymous Coward

      Re: Huh?

      Or for that matter, any device in the Android/iOS/WinPhone camps. Blackberry are probably the most secure horse in the race, and they were not absolved from risk with the Heartbleed/Poodle/Freak attacks on crypto.

      1. Anonymous Coward
        Anonymous Coward

        Re: Huh?

        Actually blackberry 10 has a pretty poor security record with about 80 holes so far. Windows Phone is still on zero I think.

        1. Anonymous Coward
          Anonymous Coward

          Re: Huh?

          Windows Phone is still on zero I think.

          I'm glad you Microsoft marketing guys could make it. Be careful that you don't disturb that fact free life by reading any comments, though.

        2. fruitoftheloon
          Happy

          @Ac: Re: Huh?

          Dear Ac,

          Winphone has a zero of a lot of things...

          I rather suspect that major security flaws ain't all of them.

          But hope is good, please keep on keeping on...

          Regards,

          Jay.

          1. Anonymous Coward
            Anonymous Coward

            Re: @Ac: Huh?

            Winphone has a zero of a lot of things...

            Users? :)

      2. Anonymous Coward
        Anonymous Coward

        Re: Huh?

        Blackberry are probably the most secure horse in the race,

        Past tense, I'm afraid, as soon as they decided to allow Android apps to run.

  8. Big_Boomer Silver badge

    So THAT's how WeBuyAnyPhone/Mazuma make their money. They sell your hacked data to scum. :-) Before anyone starts 'avin' a go, it's a JOKE!! They'll sell it to someone who'll hack it and get the data. Glad I still have my old Droids. <LOL>

  9. Badvok

    In other news: Security hole found in all OSes!

    It turns out that the 'format' command just changes a few blocks of data and doesn't overwrite the whole disk/store, thus allowing data to be retrieved afterwards.

    1. Anonymous Coward
      Anonymous Coward

      Re: In other news: Security hole found in all OSes!

      Not sure how serious your statement was, but an OS using full disk encryption, like iOS or Windows with Bitlocker enabled, simply has to dispose of the key and any data written on the partition(s) protected by it is instantly and permanently inaccessible.

      I would assume that while Google probably implemented this in Android, it wasn't the default because in order to support it across a wide range of hardware capabilities they couldn't be sure that every device would possess hardware able to support FDE. Whatever Android version made or will make FDE a requirement is the minimum one you'd have to be on to be safe from this, because you can't trust OEMs to care about stuff like this.

  10. Slap

    iOS devices potentially have a similar problem

    When you delete all content and settings on an iOS device all it does is erase the encryption key - it doesn't actually erase anything. Good enough you might think, but with things as they are in the infosec business I'm sure there are some working on a way of getting around this.

    1. Anonymous Coward
      Anonymous Coward

      Re: iOS devices potentially have a similar problem

      There is no conceivable way around this. You either have to be able to perform an attack against the encrypted data, which is a problem for everyone using AES if there is such an attack, or you have to have possession of the device before the key is erased. There are methods to get the key off similar products such as Bitlocker, by booting the device into Linux and dumping the memory contents during early boot. You can't do that against iOS but with enough (read a LOT of) resources you probably could find a way to do something like that.

      But the important thing to note here is that you'd have to have my phone BEFORE I wipe it. Once I wipe it, you can't get squat from it. The article is about weakness in Android's erasure - so everyone who did a factory reset before selling/giving away their old phone potentially gave away their data (to the 0.0001% of people who would care to try this against a random phone they bought second hand)

      1. ecarlseen

        Re: iOS devices potentially have a similar problem

        Not only that, but on devices with A7 and higher CPUs the encryption keys are held in a special memory block on the CPU die itself with no direct read/write access from outside of the chip. Also, for anything running IOS8+ (iPhone 4S+, iPad 2+) full-disk encryption is mandatory. It's there, and there's no way to disable it.
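Added example, not part of the original thread or any commenter's post: a small Python model of the three reset behaviours discussed in the "format" and iOS key-erase comments above, with a residue check run over the raw image afterwards. `ToyStorage`, `SAMPLE_TOKEN` and the 64-byte block size are hypothetical, and the SHAKE-256 keystream is only a stand-in for the AES a real device would use.

```python
import hashlib
import secrets

BLOCK = 64  # constructed block size for the toy storage image
# Constructed sample secret; not a real token format.
SAMPLE_TOKEN = b"auth-token=CONSTRUCTED-SAMPLE-0123456789"


def _xor_stream(key: bytes, offset: int, data: bytes) -> bytes:
    """Stand-in stream cipher (SHAKE-256 keystream per offset); real devices use AES."""
    ks = hashlib.shake_256(key + offset.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class ToyStorage:
    """Flat storage image with a file index; optionally encrypted at rest."""

    def __init__(self, blocks: int, encrypted: bool):
        self.image = bytearray(blocks * BLOCK)
        self.index = {}       # name -> (offset, length)
        self.next_free = 0
        # The key sits in its own slot, apart from the data area.
        self.key = secrets.token_bytes(32) if encrypted else None

    def write(self, name: str, plaintext: bytes) -> None:
        offset = self.next_free
        if offset + len(plaintext) > len(self.image):
            raise ValueError("storage full")
        stored = _xor_stream(self.key, offset, plaintext) if self.key else plaintext
        self.image[offset:offset + len(stored)] = stored
        self.index[name] = (offset, len(stored))
        # Round up to the next block boundary.
        self.next_free = -(-(offset + len(stored)) // BLOCK) * BLOCK

    def logical_reset(self) -> None:
        """Drop the index only: the 'format' behaviour, data blocks untouched."""
        self.index.clear()
        self.next_free = 0

    def overwrite_reset(self) -> None:
        """Zero every block, then drop the index."""
        self.image[:] = bytes(len(self.image))
        self.logical_reset()

    def crypto_erase(self) -> None:
        """Replace the key and drop the index; the ciphertext stays in place."""
        if self.key is None:
            raise RuntimeError("crypto-erase needs encryption at rest")
        self.key = secrets.token_bytes(32)
        self.logical_reset()


def residue(image: bytes, markers: list) -> list:
    """Post-wipe check: which known plaintext markers still appear in the raw image?"""
    return [m for m in markers if m in image]


def run_reset(mode: str) -> dict:
    """Fill a device, apply one reset method by name, then inspect the raw image."""
    dev = ToyStorage(blocks=16, encrypted=(mode == "crypto_erase"))
    dev.write("accounts.db", SAMPLE_TOKEN)
    dev.write("photo.jpg", b"\xff\xd8" + b"P" * 100)  # constructed filler data
    getattr(dev, mode)()
    return {
        "residue": residue(dev.image, [SAMPLE_TOKEN]),
        "raw_bytes_left": any(dev.image),
    }


if __name__ == "__main__":
    for mode in ("logical_reset", "overwrite_reset", "crypto_erase"):
        print(mode, run_reset(mode))
```

The crypto-erase result depends on the old key being destroyed and never having been copied out of its slot beforehand.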

  11. Mr.Mischief

    In other news. Windows 98 is easily hackable.

    Can we get Microsoft to send out updates to fix all the bugs in Windows 98? Or how about Windows ME?

    1. Nunyabiznes

      Re: In other news. Windows 98 is easily hackable.

      MS has committed to provide free updates for all major software for 10 years. The phone manufacturers haven't been allowing and/or pushing updates for phones past 1-2yrs, even in the rare instances the code has been updated. How is that equivalent to your mind?

      1. Mr.Mischief

        Re: In other news. Windows 98 is easily hackable.

        Windows has committed.

        Google has not. There's nowhere where you buy a phone where people say that they are going to be giving you free software updates. Apple doesn't, Google doesn't, Blackberry doesn't, heck, even Windows Phone doesn't.

        Why the expectation for them to?

        Computers are being used for longer, there are still people using windows 98 and windows XP. Just because their systems are vulnerable should they go screaming at the media? Even after the support window has expired?

        1. Phil Kingston

          Re: In other news. Windows 98 is easily hackable.

          MS have said all WP8 devices will be getting 10.

        2. Anonymous Coward
          Anonymous Coward

          Re: In other news. Windows 98 is easily hackable.

          Windows has committed

          You mean Microsoft. Oh really? Nonsense, they haven't - none of them have. The only commitment you have from Microsoft is that they will SELL you a new version when they get bored with sending updates or it becomes too obvious it really cannot be rescued (Vista immediately comes to mind here, or the upgrade to TIFKAM).

          Google doesn't care one way or the other or they would have modelled the platform in such a way that customisations are layered on top instead of affect core code so that updates and OEM custom layers would not get in each other's way. But Google doesn't care - it goes for volume, and you get to volume by being cheap.

          Apple has a decent update frequency in iOS and OSX, but could do with a lot more transparency. The main gripe I see people have is that new updates don't work on old hardware, but if you didn't expect that from the only IT company that makes a good margin off hardware instead of a waferthin edge over costs you need your head examined.

  12. Anonymous Coward
    Anonymous Coward

    > But the important thing to note here is that you'd have to have my phone BEFORE I wipe it.

    No, I don't. The only thing I need is your key, which I may have obtained already, through various other means, and prior to your phone data scrub.

  13. Wolfclaw

    DOH !

    and still Google and the manufacturers refuse to update older phones to a more secure version, using the same old tired and lazy excuses !

  14. Cynic_999

    What should be expected from a factory reset?

    To me, this article is similar to one that says, "File deletion fails in all versions of Windows and Linux because deleted data can still be recovered in 90% of cases." Yes, we knew that. It's because the file delete function was never *intended* to prevent data from being forensically recovered.

    Similarly, unless the manual clearly states otherwise, I have always expected a "factory reset" operation to behave similarly to a "file delete" operation, in that it makes the phone *appear* to the normal user to be the same as when first sold, but I have never assumed that it did so by *wiping* any data, any more than a re-install of the OS will get rid of data you have on your laptop's HDD (which is surely analogous to a "factory reset").

    In fact I would not even assume that data held on a user-supplied SD card will be deleted or made inaccessible, because that card was not a part of the system when it left the factory. (Though I would not assume that it will *not* be deleted either).

    1. JP19

      Re: What should be expected from a factory reset?

      The settings option is called and described with :-

      Factory data reset

      Erases all data on phone

      Expecting it to do what it says it will seems reasonable.

  15. Bucky 2
    Facepalm

    It seems simple enough. If you want the new owner of your machine to see all the pictures of your own wang, just do a factory reset.

    Otherwise, use "Shred" or something similar, like a normal person.

  16. Henry Wertz 1 Gold badge

    "It isn't like an OTA could be sent out to all phones to update it so the manufacturers and carriers would need to do the update and if they were going to go to all that trouble of writing the core files into their customised version, testing and delivering it then they would just update to the latest version anyway which is designed to work better on older devices (although that's debatable)."

    Well, maybe, but I've had a few phones that due to the unusual radio files (Samsung Stratosphere for example had a Via -- yes Via, not Qualcomm... Via CDMA/EVDO/GSM chipset and Samsung LTE chipset, so if you evaded Samsung's lame firmware lockdown and put a newer kernel on, the radio files would absolutely not work with it. The Stratosphere II I have now has a more normal radio but a similar situation. It's pretty common to see on Cyanogenmod forums and the like that some devices will run a newer kernel, but with no radios. I doubt Samsung'll update either of these phones at all, but if so I'll be shocked if it gets anything other than a "x.x.(current +1)" update, or a vendor implemented patch.

  17. Henry Wertz 1 Gold badge

    "That doesn't seem to stop Apple, who managed to backport full-disk encryption and make it available for every device sold in the past few years as part of their regular update process. It wasn't *ooh* *whimper* sooo *sniff* haaaaaard *sob* like it was for Google. It's a core OS function that isn't dependent or reliant on manufacturer customizations, and should be updatable."

    Apple didn't backport full-disk encryption to older iOS versions, they made sure iOS was installable on somewhat older devices. Not the same thing at all. Also, Apple only ships a handful of models of phones. For vendors that follow Google's recommendations (i.e. not too many nasty hacks and binary blobs), if the vendor doesn't bother to release updates, CyanogenMod does. I really would prefer if all vendors at least made it so CM could release functional updates. If you do want to make sure to actually get updates, there are several lines of Android devices that do actually receive official updates for a guaranteed length of time.

  18. x 7

    So whats the real problem here?

    the stupid yuppie marketing model by which western rich gits treat new-spec phones as having a one-year use period before sending them on for resale / reuse elsewhere.

    It's not a fault with the phones - past experience with computers should be enough to show that anything is potentially recoverable given the right tools. The problem is with the mindset. Anyone with a brain who sends a PC on for resale or scrap shreds the drive - either physically or with a third party electronic tool such as DBAN. Why should a phone be treated any less differently? Especially when solid-state drives are a lot harder to nuke than a "real" hard drive.

    The answer is......stop treating phones as disposable fripperies. Keep them and use them until they're knackered and then take the hammer and shredder to them. Get your money's worth from them, then destroy them. DON'T sell them on

  19. Barry Rueger

    Lawyers needed

    Given that for many people the phone has become the primary computing device, including banking and other financial type transactions, it's really a pretty serious problem that it can be nearly impossible to get the OS updated.

    My guess is that sooner or later someone - Google, carrier, manufacturer, maybe all three - is going to get clobbered with a massive lawsuit alleging significant negligence in not providing timely and easy security updates.

  20. Zmodem

    it's probably nothing to do with Android, it would be the company that forgets to make the system folder list, and delete folders not listed of the internal memory

    google aren't going to know if you have some xperia media folders on your phone

  21. hayzoos

    I have seen this first hand on two used phones I purchased. I did not even have to use extensive methods to see the previous owner's content. I tried the factory reset a couple of times and the content remained. Same for my phone I was replacing. I used a custom recovery's wipe function and the content was no longer visible. I do not know if the content was actually removed or not.

    I do know that some older Samsung Galaxy S2's will brick if the eMMC secure erase function is called due to another bug. Other models and makes of the generation may have the same bug.

    Kinda funny, I recently read something about solid state storage can lose data over varying periods of non-powered state. I guess it's a matter of losing data when you want to keep it and data persisting when you want to lose it. Seems normal.

  22. Tannin

    Simple

    It's not hard. Just pretend you are a normal, rational human being and use the phone until it doesn't work anymore. At that point, it's worthless, throw it away. (Or destroy it in any manner you please if the data matters enough.) Along the way, you've saved enough by not buying unnecessary new dorky consumer tech-head gear every few months to treat yourself to a holiday at the destination of your choice.

  23. Machina

    Current Android users should appreciate this

    I see Android's resale value rising.

    ROFL.
