14 DAY TRIAL // An estimated 500 million Android devices have a flawed implementation of the “factory reset” feature, allowing recovery of sensitive private information added by the owner.
Factory reset is designed to restore Android’s system partition to its original state, as intended by the vendor. Its purpose is to completely obliterate any data appended by the user so that the device can be sold or recycled without any privacy risk.
The feature also includes the option to sanitize the external storage drive (if present), where users save camera pictures, multimedia content, documents; but researchers estimate that on up to 630 million devices, the information in this location is not fully cleared either.
Full-disk encryption does not solve the problem
The study was conducted by researchers Laurent Simon and Ross Anderson at the Cambridge University, who tested mobile phones running Android versions 2.2 to 4.3 (purchased between January and May 2014), which are representative for the second-hand market at acquisition time.
Following factory reset procedure on 21 handsets from five different vendors, the researchers were able to retrieve the Google credentials on all devices with a flawed implementation of the feature.
In a report on Thursday disclosing their findings, they say that full disk encryption may solve the issue, meaning that the information left behind would be protected, but the faulty reset process also permits the recovery of the encryption key.
These keys are stored in an encrypted file (called “crypto footer”) on the device, protected with a key derived from a user-defined password which has been salted.
However, since the password is required to unlock the phone, it is likely that the string is a weak one, of four to six characters. If an attacker recovers the crypto footer, they can brute-force the password offline.
Google authentication tokens recovered from all tested devices
Although the information retrieved during the evaluation was not complete, it was sufficient for compromising the privacy of the former owner of the device. On all tested handsets, it was possible to recover emails (only a few per device, in 80% of the cases), text messages and/or chats exchanged via different messaging apps.
However, a more important risk was highlighted by the recovery of authentication tokens used for automatic login after the username and password is entered for the first time. Retrieving them allows hijacking the user accounts.
In an experiment, the researchers managed to recover the authentication token for a Google account, and after creating the relevant files and rebooting the phone, the data was synchronized with no problems.
“We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone’s account,” they informed.
Vendors did not include driver support for correct data wipe
Five causes have been identified to lead to this effect, two of them pointing to vendors, as they failed to implement driver support for proper deletion (on Android 4) or they pushed incomplete updates for the operating system.
Another cause is “lack of Android support for proper deletion of the internal and external SD card in all OS versions,” the report explains.
Also contributing to the insecurity of factory resets is fragility of the full-disk encryption when trying to mitigate the problems on Android versions up to 4.4 (KitKat).
Potential attackers
The second-hand market for these devices is flourishing as people exchange them for newer, better models. They can be easily purchased from online spots such as eBay, but given the time necessary to obtain the data and the tools involved, it is not profitable to online shoppers to take such an endeavor.
On the other hand, retailers with buy-back programs can get them for lower prices and they also have the technology to scan for the data, researchers say. Moreover, they could also screen high-value targets, when talking to customers.
A foolproof solution provided in the report for completely wiping the data post factory reset is to overwrite the system partition “bit-by-bit,” but it is not an approach that can be easily embraced by a regular user because root access is required.
Another method is to run an app, post factory reset, that fills the system partition with random byte data. But researchers dismiss this solution as potentially unreliable because such apps do not have direct access to the storage drive and use the file system, which varies across devices.
