Erased, Discarded Mobile Phones Still Pose Security Risk

Even discarded mobile phones threaten data leaks.

Smartphones and other mobile devices used in the workplace can pose a security threat that remains even when the device itself is no longer in use.

Forensic examination of 32 mobile phones issued to employees by a Fortune 500 company (and eventually returned to it) showed it’s possible to retrieve sensitive personal and corporate data even from devices that users or IT managers tried to wipe clean.

Misuse or lax attention to security procedures by end users is blamed for much of the reputation mobile devices have for being insecure, according to William Bradley Glisson and Tim Storer, researchers at the University of Glasgow in a paper published Oct. 29.

This isn’t the first time researchers have come to a similar conclusion. In a Ponemon Institute study published in 2011, nearly two thirds of mobile-device users admitted storing sensitive corporate data on their devices; eighty-four percent admitted using the same device for both business and personal functions.

That makes managing the security of mobile devices difficult for any IT organization, but makes devices introduced by employees under BYOD programs even more of a problem, according to a Sept. 18 report from the Information Security Forum.

Because they’re owned by employees, IT security staff have less control over either the device itself or the security procedures followed by the employee than devices chosen, purchased, configured, tested and managed by the employer, the study found.

Even mobile devices most closely controlled by the corporation are far more insecure than they should be, Glisson and Storer suggested. The two used the XRY Complete Forensic Examiners Kit to examine data from 32 mobile phones issued to employees by an unnamed Fortune 500 company, eventually retrieved and decommissioned as employees upgraded. They found more than seven thousand individual bits of data still stored in the phones’ memory, ranging from text messages to photos, contact lists, documents, audio (voice mail) files, calendars and other potentially problematic information.

The undeleted text messages contained passwords, indications that sensitive documents had been sent over wireless networks unencrypted as well as records of “inappropriate” conversations between co-workers and a number of inappropriate photos or sexual references.

Sending email or VPN passwords via text message is an obvious violation of security procedures, but even attempts to ameliorate the offense by deleting the record didn’t reduce the risk.

Securely deleting data from flash memory is far less certain than the same procedure for standard disk drives, partly due to the physical design of flash-memory chips, and partly to the software delete methods developed by their manufacturers, according to a 2011 study from the University of California-San Diego – cited by security analyst Bruce Schneier as an illustration of security issues in solid-state disk drives.

Overwrite-based erasure techniques that work well for hard drives are unreliable on flash drives, making it almost impossible to securely scrub flash memory, the paper concluded.

That difficulty, combined with the sloppy security practices of end users, turn security-controlled mobile devices into data-breaches-in-waiting even after they’re no longer in use, according to Glisson and Storer. “The amount of corporate information involved is potentially substantial considering that the study targeted low end phones” rather than smartphones, tablets or other, more data-capable devices, the two wrote.

It might be necessary to use full-time device-monitoring software to keep users from discussing or storing sensitive data using corporate devices, the two suggested. Other alternatives include developing anti-forensic software that could securely delete data on discarded phones and heavier security training and enforcement aimed at end users themselves.

“This exploratory case study clearly demonstrates the need for appropriate policies and guidelines governing use, security and investigation of these devices as part of an overall business model,” researchers concluded.

 

Image: Shutterstock.com/ Andrea Danti