Flash memory is inexpensive and durable, but erasing it so thoroughly that the
information cannot be recovered is slow. So manufacturers compensate with quick
reset methods that erase data less completely but don't make a phone seem sluggish.
Phone manufacturers usually provide instructions for safely deleting a
customer's information, but it's not always convenient or easy to find. Research
in Motion Ltd. has built into newer Blackberry phones an easy-to-use wipe
program.
Palm Inc., which makes the popular Treo phones, puts directions deep within
its Web site for what it calls a "zero out reset." It involves holding down
three buttons simultaneously while pressing a fourth tiny button on the back of
the phone.
But it's so awkward to do that even Palm says it may take two people. A Palm
executive, Joe Fabris, said the company made the process deliberately clumsy
because it doesn't want customers accidentally erasing their information.
Trust Digital resurrected erased e-mails and other information from a used
Treo phone provided by The Associated Press after it was reset and appeared
empty. The AP ordinarily purges its phones the correct way, but for
demonstration purposes turned over a reporter's phone that had been simply reset
to see whether Trust Digital could recover the information. It did.
Once the AP phone was properly wiped using Palm's awkward zero-out technique,
no information could be recovered.
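The difference between the reset that left the AP's Treo "appearing empty" and Palm's zero-out reset is the difference between discarding the index that names the files and overwriting the storage itself. The following Python is an added, constructed illustration of that point; it is not AP's, Trust Digital's or Palm's code and does not model the Treo's real file system. The page layout, the quick_reset() and zero_out_reset() functions, the carve_text() recovery routine and the sample e-mails are all invented for the demonstration.

```python
"""Toy model of why a quick "reset" is not a wipe.

Constructed example: a flash image is modelled as fixed-size pages. Page 0
is an index of 'name:page' entries; each file sits in its own data page.
The hypothetical quick_reset() erases only the index page, so the phone's
file list is empty but the data pages are untouched. zero_out_reset()
overwrites every page. carve_text() pulls printable runs straight out of
the raw image, which is all a recovery tool needs, so the index is irrelevant.
"""
import re

PAGE_SIZE = 64
NUM_PAGES = 16
ERASED = 0xFF   # NOR/NAND flash reads as all-ones after a block erase

# Constructed sample contents, standing in for what a used phone might hold.
SAMPLE_FILES = {
    "mail/1": b"From: alice@example.com\nSubject: Q3 bid numbers\n",
    "mail/2": b"To: bob@example.com\nMeet me at the usual place.\n",
    "contacts": b"Carol;555-0100;carol@example.com\n",
}


def blank_image() -> bytearray:
    """A freshly erased flash image: every byte 0xFF."""
    return bytearray([ERASED]) * (PAGE_SIZE * NUM_PAGES)


def write_files(img: bytearray, files: dict) -> None:
    """Write each file to its own page and record it in the index (page 0)."""
    index = []
    page = 1
    for name, data in files.items():
        assert len(data) <= PAGE_SIZE and page < NUM_PAGES
        off = page * PAGE_SIZE
        img[off:off + len(data)] = data
        index.append(f"{name}:{page}")
        page += 1
    idx = "\n".join(index).encode()
    img[0:len(idx)] = idx


def list_files(img: bytearray) -> list:
    """What the phone's UI shows: only files still named in the index."""
    idx = bytes(img[0:PAGE_SIZE]).strip(b"\xff\x00")
    return [e.split(":")[0] for e in idx.decode().split("\n") if e]


def quick_reset(img: bytearray) -> None:
    """Fast reset: erase only the index page; data pages are left alone."""
    img[0:PAGE_SIZE] = bytes([ERASED]) * PAGE_SIZE


def zero_out_reset(img: bytearray) -> None:
    """Full wipe: overwrite every page of the image."""
    img[:] = bytes(len(img))


def carve_text(img: bytearray, min_len: int = 8) -> list:
    """Recovery: return printable ASCII runs found anywhere in the raw image."""
    pattern = rb"[\x20-\x7e\n]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, bytes(img))]


def demo() -> dict:
    """Run both resets on identical images and report what survives each."""
    results = {}
    for reset in (quick_reset, zero_out_reset):
        img = blank_image()
        write_files(img, SAMPLE_FILES)
        before = list_files(img)
        reset(img)
        results[reset.__name__] = {
            "before": before,
            "visible": list_files(img),   # what the UI lists after the reset
            "carved": carve_text(img),    # what a recovery tool still finds
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: UI lists {r['visible']}, carving recovers {r['carved']}")
```

After quick_reset() the file list is empty, exactly the "appeared empty" state the AP's phone was in, yet carving the raw image returns every e-mail intact. After zero_out_reset() carving finds nothing. On a real device the same check is done by reading the flash image out over a debug or programming interface and running a strings-style carver over it; if anything meaningful comes back, the reset was not a wipe.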
"The tools are out there" for hackers and thieves to rummage through deleted
data on used phones, Trust Digital's chief technology officer, Norm Laudermilch,
said. "It definitely does not take a Ph.D."
Fabris, Palm's director of wireless solutions, said after AP's inquiries that
the company may warn customers in an upcoming newsletter about the risks of
selling their used phones. "It might behoove us to raise this issue," Fabris
said.
Dean Olmstead of Fresno, Calif., sold his Treo phone on eBay after using it
six months. He didn't know about Palm's instructions for safely deleting all his
personal information. Now he's worried.
"I probably should have done that," Olmstead said. "Folks need to know this.
I'm hoping my phone goes to a nice person."
Guy Martin of Albuquerque, N.M., wasn't as concerned someone will snoop on
his secrets. He also sold his Treo phone on eBay and didn't delete his
information completely.
"I'm not that kind of valuable person, so I'm not really worried," said
Martin, who runs the http://www.imusteat.com Web site. "I guarantee that
three-quarters of the people who buy these phones don't think about this."
Trust Digital found no evidence that thieves or corporate spies are routinely
buying used phones to mine them for secrets, Magliato said. "I don't think the
bad guys have figured this out yet."
President Bush's former cybersecurity adviser, Howard Schmidt, carried up to
four phones and e-mail devices and said he was always careful with them. To
sanitize his older Blackberry devices, Schmidt would deliberately type his
password incorrectly 11 times, which caused data on them to self-destruct.
"People are just not aware how much they're exposing themselves," Schmidt
said. "This is more than something you pick up and talk on. This is your
identity. There are people really looking to exploit this."
Executives at Trust Digital agreed to review with the AP the information
extracted from the used phones on the condition the AP would not identify the
sellers or their employers. They also showed the AP receipts from the Internet
auctions in which they bought the 10 phones over the summer for $192 to $400
each.
Trust Digital said it intends to return all the phones to their original
owners and said it kept the recovered personal information on a single computer
under lock and disconnected from its corporate network at its headquarters in
northern Virginia.
Peiter "Mudge" Zatko, a computer security expert, said phone owners should
decide whether to auction their used equipment for a few hundred dollars and
risk revealing their secrets or effectively toss their old phones under a large
truck to dispose of them.
What about a case like the Lothario whose affair Trust Digital discovered?
"I'd run over the phone," Zatko said. "Maybe give it an acid
bath."