Clearing Personal Data Off Smartphones Not So Easy

Used smartphones are 17 billion dollar market. Accounting firm Deloitte Global predicts 120 million devices will be bought and sold in the after-market this year. But if you're selling, the personal data that you leave behind could make that transaction a losing proposition.

The NBC Connecticut Troubleshooters wanted to know just how risky that sale can be. We logged on to Craigslist and found dozens of others for sale at a wide range of prices.

We bought an Android phone from a young father and another from Dariusz, a letter carrier on his route.

We also purchased an iPhone and an Android phone at Silas Deane Pawn in Vernon. Owner Denis Norton says when he agrees to buy a smartphone from someone who walks in off the street, they often do factory reset as a precaution.

"We do the best due diligence possible. If we don't see any red flags, more times than not we are willing to purchase the phone," says Norton.

We brought all four devices to the University of New Haven's Cyber Forensics Research Group to see how much information they could recover. The lab's founder, Abe Baggili says you take a deep dive into someone's life by looking at their phone, but they decided only utilized tools that are free and accessible to the general public.

"We just had to use a computer and the connectors that came with the phones and we were able to gain access to this specific data," says Baggili.

The iPhone 5 was secure because the user had downloaded the latest operating system upgrade, but the three Android devices were a fertile ground for personal data.

On each of the devices, the research team recovered the names and email addresses of the prior owner, plus dozens of deleted text messages and images. On one phone, the team discovered a physical address and Wi-Fi password.

"I know where the person lives, I know what they do, and now I have their Wi-Fi password. What other information can I extract about them? Or can I then use their internet for illegal activities, " says Baggili.

On another Android device, they found even more troubling information. GPS coordinates, URLs and a credit card number with the expiration date and CVV code.

"This is everything we'd need to start making purchases right now," says UNH researcher Devon Clark.

One digital image contained a gem for a would be identity thief: a photo of a college class schedule including a name, address and Social Security number.

"All the information that we would need to, in fact, take over your identity," says Baggili.

We went back to the Dariusz the letter carrier, who'd sold us his daughter's old device. He says he did uninstalled all the apps and did a factory reset. He's frustrated and vows he'll never go down this road again.

"It's not worth it. 50 bucks for the phone and somebody has so much information... It's really not worth it," he says.

Abe Baggili from UNH suggests you take one additional step: encrypt your phone before you do a factory reset. It can add an important layer of security.. whether you're trading in your device or selling it on the after-market.

Contact Us