Android Factory reset fails to wipe sensitive user data, million devices at risk

Two security researchers demonstrated that the Android Factory Reset process fails to wipe private data from Android mobile devices.

Researchers at Cambridge University, Laurent Simon and Ross Anderson, revealed that half a billion Android devices could have data recovered and Google accounts took over due to flaws in the default wiping process.

The experts have analyzed Android 21 devices from 5 different vendors, including Samsung, HTC, and Nexus running Android versions 2.3 to 4.3. The researchers discovered that more than 500 Million Android devices fail to completely wipe data after the factory reset. The researchers demonstrated that it is possible to retrieve encryption keys and master tokens for Google and Facebook in 80 percent of cases. User data, including SMS, photos, and videos, can be recovered because the factory reset process in Android 4.3 Jellybean and below versions is affected by flaws. The researchers published a paper titled Security Analysis of Android Factory Resets (PDF) that includes the detailed results of the study.

“After the reboot, the phone successfully re-synchronised contacts, emails, and so on,” researchers reported. “We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone’s account.”  states the paper.

After running factory reset on every Android device, the researchers were able to retain at least some piece of data previous stored in the Smarphone, Google account credentials, including text messages, conversations on apps such as WhatsApp and Facebook.

a5

Below the five critical Reset failures discovered during the study:

  1. The lack of Android support for the proper deletion of the disk partition in devices running versions 2.3.x of the mobile operating system.
  2. The incomplete upgrades pushed to flawed devices by smartphone vendors.
  3. The lack of driver support for proper deletion shipped by vendors in newer devices such as versions 4.1, 4.2 and 4.3.
  4. The lack of Android support for the proper deletion of the internal and external SD card in all versions of mobile operating systems.
  5. The fragility of full-disk encryption to mitigate those problems up to Android version 4.4 KitKat.

“We estimate that up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630 million may not properly sanitise the internal SD card where multimedia files are generally saved.We found we could recover Google credentials on all devices presenting a flawed factory reset. Full-disk encryption has the potential to mitigate the problem, but we found that a flawed factory reset leaves behind enough data for the encryption key to be recovered.” explained the duo.

The experts already have reported the flaw to Google, the duo says also highlighted that remote wiping features for lost and stolen Android devices are affected by the same flaws.

Everyone that has sold used Android devices could be exposed to risk of disclosure for their data, the problem is serious if we consider devices that are put aside by private firms.

Cyber spies and thieves can buy or steal the mobile devices and obtain user sensitive data, including bank account information.

An attacker can obtain the list of installed apps and use it to profile the previous Android owner, for example discovering if he is a corporate executive or simple a school kid.

Google has yet to comment the factory reset issue, it suggests Android users to:

  • Remotely wiping the smartphone by hitting “factory reset” as if the phone were stolen
  • Updating the phone to a new version of Android OS that allows for encryption with a passcode

but researchers explained that this solution is not 100 percent reliable.

Lets me suggest enabling full disk encryption and used strong passwords to make hard brute forcing of master keys.

Pierluigi Paganini

May 26, 2015

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

X