Used mobile devices share secrets

Smart phones and PDAs offer the benefit of storing information, but consumers may not wipe the data clean before selling the devices on eBay, according to research results released Wednesday.

Personal banking records, corporate notes on sales activity and product plans were among sensitive data found on PDAs (personal digital assistants) and smart phones sold on eBay, according to a small sampling taken by security software company Trust Digital. The problem is akin to one that plagues used computers that are sold or discarded before the hard drive is wiped clean.

"Personal and corporate data is being sold on the open market through eBay, and it's also available to anyone who finds, steals or purchases a used smart phone or PDA from any other source," Nick Magliato, chief executive of Trust Digital, said in a statement. "The general public needs to immediately be made aware of this fact."

In its sampling of 10 mobile devices purchased on eBay, Trust Digital retrieved nearly 27,000 pages of sensitive data. The users of these devices included the corporate counsel of a multibillion-dollar technology company that serves the legal market, a former employee of a publicly traded security software company, and an employee of a Web services company.

The sensitive data was gleaned from the flash memory of the gadgets, because the users failed to "hard" wipe their devices, according to Trust Digital.

The company advised mobile device users to enable the password function on their smart phone or PDAs and inquire about data security from their cellular carrier. Palm Treo 650s and BlackBerry handhelds from Research In Motion have a built-in hard wipe function. Commercial hard-wipe products are available to other mobile device users.

[ml_ess]

Same problem as computer hard drives

This is an excellent example of the "it won't happen to me" symptom... again, people need to always be aware of the risk that's involved in storing personal data on portable devices (especially PDAs and laptops which can easily be lost or stolen http://essentialsecurity.com/Documents/article18.htm).

There was another story a couple of weeks ago about recycled hard drives with personal information from the UK being sold in Nigeria... so never assume that your information is secure, unless you take the necessary measures to protect it.

[vabiro]

Solution?

This problem is definitely not going to get any better, if you think of the amount of info stored on the typical blackberry, in the form of e-mails and attachments. If you look at more versatile devices, lick pocketPC-based phones of Trios, then the risk is even bigger.

Not too many phones that are available today don't have the ability to read e-mail. They may not be very good at it, but my Razr will use GPRS to check my POP or IMAP account. When you add that to the 5 or so Mb of storage, then it could become a source of info if lost or stolen.

I think the key is starting out with some form of encryption on the device to begin with. If the recovered files are encrypted then there is not much value.

Better yet, if you could remotely delete the information when the phone goes missing that would be optimal. I think the Blackberry Enterprise Server has this, but if you're not using BES then you're out of luck.

There are a couple of products out there to help delete the info on lost phones, but I think that the one that shows the most promise is a new product from a company called Mbience (http://www.mbiencegroup.com/).

The reason I like it is that it that it seems to look at a collection of potential risks and address each one.

The other thing is that they don't require you to have some big enterprise mail solution like Exchange or Lotus. They are a the perfect solution for a small business or individual user that needs to watch out for these emerging risks.

Cheers
Victor