"One cannot just take the manufacturer's word for it that they do," he said, adding that the number of devices his team tested that had problems removing data was "relatively small," but still significant. Those problems, which again could create security nightmares for both individuals and enterprises, included:
- Remote wipe did not always resume if interrupted by the user.
- The same problem occurred for a local wipe in some devices.
- While a local wipe may work, it does not wipe the data on the SD card.
- Some devices don't wipe data if that data is encrypted.
- Other devices don't wipe unencrypted data.
Blake Turrentine, owner of HotWAN and a trainer for BlackHat, said another potential problem is that cloud syncs could still be enabled on devices that have otherwise been wiped. Indeed, there are multiple instructional videos on YouTube on how to recover "loss or erased" data through a cloud bypass.
There is plenty of advice online about how to improve your odds of eliminating data and possible malware on used devices. The Federal Trade Commission advises those looking to sell a device to do the factory reset and also to remove or erase SIM and SD cards, and then to run a check to make sure that phone logs, voicemails sent and received, emails, text messages, downloads and other folders, search histories and photos have all been eliminated.
The online auction site eBay also offers advice, which includes finding the electronic serial number (ESN) of a used smartphone, typically underneath the battery, and then contacting the manufacturer to check on its history, including whether it was ever reported stolen.
But experts warn again that the standard protocols may not be sufficient. "In most devices, a simple factory reset will delete all apps, including user level malware," deBoer said. "However, do not expect a reset to remove root level malware. By flashing the device with clean firmware, a buyer can reset the full system and not just the user apps. This defeats most -- even root level -- malware, but even then very advanced malware may still persist."
Another risk, according to the avast! Blog, is that, "some sellers still don't store their data on removable micro SD cards or internal storage devices. In such cases, an investigator can simply attach the cell phone via USB cable to a computer and it mounts storage as Removable Storage."
More than one expert has said that enterprises for which security is a major priority should not allow refurbished devices to be used on their networks, since the only way to really eliminate the chance of malicious code lurking in a device is to "take a hammer to it."