Securely Sanitize Your iPhone Before UpgradingFebruary 2nd, 2012 | Posted by in Security Awareness & Training
Before trading in or selling that old iPhone on eBay or craigslist for the latest version of Apple’s handset, you may want to stop and think about how your personal data on the device might be at risk. Sure, you can use iTunes recovery mode, or the iPhone’s built-in “Reset” method, which claims to erase all of your data and settings on your iPhone, but just how extensive is it?
A few years ago an official from the Oregon State Police Department was successfully able to recover email, photos, and other user’s data that contained personal and financial information from a refurbished iPhone, right out of the box. This should be most disturbing for anyone who has traded or sold their iPhone and has not taken the proper measures to securely sanitize their device of all their personal and private data. Depending on what version of the iPhone you have, the factory restore methods will merely do a quick reformat on the device, rendering nearly all of your data easily recoverable by anyone with access to basic forensic recovery tools, which are widely available.
If you have an iPhone 3GS or later, these phones implement hardware-based encryption using AES256 by default. It may appear that your phone would be secure if it were to fall into the wrong hands, but unfortunately, the way Apple has implemented this security feature is completely insecure. This should be a major concern considering this encryption system is what some companies and government agencies are solely relying on for the security of the data on their iPhones. There have been numerous publicly documented ways to bypass these encryption schemes in a matter of minutes.
If you have a 3GS or later phone, the method used to “securely erase” the iPhone is simply deleting and overwriting the encryption key, which takes only a matter of minutes to complete. This method does not delete your data off the device but rather deletes the encryption keys, rendering the data on the device useless to anyone trying to access the information. This, however, is not the best practice for the protection of your “End of Life Data.” For a more secure method of sanitizing the personal data left behind on your iPhone, extra steps are recommended to ensure the destruction of your data. Multiple demonstrations of how to accomplish this task are available online, but they all do essentially the same thing by overwriting all of the data.
One of the easiest ways I researched is to simply restore your iPhone back to factory defaults and then download an app from the iTunes store called iErase. This application was written by Jonathan Zdziarski, an iPhone forensics expert. This app essentially will allow you to zero out all of the free space on your iPhone, where deleted files can still reside. This includes all of the data that was (and still is) on your iPhone before you restored it back to factory defaults. This method alone has been proven to significantly mitigate the risk of data being recovered from the device.
Another important point to keep in mind before disposing of your phone: if you have any apps that allow you to authenticate based on your iPhone’s unique physical hardware ID, you should visit the app’s website to unlink the phone to your account. You can always link your new phone to those accounts after you install the app on the new phone.
Securely sanitizing mobile devices prior to disposal or trade in is a practice that companies and organizations should include within their policy and procedure documentation as well.
Now that you are more security conscious and aware of how personal data resides on mobile devices, you can take the additional steps needed to mitigate the risk of identity theft through the compromise of your sensitive data.