Cell phone warning: Deleted personal information often left behind

Deleting information from your cell phone before you get rid of it may not be as easy as it seems.

Is it safe to sell or donate your old cell phones? 13 Investigates discovered personal data often lingers on cell phones – even after the information has supposedly been erased. Experts say millions of phones are affected, putting millions of consumers at an increased risk of identity theft.

Terry Barnhill has a bunch of old cell phones she wants to get rid of.

"Right now I have six of them," she told WTHR, pulling out a bag of used phones. "We upgraded my old phone, so I really don't need these anymore."

Barnhill isn't alone.

Industry figures show more than 1.6 billion new cell phones are sold each year, and the average American cell phone is replaced every 22 months.

The question is: what should you do with your old phones when you're done with them?

Phones put to the test 

"I usually fix them up and sell them on eBay or donate them," Barnhill said.

The "fix" she relies on is the same one used by millions of other consumers before parting with an old cell phone. It's known as a factory reset.

"I went ahead and reset the phone to erase as much as I can erase," explained Barnhill. "There shouldn't be any of my information on there. I wiped it clean."

Many security experts say performing a factory reset on your old phone is exactly what you're supposed to do if you plan to sell or donate it. According to the nation's major wireless carriers, a reset will erase all personal information – such as texts, contact lists, photos and important user data – from your phone's memory.

But does it work?

13 Investigates took Barnhill's phones to the Purdue University Cyberforensics Lab to find out.

Eric Katz, coordinator of Purdue's cyberforensics law enforcement program, examined the phones, which had all been "wiped clean" by a factory reset.

He then connected the phones to a data extraction device to analyze what information – if any – was left behind on the phones.

"There's a lot of information left on this one," he said moments after connecting a Motorola Razr. "It's definitely pulling some sort of data. There's no way there's nothing on this phone."

"A lot of damaging information" 

It took Katz less than three minutes to extract personal contacts, text messages, dozens of pictures, banking information and account numbers from the phone.

The cyberforensics expert has access to state-of-the-art equipment to find the erased information, but he says most of the data can be retrieved by untrained consumers using free software available on the Internet. 

"There's a lot of damaging information that can be found on these phones," he said.

On other cell phones, Katz also found text messages, photos, phone numbers, contact lists and voicemail messages that were thought to be deleted following a factory reset performed on each phone.

"Oh, that's embarrassing," Barnhill said after she saw the photos and information retrieved from her phones. "I'm surprised that there's stuff on it because I did a factory reset. If I want to give these away, I definitely don't want my information out there."

So why is deleted information not really deleted?

"People think they've wiped their phones when they reset them and deleted everything, but that's not necessarily the case," explained Dr. Sam Liles, a Purdue cyberforensics professor. "It's reset the phone itself, but the data is left behind."

Erased – sort of  

To better understand what Liles is talking about, think of your phone as a library that contains three types of information:

Operating data -- manufacturer information that tells your phone what to do

Personal data -- information you enter and store in your phone

Directory data -- organizes your personal data, allowing you to find it

For some cell phones, a factory reset overwrites all of the personal data, effectively destroying your personal information and making it permanently inaccessible. (Good!)

On other phones, however, a factory reset only overwrites the directory data. (Not so good!)

Overwriting the directory is equivalent to destroying the card catalogue at a library. Without the card catalogue, it's difficult to know whether a specific book exists at the library and, if it does, finding the location of a specific book becomes much more challenging. But the books are still there.

Likewise, wiping out the directory data in your cell phone will give the impression there is no personal information remaining. In reality, the personal data is left intact because only the directory data – not the personal data – was overwritten by the reset.

"If you go in with the right tools, you can get the information out," Liles explained. "We've found there are a lot of phones that, even with a factory reset, you can still pull data out of them – a lot of data."

That is not the impression you'll get if you read the reset instructions issued by major cell phone carriers.

Verizon says "performing a hard reset removes all data..."

AT&T advises "a master reset … will permanently erase all personal data, preferences, settings and content."

T-Mobile claims "a master reset (factory reset) … erases all user data."

Is your phone affected?  

Despite those statements, the wireless phone industry acknowledges resetting your cell phone will not always delete the personal information stored inside.

"Resetting your phone is not going to ensure the data is erased, said John Marinho, vice president of cybersecurity and technology at CTIA, a trade organization that represents the wireless communications industry. "In some cases the factory reset will wipe the device clean and in others it won't. It really depends on the model and the device… the factory reset is inherent to the design of the device so it varies from manufacturer to manufacturer."

Liles said it is very difficult for consumers to know which cell phones offer adequate security from a factory reset and which do not.

"It really depends on the phone," he said. "On a lot of phones you can pull everything out fairly quickly. In some cases, it can take hours upon hours to get the data out of just one single phone. On some phones, all the data will be completely overwritten, although that's a pretty rare situation."

On one of Barnhill's cell phones – a Droid X – Purdue researchers could not retrieve any personal information at all.

Katz says it is nearly impossible to tell which phones will be thoroughly wiped clean by a factory reset without a detailed analysis, although he said certain models tend to perform better than others.

"Blackberrys are really good. That reset is pretty foolproof," Katz said. "But I can usually always find information on an iPhone. Even when a user thinks it's gone, I can usually find it," he said, after retrieving a list of incoming calls from a freshly reset iPhone 5.

"The risk is real"  

While cell phone security features have improved in recent years, used cell phones still pose a security threat to consumers, according to Rick Mislan, a former communications electronic warfare officer for the U.S. Army who now serves as a professor at the Rochester Institute of Technology's Golisano College of Computing and Information Sciences.

"[Used] phones that are purchased online with master resets are still full of information," Mislan said. "We've received phones that are loaded with data and images that you wouldn't want to get out. There are actually people out there exploiting this information. The risk is real, not theoretical."

Liles agrees that leftover data on cell phones presents a risk.

"Many of these phones have a map of your life on them," he said. "Identity theft is a huge issue and it's a growing industry, and when you consider what you put on your phone and how vulnerable some of that information can be, simply selling your phone for a few bucks might not be worth it."

More than 11 million cases of fraud related to identity theft are reported each year in the United States. Most cases involve an undetermined source, and there are no statistics reporting the prevalence of crime related to information from cell phones.

So what do the experts do with their old cell phones? Liles says he doesn't take any chances.

"Pull the battery out of them and crush them," he advised. "I just destroy mine. The risk of having somebody take that phone and being able to hurt my family is too much. Most people are too nice to do something like that, but there is that risk and I'm not going to take it."

How to protect and delete your personal info  

Destroying your phone is not the only option.

Selling, donating and recycling are all viable choices -- as long as you follow a few crucial steps....

1. CTIA recommends you download a data eraser application to your cell phone before you part with it. Some of those apps really do wipe your phone clean, according to Marinho, and some are even free. "There is no certainty when it comes to the [factory] reset, so we recommend the extra precaution of erasing the information with an application," Marinho said. CTIA provided this list of apps you can consider. (Look under the "wipe" column.)

2. It's not guaranteed to wipe out your private information but go ahead and reset your phone to the original factory settings. Even if there is some personal data left on your phone after this step, the factory reset will at least delete the data directory to your private information, making it harder for someone else to find any sensitive information. 

3. If your phone has an SD card and/or a SIM card, remove them! Those memory cards can contain a lot of information that you never want to pass along to a stranger. Factory resets are designed to erase information from the phone's internal memory, not from its external memory card.

4. Do not simply throw away your old cell phone. Many phones – especially older ones – contain toxic materials, so if you're concerned about security, disable your phone (hammers can work nicely) and then RECYLCE IT. Some recyclers, like Recycle Force in Indianapolis, say they offer only "end-of-life recycling." That means they do not resell your phone; they dismantle and melt it to recycle its valuable metals. (Very difficult to steal personal data from a melted cell phone!) Here are some recycle options to check out:

Recycle Force
1125 Brookside Avenue, Suite D12
Indianapolis, Indiana 46202

Green Wave Computer Recycling
9206 E 33rd Street
Indianapolis, IN 46235

Julian Center
2011 North Meridian Street
Indianapolis, IN 46204
(317) 941-2204



GRC Wireless

Barnhill still plans to donate her phones to a local charity… after she takes some additional security measures.

"I want them to go to someone who needs them," she said. "But it does make you think. Your personal life could be in someone else's hands if you give away your phone without knowing what steps to take."