OUCH! | May 2012
IN THIS ISSUE…
• Stored Information
• Wiping Your Device
• SIM Cards / SD Cards
• Options For Disposal
• Special Training Offer
Safely Disposing of Your Mobile Device
The Ouch! team would like to welcome and thank Mr. Joshua Wright as our guest editor. Mr. Wright is a SANS senior instructor and author of SANS’ wireless security (SEC617) and mobile device security (SEC575) courses. You can follow Mr. Wright on Twitter at @joswr1ght or on his website at http://www.willhackforsushi.com.
Mobile devices, such as smartphones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. A key question becomes, What are you doing with your older devices? Many people simply dispose of their older mobile devices with little thought about all the personal data they have accumulated. However, a surprising amount of personal information is stored on these older devices. If your devices are not securely wiped before disposal, this information can easily be recovered, exposing you or your organization to tremendous risk.
Mobile devices store far more sensitive data then you may realize, perhaps more than your computer. When you dispose of your device you could be exposing the following information:
• The contact details for everyone in your address book, including family, friends, and co-workers
• Call history, including inbound, outbound, and missed calls
• Text messages or logged chat sessions
• Location history based on GPS coordinates or cell tower history
• Web browsing history, cookies, and cached pages
• Personal photos, videos, audio recordings, and emails
• Stored passwords and access to personal accounts, such as your voicemail
WIPING YOUR DEVICE
Before you begin securely wiping your mobile device, consider whether or not you want to back up any of your data, such as photos, videos, or any other information. Once you’ve followed the steps below, you will not be able to recover any of your data. In addition, if your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below.
Unfortunately, just deleting your data is not enough, it can still be recovered. We recommend that you use the device “factory reset” function to remove all data from the device and return it to the condition it was in when you bought it. We have found that factory reset will provide the most secure method for removing data from your mobile device. The location of the factory reset function varies among devices; listed below are the steps for the most popular devices.
• Apple iOS Devices: Settings | General | Reset | Erase All Content and Settings
• Android Devices: Settings | Privacy | Factory Data Reset
• Windows Phones: Settings | About | Reset Your Phone
• BlackBerry Phones: Options | Security Options | Security Wipe
If you still have questions about how to perform a factory reset, check your owner’s manual or the
manufacturer’s website. Another option is to take your mobile device to the store you bought it from and get help resetting it from a trained technician. Remember, simply deleting your personal data is not enough as it can be easily recovered.
In addition to the data stored on your device, you also need to consider what to do with your SIM (Subscriber Identity Module) card. Many mobile devices use a SIM card to uniquely identify you and your account information when you place and receive calls on a mobile network. When you perform a factory reset on your device, the SIM card retains information about your account. If you are keeping your phone number and moving to a new phone, talk to the phone salesperson about transferring your SIM card to the new phone. If this is not possible (for example, if your new phone uses a different size SIM card) keep your old SIM card and physically shred or destroy it to prevent someone else from re-using it.
SD CARD SIM
EXTERNAL STORAGE CARDS
Some mobile devices utilize an external SD (Secure Digital) card for additional storage. These storage cards often contain pictures, smart phone applications, and other sensitive content. Remember to remove any external storage cards from your mobile device prior to disposal (for some devices, your SD cards may be hidden in the battery compartment of your device). These cards can often be reused in new mobile devices or can be used as generic storage on your computer with a USB adapter. If reusing your SD card is not possible, then just like your old SIM card, we recommend you physically destroy it.
OPTIONS FOR DISPOSAL
When it comes to disposing of your old mobile device, instead of throwing it out, consider recycling it
instead. Most carriers offer a discount on your next purchase when you recycle. Another option is to donate your mobile device to the charitable cause of your choice. Below are just some of the many places you can either recycle or donate your mobile device.
Recycling Mobile Phones
EPA Mobile Phone Donations Site
National Coalition Against Domestic Violence
Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.
Common Security Terms:
SANS Security Tip of the Day:
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org
Does your Small or Medium organization need help with securing the most vulnerable part of your organization? Check out a great program to train up to 750 Users for just $3,000. Program runs only from June 01 to July 31, 2012. Learn more at: http://www.securingthehuman.org/programs/sme
OUCH! is published by the SANS Securing The Human program and is distributed under the Creative Commons BYNC-ND 3.0 license. Permission is granted to distribute this newsletter as long as you reference the source, the distribution is not modified and it is not used for commercial purposes. For translating or more information, please contact email@example.com.
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Cara Mueller
© The S A N S Institute 2012 http://www.securingthehuman.org