Secrets can be extracted from used cellphones

Sam Bachman is a frequent upgrader. Not of cars or homes, but of his "smart phone." Hooked on the convenience of a cellphone that's also a mini PC, calendar and address book, the social worker just bought his sixth Treo smart phone. And before advertising his old model for sale online, he took what he thought was a savvy step: He "reset" the device to wipe it free of data.

Or so he thought.

It turns out that hackers or sleuths armed with commercially available software can resurrect erased data on cellphones, including address books and calendar contacts, photos, videos and e-mails, turning used phones into a treasure trove for identity thieves, security experts say.

"You could re-create someone's entire life from the data you recover from these devices," said Norm Laudermilch, chief technology officer for Trust Digital, a McLean, Va., security company that helps companies and government agencies protect data.

Cellphones with lots of memory are essentially little computers. They pose a special risk because of two converging trends: their size and portability, making them easier to lose, and the fact that people are increasingly documenting their lives through their phones.

"It is amazing how a couple of megabytes of data on a cellphone can reveal so much about you — the last place you were, the last person you talked to," said Amber Schroader, chief executive of Paraben Corp., a forensic software firm that teaches law-enforcement agents how to get cellphones to spill secrets.

Bachman, 43, said he carries his Treo everywhere and loves the feeling of not being "tethered to my home and my computer." In stores, if he wants to comparison-shop, he can go online to check a price. At Starbucks, he can track his caloric intake after ordering that venti latte — about 400 calories. He snaps pictures and shoots video of his three children. On his new Treo 700, he can listen to Internet radio as he trains for the Marine Corps Marathon.

But until a reporter called to ask how he had erased the data on the used phone he was selling on Craigslist, Bachman said, he never realized how vulnerable his data was to theft.

His 143 passwords and PINs for various check-cashing cards, online bank accounts and e-mail services were stored on the phone in an encrypted form, which would have made it almost impossible for a hacker to access them. But the other data he thought he had erased — personal contacts, pictures and Web search terms — were recoverable, experts said.

Cellphones store data on a type of chip known as flash memory. The phone operating system never actually erases data, though. It "dereferences" it, or deletes pointers to where the data are located, so the phone essentially "forgets that it's there," said Bruce Schneier, a security technologist in Mountain View, Calif. That is similar to what happens on personal computers — the files remain on the hard drive; only the references are deleted.

There are 220 million cellphone subscribers in the United States. Typically, cellphones are used for 1-½ years before they are replaced, providing ample opportunity for data breaches through lost, stolen, sold or recycled models.

Trust Digital recently bought from eBay 10 used smart phones, each with at least 40 megabytes of memory, for an experiment in data recovery. Using simple software created in-house, the firm's technicians retrieved an astonishing variety of information — one company's plans to win a multimillion-dollar federal transportation contract, e-mails about another firm's $50,000 payment for a software license, bank accounts and passwords, medical prescriptions, and receipts for utility payments.

The fact that cellphones can give up secrets makes them as valuable to law enforcement as to criminals.

Lee Reiber, a Boise, Idaho, police detective specializing in cellphone forensics, has used recovered phone data to crack homicide, child-abuse and domestic-abuse cases. A man suspected of being a pedophile was undone by his phone. "We had all his pictures," Reiber said.

The maker of the Treo phones, Palm Inc., has developed a method that not only erases but also overwrites the data with 1's and 0's, sometimes called the "zero-out" method. Instructions can be found on the Palm.com Web site by searching "zero-out reset" or "factory reset."

Other companies making smart phones include Nokia and Siemens AG.

Trust Digital recommends that cellphone owners seek advice from device manufacturers, carriers that sold them their phones or their companies' information technology administrators. The Web site Wirelessrecycling.com provides directions for erasing data from many models.