Refurbished iPhones are an excellent source of previous users' data
It looks like you might have to think twice before flipping that old iPhone on eBay when the 3G version finally hits -- it appears that restoring the phone doesn't actually erase the contents of the flash, meaning that your data is available to anyone with the proper tools until it's overwritten. Making matters worse, it appears that Apple doesn't do a low-level format when refurbishing iPhones either -- an Oregon State Police detective was able to use forensic software to pull files, emails, and screenshots off an out-of-the-box refurbished iPhone. This actually shouldn't be surprising to anyone -- we've seen several utilities that access "deleted" portions of storage -- but since Apple doesn't provide users direct access to the iPhone's filesystem, it's basically impossible to clear your personal data off the device short of restoring and filling the disk with junk data. Hopefully iPhone 2.0's Exchange-based "remote wipe" feature is a bit more secure, eh?
[Via TUAW]
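The behaviour described above, as an added example that is not from the original article: a constructed toy model of a storage device (`ToyFlash`, `restore`, `fill_free_space` and `carve` are hypothetical names, and the restore behaviour is an assumption) in which a restore only resets the file index. The old bytes stay readable to a raw scan until junk data overwrites them.

```python
import os

BLOCK = 512  # bytes per block in this constructed model

class ToyFlash:
    """Constructed toy device: raw blocks plus the index the OS shows the user."""
    def __init__(self, blocks=64):
        self.raw = bytearray(blocks * BLOCK)  # what a forensic tool reads
        self.index = {}                       # name -> (first block, length)
        self.next_free = 0

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK)      # ceiling division
        if self.next_free + nblocks > len(self.raw) // BLOCK:
            raise OSError("device full")
        start = self.next_free * BLOCK
        self.raw[start:start + len(data)] = data
        self.index[name] = (self.next_free, len(data))
        self.next_free += nblocks

    def restore(self):
        """Assumed model of a restore: rebuild the index, leave the blocks alone."""
        self.index.clear()
        self.next_free = 0

    def fill_free_space(self):
        """Write junk until the device is full, then drop the junk files."""
        count = 0
        try:
            while True:
                self.write_file(f"junk{count}", os.urandom(BLOCK))
                count += 1
        except OSError:
            pass
        self.restore()
        return count

def carve(device, marker):
    """Scan raw blocks for a byte pattern, ignoring the index entirely."""
    return device.raw.find(marker) != -1

def demo():
    dev = ToyFlash()
    mail = b"From: alice@example.com\nSubject: account details"  # constructed sample
    dev.write_file("mail.eml", mail)
    dev.restore()
    listed, recoverable = list(dev.index), carve(dev, mail)
    junk_blocks = dev.fill_free_space()
    return listed, recoverable, junk_blocks, carve(dev, mail)
```

`demo()` returns `([], True, 64, False)`: nothing is listed after the restore, yet the mail stays recoverable until the fill. Real flash adds wear levelling and spare blocks, so a fill through the filesystem may not reach every physical cell.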

Reader Comments (Page 1 of 2)
Kaiser-Machead @ May 20th 2008 4:04PM
Lame. iPods can be wiped completely without issue, so the iPhone should be no different. I'm glad I'm not playing the early adopter game this time around.
Don Wilson @ May 20th 2008 4:27PM
Settings > General > Reset > Erase All Content and Settings
Quick and simple. I saw the Genius Bar technician do it and he made me confirm to reset the iPhone when I turned mine in to exchange (broken power button).
o rly @ May 20th 2008 4:35PM
It seems like Doug Wilson didn't even read the synopsis, much less the article.
jefffaucher @ May 20th 2008 4:37PM
Seems like O rly didn't read Don Wilson's name properly.
Hardy har har...
Ryan @ May 20th 2008 7:56PM
Watch... in a week, Apple will sell a feature to fully wipe the phone's memory for $19.99, citing that they would prefer to give it away free, but must charge due to 'accounting purposes'.
SimonRichards @ May 20th 2008 8:51PM
Don't be silly. It will be free for iPhone users but will cost an extortionate amount to iPod Touch users.
Oinquer @ May 21st 2008 5:26AM
10 bucks to iPhone and 20 to iPod touch
Adam @ May 21st 2008 5:16AM
Dude, it's been out for almost a year. I think you can buy it and not be an early adopter now.
o rly @ May 20th 2008 4:07PM
...another reason why it's not a business phone, nor very "smart."
I wonder how much longer a low-level format would REALLY take Apple, instead of doing a simple re-flash.
frauhottelmann @ May 20th 2008 4:09PM
Agreed. I can wipe my WinMo phone by sending a text message lol
If you put in a new SIM card it'll send me a notification with the number.
p3t3b2 @ May 20th 2008 6:52PM
Wow!! You would think a '$600 phone' would have a security wipe feature, that's good ol' Apple for ya!
bobartig @ May 20th 2008 7:27PM
Writing over the entire storage partition might take another 10 minutes on top of the regular restore process. This is really quite lazy of Apple, and a rather serious security leak. Anyone who's had their iPhone replaced could now have personal data floating out there.
I don't know how most remote wipe features work, but I doubt any of them perform a secure erase, mainly because you can't even be assured that the phone will have sufficient battery power to complete the operation. Solid state is efficient power-wise, but constant disk write for 10 minutes is not something cell phones are designed to do.
omh @ May 20th 2008 7:48PM
bobartig: You can encrypt everything, and then just overwrite the encryption key. That's what a Blackberry does, at least a well secured corporate one.
iEye @ May 20th 2008 4:07PM
Nevertheless, the Apple iPhone is a far superior device compared to all other phones on the current market...and it can play D......
Kaiser-Machead @ May 20th 2008 4:11PM
The iPhone is a fantastic device, but I think we're seeing the side effect of putting oodles of thought into the usability and sacrificing key functions to make the deadline. That said, the iPhone is likely going to get all of the most important functions before the year is out, but I myself intend to wait until it's mature enough so I don't have to deal with those glaring deficiencies. If I get an iPod touch before then, then I guess I'll just get a new Sony Ericsson and fuggetaboutit.
Pochi @ May 20th 2008 4:12PM
Far superior. Unless you value your privacy.
But who really gives a crap about that kind of stuff, right? It has coverflow, oooooh!
matt @ May 20th 2008 4:41PM
I'm pretty sure the iPhone is far superior in only very few ways, including (but maybe not limited to):
-Internet browsing (ONLY on WiFi though)
-HTML email
-Pretty user interface
-Threaded SMS
I'm also pretty sure that other smartphones are far superior in the ways that are either very basic or actually matter including (but not limited to):
-Decent security of any sort (Remote wipe, data scrubbing, encrypted data, etc.)
-WiFi security compatibility (specifically the ability to employ various security algorithms that iPhone simply does not support, thus making it worthless in many secure WiFi environments)
-Push email
-Compressed web browsing (through programs like Opera or Skyfire) for web surfing in EDGE-only areas
-Search abilities in long lists of messages (or anywhere else for that matter)
-MMS
-Reliability of phone calls
-Customizable sound profiles for different environments
-A speaker that is actually audible when the windows are rolled down in your car
-Navigation capabilities (and no, triangulated GPS through Google Maps is NOT an answer)
So I implore you, iEye, to tell us exactly how you can call "the Apple iPhone is a far superior device compared to all other phones on the current market." I'm not sure what's most important to you, but surely what I've listed above is not untrue.
And yes, I've owned probably every device currently out there, including the iPhone. And I also know that Apple has the potential to fix the above listed shortfalls. So don't tell me what Apple is planning on doing. I'm talking about today, May, 2008, and prior.
fhlh89 @ May 20th 2008 4:44PM
idiot...
Steve A. @ May 20th 2008 4:50PM
Matt, don't forget that many winmo phones have the ability to tether and share their internet connection with a laptop via USB or bluetooth. For users in our industry, that is a must. Until the iPhone can do that, it's considered a toy for us.
My 8525 3G phone has 1500kb down, 600 kb up and a ping of 180. Not bad for mobile.
matt @ May 20th 2008 5:35PM
You're right, Steve. I was sure I'd be forgetting something, hence the "including (but not limited to)" in my description :-)
SirPasta117 @ May 20th 2008 4:07PM
Is that illegal?
potato @ May 20th 2008 4:16PM
Not illegal, just dangerously stupid.
anonymouspimp @ May 20th 2008 4:15PM
Holy crap... I'm sitting here thinking about the sensitive/confidential documents that go through my BB... That would not be good.
Neeko @ May 20th 2008 4:17PM
That's pretty scary that all the refurb iPhones in the world still have your CC info and personal banking info... Or confidential business emails still stored on them after you thought you formatted it...
Yeah, I would be pissed if I was a user... Let's see how long this will last before the Apple fanboys storm the tower demanding APPLE fix this.
How long do you think it'll take for someone to try and sue APPLE b/c their personal info was found on a refurb iPhone that they thought had been deleted by a format?
iEye @ May 20th 2008 4:19PM
Apple will appease the masses by handing out a coupon for $100 off the next iPhone...
Andrew @ May 20th 2008 4:52PM
Yeah, because giving $100 worth of credit covers for something bigger that COULD potentially happen if someone were able to find information and use it and inflict various damage to the prior user...
Nick M. @ May 20th 2008 5:05PM
I see Apple running out of stock of refurb iPhones quite quickly due to identity thieves reading this article.
bondsbw @ May 20th 2008 7:48PM
So far, Apple has been decent about delivering security updates. I hope this one is the same way.
spellprince @ May 20th 2008 4:22PM
iPhOWNED!
carl @ May 20th 2008 5:57PM
iGroaned
superklye @ May 20th 2008 4:24PM
Why the hell are people doing banking and credit card related stuff on their iPhones?
Ian @ May 20th 2008 4:36PM
agreed.
Lein @ May 20th 2008 4:41PM
Well, probably because it has the most heavily advertised full-featured browser on a mobile device, and with it you should be able to do whatever you damned well please?
That said, if the USER is a moron, that's not Apple's fault. Although I guess you could argue that it IS their fault, what with their ridiculous campaigns touting their software as being the most secure and stable, giving their user a false sense of security.
Andrew @ May 20th 2008 4:42PM
I also agree, but I guess people interpreted how Apple marketed/advertised the iPhone and its internet capabilities. By Apple saying the iPhone would be able to browse web pages like you would on a reg. desktop or do things like you would be able to do at home on your computer would make an uninformed user think that it would have the same security measures of a desktop.
Bryan @ May 20th 2008 4:54PM
Why would you own a mobile device if you didn't use it to do your daily tasks? It's just a pretty little solitaire playing phone if you aren't using it to do tasks "on the go" that you would normally do on your laptop or desktop.
Carl @ May 20th 2008 4:52PM
Most users think about security as an afterthought; usually when something bad's happened.
Timmy @ May 20th 2008 4:26PM
Remote wipe sounds kinda dirty
snitch @ May 20th 2008 4:32PM
It's not only the iPhone, this can be done to any device otherwise it wouldn't be for sale. Also don't expect this software to be in the hands of anyone but top ranking law enforcement agencies, this is not something your local narcotics office will have its hands on either, I don't think. Anything can be done but I doubt law enforcement will do forensics on a phone just for any little dumb thing.
Bryan @ May 20th 2008 4:54PM
What are you talking about? This is something that the guys I work with could figure out in their spare time. You don't need to work for a law enforcement agency in order to be able to hack an iPhone.
David @ May 20th 2008 5:24PM
nothing a quarter inch drill bit couldn't prevent...
HyperHacker @ May 20th 2008 8:31PM
The entire problem is that the data is not erased properly, thus it's ridiculously easy for *anyone* to recover.
Fred @ May 20th 2008 4:35PM
How quickly do you think this will become a nonissue? Apple is gonna issue an update and you'll be able to do a complete dump. I agree that it's sad that this is happening but the guy listed in the story did say that he used "forensic software" to get the files, it wasn't like some guy just was clicking through and found the stuff. How many other devices is this true of? Stop running around screaming like the iPhone is the only device that is potentially insecure!
Waveblade @ May 20th 2008 4:44PM
I dunno, it's pretty standard of Apple to have their devices and hardware to be on "lockdown". This flaw or plus (in this case, it is a flaw), not being able to erase all your data is pretty sketchy.
shaka999 @ May 20th 2008 5:22PM
The question is why wasn't it done in the first place.
kal326 @ May 21st 2008 10:37AM
Even if it is fixed, it doesn't really help all of the people that have already turned in their phones and have been resold or are available for sale. I doubt Apple is going to go back and wipe every ready for sale refurbished phone it has in inventory.
Andrew @ May 20th 2008 4:36PM
Forget about the iPhone can do this and that, this is some serious and scary stuff here. And what's more disturbing is even the iPhones refurbished from Apple themselves are not thoroughly formatted before selling again. If I had an iPhone that I sent back for whatever defect and had information on it and thought it was released, I would be going crazy right now knowing that it's still on there. Even if Apple didn't include a format app on the iPhone itself, they could have easily programmed a separate app you can download and run to format the iPhone.
As an Apple fan, this is extremely disappointing, security should have been a top priority and it's not a good enough of an excuse by anyone (not even Apple) to say it's our/their first phone.
bondsbw @ May 20th 2008 7:54PM
Agreed. At one point, I thought I would have to take my iPhone in to get repaired/replaced. I fixed it myself with some effort, but I'm scared now at the data that could have been given away if it were resold.
Poke4Christ @ May 20th 2008 4:37PM
Wow, this is a major security hole. I'm surprised by Apple. Shame!
retro77 @ May 20th 2008 4:53PM
I'm just laughing at all the lowly ranked iPhan-boys.....lol times
Andrew Pearson @ May 20th 2008 5:12PM
So.... if it's jailbroken and you can access the filesystem, what do you need to delete?