Are “Factory Resets” a Secure Way to Delete Data?
A recent Consumer Reports article, questioning the effectiveness of the Android OS factory reset function, has raised some questions about our data erase policy. This post was written to help clients better understand how we clear data on the devices sent to us through the DATA Secure program.
First of all, most people realize that, given enough time and money, data stored on almost ANY electronic device can be recovered, so long as the device is not physically destroyed. In some instances, it may be worth the time, money and effort to recover the data on a specific device.
For instance, a high powered CEO’s laptop is burned in a fire, but the hard drive is intact…a statesman’s tablet slides off the roof of his limo and is run over by the motorcade following him…a crime boss smashes his smartphone before the authorities have the chance to confiscate it…in these cases, as you can imagine, the data can be of great value, and some may be willing to go to great lengths to recover it. For the rest of us mere mortals, the methods we use to ensure data security are effective.
The Consumer Reports article refers two methods of resetting/clearing Android devices: factory data reset and hard reset.
The standard Android OS factory data reset function, found in the devices Settings menu, is a quick and easy method to clear user data and return the device to “factory”. While it seems like the data has been erased from the device it can be recovered using free software, therefore we do not rely on this method.
A hard reset uses a hardware button/key combination to boot the device into recovery mode. From there, a device can be data wiped and reset. This is the standard industry method used to delete/reset an Android device. While it seems like the data has been erased from the device it can be recovered using free software, therefore we do not rely on this method either.
Our preferred method uses software that complies with the latest guidelines as laid out by NIST 800-88 rev 1 December 2014 for levels Clear and Purge. This method renders data recovery infeasible using state of the art laboratory techniques.
In some instances we use Androids data encryption function. When an android device is encrypted and then factory reset, the encryption key is obliterated and recovery of the data on the device is infeasible. This is a time consuming but effective method that we use on occasion.
In addition, we erase any removable storage, such as a Micro SD card, found in the device. Using the device OS to delete the storage, or even reformatting it on a computer, does not securely erase this type of storage. Free software exists that will allow anyone to recover some, if not all, data on storage erased in this manner. We use a combination of software and hardware that enables us to erase external/removable storage devices, to Department of Defense standards.
Apple and Blackberry Devices
Newer iPhones and Blackberry devices encrypt their data by default, which boosts security throughout the life of the device.
Apples iOS Security document states: “The “Erase all Content and Settings” option in Settings obliterates all the keys in Effaceable Storage, rendering all user data on the device cryptographically inaccessible.” The “Wipe Handheld” function on a Blackberry device has the same result – data on the device is rendered inaccessible.
Although effective, this method is not always available to us, since some devices are password protected. However, each iOs and Blackberry device can be reset, achieving the same result, using software tools.
When to Destroy a Device
Some devices we receive cannot be accessed because they are physically broken, don’t power up, or have some software problem that makes accessing the OS menu impossible. These devices, no matter the model or value, are used for parts or are destroyed, ensuring the data remains secure.
What You Should Do
If securing the data on unclaimed devices is important to you ask your vendor how they erase the data. If they simply perform a factory data reset be advised that the data on any device you send will not be adequately erased.
If you have any questions about our processes and policies, please contact your representative.