It seems that the factory reset for Android 4.3 and below is flawed, in that researchers were able to recover data from wiped phones. Two University of Cambridge scientists tested 21 phones from Samsung, HTC, Nexus and 2 other unspecified vendors, all running versions of Android ranging from 2.3 to 4.3, and were able to recover data from supposedly wiped phones. They did not test newer versions, so they are unsure whether the problem has been rectified, and Google did not respond when The Register inquired. The researchers had a success rate of 80% for recovering tokens for Google and Facebook and could even recover encryption keys; although the keys were still password protected, they could be brute forced. Make sure to encrypt your phone with a long password before you wipe it and sell it, give it away or toss it out!
"Half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed."
Here is some more Tech News from around the web:
- No, Your SSD Won't Quickly Lose Data While Powered Down @ Slashdot
- Microsoft brings Office 365 feel to Outlook.com @ The Inquirer
- New Windows 10 Build 10122 aims to fix file association hijacking @ The Register
- Colorful rising fast in graphics card market @ DigiTimes
- BlackBerry: we ARE cutting jobs AGAIN @ The Register
Brute-forcing a 17-digit (that’s what I’m using, usually) password that has a combination of upper and lower casing mixed with numbers, would (approximately) take them at least 10000 years, even if they’d had the whole friggin’ Tianhe-2 as their code-breaking machine. Good luck with that, lel. It’s much easier to simply implement a keylogger these days, than to brute-force anything.
Pretty much their recommendation, so you are pretty damn safe.
Your time estimate might be off though, this is from 2012 and who knows what people have cooked up by now. 25 GPUs brute force 348 billion hashes per second
“Of course this type of hardware is only good if you have a copy of the password hashes themselves.”
Nuff said.
P.S. I’ve recalculated the estimate and…yeah, that was a slight mistake of sorts, lol. For something like Tianhe-2 to brute-force that password of mine (which is also under Rijndael), it’d actually take them not the 10000 years like I thought previously, but only 3…centuries. %)
As for the “10000 years”…that actually turned out to be an estimate for the Mac Book Pro, lel.
Not as terrifying as it could be.
Now here is a very good question:
Does this apply to custom recoveries that have the “format” vs “wipe” option?
They specify in their PDF …
"We present the first comprehensive study of Android Factory Reset, by studying 21 Android smartphones from 5 vendors running Android versions from v2.3.x to v4.3."