My 2 Cents: This is just a heads up for all you iPhone users out there that might have had theirs replaced by Apple or have sold it!!! If you need more info about how to completely erase your device before selling / giving it away, please note the link below…

May 16, 2008: Refurbished iPhone Reveals Customer Data

A few days ago, I posted a discovery that personal data remains intact (in deleted portions of the file system) following a full iPhone restore. As it turns out, Apple may not have been aware of this privacy leak either. Thank goodness, or identity theft might actually be, like, hard. A detective from the Oregon State Police, whom I’ve verified, notified me this afternoon that an out-of-the-box refurbished iPhone he purchased contained recoverable personal data including email, personal photos, and even financial information which he was able to recover using my forensic toolkit. The photos he sent me included the individual’s name, which I’ve blurred out myself, but if you’ve ever had to return a defective iPhone, you might recognize this inbox. The more sensitive information hasn’t been posted here for obvious reasons.

What you’re looking at here is a partial list of the previous customer’s files which were recovered from the iPhone’s free space, and a screen-shot that the iPhone took itself of the user’s inbox, browser window, etc. when its user pressed the ‘Home’ button. Application snapshots are taken every time a program goes into the background to generate the zoom effects built into the device. And yes, the actual email and other personal data was also available.

UPDATE 5/21: The detective has confirmed for me that this particular refurbished phone came directly from Apple. More screen-shots below. Since the original owner’s email address was easily recovered, I’ve shot him an email asking him if he wouldn’t mind giving me a bit of history on the device.

UPDATE 5/22: I received an email back from the original owner of the device. He confirmed that it was in fact turned in to Apple for warranty repair. “Yes I did turn in my iPhone for warranty service a few months ago and they gave me a new one in exchange.”



May 5, 2008: iPhone Privacy Alert: Restore Mode Leaves Much Personal Data Intact

Many iPhone users have felt safe sending their phones in to Apple or selling them on eBay with the feeling that their personal data and digital past have been erased by performing a restore. Think those embarrassing photos are gone for good? Think again. While the restore process takes long enough to make most people (including many well-respected iPhone developers) assume the “disk” stored in NAND memory is formatted, it actually isn’t.

As part of my work on a forensics toolkit for the iPhone, I decided to test whether user data could survive a full restore in iTunes. There have been rumors floating around that the entire NAND is flashed to 0xFF when the device is restored, but this is untrue – this only occurs in a different part of the iPhone (the NOR), but not the NAND. To confirm this theory, I first deleted any backups of my device and then forced the iPhone into recovery mode. From there, I performed a full firmware restore of my iPhone, ensuring that no backups or syncing were performed. I then performed a basic recovery of the raw disk using the forensic toolkit I put together, and analyzed it. What I discovered was that deleted mail, contacts, and pretty much all of my other personal information was still residing in unallocated space on the device. My personal information was safe and sound, and available to anyone with the right skills to recover it.

What does this mean? This means that when you do a restore through iTunes, it is only the equivalent of performing a “Quick Format” on your iPhone. And for those of you who use “Erase all Content and Settings”, this has even less of an effect, as it doesn’t even destroy the file system. In both cases, all of the personal information that was sitting on the device prior to the erase or restore is still left sitting in the unallocated blocks of the iPhone’s NAND memory. To make matters worse, the restore process is likely to restore the original operating system files over the same location as the old ones, meaning very little data is likely to be corrupted at all. Let this be a caution to everyone who sells used iPhones or sends their phone in to Apple – you are releasing your personal data with it.

NOTE: I could use a couple more test phones, and at least one iTouch

Jonathan Zdziarski’s Domain
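
The “Quick Format” behaviour described in the May 5 post, as an added Python illustration that is not part of the original post or of the author’s forensic toolkit. It uses a constructed toy block device (the `ToyDisk` class, the block size and the sample mail are all assumptions, not the iPhone’s real layout) in which a restore rewrites only metadata and OS files, so earlier data stays readable in unallocated blocks until those blocks are overwritten.

```python
# Added illustration: a constructed toy block device, not the iPhone's real layout.
BLOCK = 64
ERASED = b"\xff" * BLOCK          # erased flash reads back as 0xFF

class ToyDisk:
    def __init__(self, nblocks):
        self.blocks = [ERASED] * nblocks
        self.allocated = [False] * nblocks   # stand-in for file system metadata

    def write_file(self, data):
        """Store data in the first free blocks and mark them allocated."""
        for off in range(0, len(data), BLOCK):
            idx = self.allocated.index(False)
            self.blocks[idx] = data[off:off + BLOCK].ljust(BLOCK, b"\x00")
            self.allocated[idx] = True

    def restore(self, os_image):
        """Model of a restore: fresh metadata plus OS files, nothing else touched."""
        self.allocated = [False] * len(self.blocks)
        self.write_file(os_image)

    def residue(self):
        """Indexes of unallocated blocks that still hold non-erased data."""
        return [i for i, used in enumerate(self.allocated)
                if not used and self.blocks[i] != ERASED]

    def sanitize_free_space(self):
        """Overwrite every unallocated block with residue; return the count."""
        stale = self.residue()
        for i in stale:
            self.blocks[i] = ERASED
        return len(stale)

def recoverable(disk, needle):
    """True if needle can still be read out of unallocated space."""
    return needle in b"".join(disk.blocks[i] for i in disk.residue())

def demo():
    os_image = b"OS" * 64                                   # two blocks of OS files
    mail = b"From: alice@example.test\nSubject: bank statement\n"  # constructed sample
    disk = ToyDisk(16)
    disk.write_file(os_image)
    disk.write_file(mail)
    disk.restore(os_image)                  # OS lands on the same blocks as before
    after_restore = recoverable(disk, b"alice@example.test")
    wiped = disk.sanitize_free_space()
    return after_restore, wiped, recoverable(disk, b"alice@example.test")

if __name__ == "__main__":
    print(demo())
```
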