Sensitive Data On Phones And Tablets Can't Be Erased, Researchers Say

Making sure that deleted data is really gone has never been easy, and it just keeps getting more difficult. On February 16, a group of researchers reported that it's almost impossible to reliably erase sensitive data from flash-based storage: solid-state drives, USB thumb drives and, by extension, the flash chips inside smartphones and tablets. In fact, nearly 85 percent of a "deleted" file may still exist in flash memory, even after using overwriting techniques that would obliterate data from a conventional hard drive.

That means the most mobile of devices, which are the hardest to physically secure, are also the hardest to keep safe from a data perspective. And at a time when retailers are beginning to hand tablets and smartphones to associates so they can let customers check out anywhere in the store, it raises a serious question: If a thief walks off with that mobile device, just how much sensitive information could the thief get access to? Short answer: A lot, if he's willing to open up the device, remove the flash memory chips inside and read them directly.

That's what the researchers from the University of California, San Diego, did. They tested a variety of solid-state drives, including USB thumb drives, by loading them with data, erasing and overwriting the data using various techniques known to work well on conventional magnetic disks, and then opening the devices and checking the chips to see what had survived.

The results are pretty depressing. On thumb drives—which are probably the riskiest place to put sensitive data anyway, because they're so easily lost or stolen—a file that had been overwritten 10 times was barely gone at all at the chip level: 84.9 percent of the data survived.

Put simply, what works for magnetic hard drives (writing new data on top of the old) doesn't work on flash drives. There's simply no safe way to store sensitive data in the clear on those drives, because there's no way to reliably delete it afterward. The only secure way to deal with that data is either to encrypt it before it is written or never to store it on the thumb drive or smartphone in the first place.

Here's the problem: On conventional hard drives, it's possible to actually overwrite data on exactly the same spot on the magnetic surface. Change those bits magnetically, and the sensitive data is gone.

But flash drives don't work that way. A flash chip can write only to pages that have already been erased, and it can erase only in large blocks of many pages at a time, so it can't rewrite a small piece of data in place even though that's what appears to be happening. Instead, the controller writes the new version of the data to a fresh, already-erased page somewhere else on the chip, points the logical address at that new page and marks the old page as stale. The stale page is simply added to the list of space that can be reclaimed later.

Unfortunately, that old page hasn't actually been erased. The sensitive data is still there, just not accessible through the "flash translation layer," the circuitry that makes flash memory look like a disk drive. It stays on the chip until the controller eventually erases the whole block it sits in, and an ordinary program has no way to reach that data, let alone erase it.
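The out-of-place write behavior described above, and the encrypt-before-writing advice given earlier, can be seen in a small simulation. This is an added example written for this page, not code from the UCSD researchers, and it models a drastically simplified flash device (16-byte pages, 4-page blocks, a toy HMAC keystream standing in for a real cipher); the class and function names, and the sample card-like string, are constructed for illustration:

```python
"""Toy flash translation layer (FTL): why overwriting a file leaves its old
pages on the chips, and why encrypt-then-destroy-the-key does not.
Added illustration, not SSD firmware; all names and data are constructed."""
import hashlib
import hmac
import os

PAGE_SIZE = 16               # bytes per page (real NAND: 4-16 KiB)
PAGES_PER_BLOCK = 4          # pages per erase block (real NAND: 64-256)
BLOCKS = 4
ERASED = b"\xff" * PAGE_SIZE  # NAND reads back all-ones after an erase


class ToyFTL:
    """Logical page -> physical page map; every write goes to a fresh page."""

    def __init__(self):
        self.chips = [bytearray(ERASED) for _ in range(BLOCKS * PAGES_PER_BLOCK)]
        self.l2p = {}                        # logical page number -> physical
        self.free = list(range(len(self.chips)))
        self.stale = set()                   # physical pages holding old data

    def write(self, lpn, data):
        data = data.ljust(PAGE_SIZE, b"\x00")
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])    # old page is retired, NOT erased
        if not self.free:
            self._garbage_collect()
        ppn = self.free.pop(0)
        self.chips[ppn] = bytearray(data)
        self.l2p[lpn] = ppn

    def read(self, lpn):
        """The host's view: only the current mapping is reachable."""
        return bytes(self.chips[self.l2p[lpn]])

    def raw_dump(self):
        """A thief's view: the chips read directly, bypassing the FTL."""
        return b"".join(bytes(p) for p in self.chips)

    def _erase_block(self, blk):
        for ppn in range(blk * PAGES_PER_BLOCK, (blk + 1) * PAGES_PER_BLOCK):
            self.chips[ppn] = bytearray(ERASED)
            self.stale.discard(ppn)
            if ppn not in self.free:
                self.free.append(ppn)

    def _garbage_collect(self):
        """Erase only blocks with no live page; stale data elsewhere survives."""
        live = set(self.l2p.values())
        for blk in range(BLOCKS):
            pages = range(blk * PAGES_PER_BLOCK, (blk + 1) * PAGES_PER_BLOCK)
            if not live.intersection(pages):
                self._erase_block(blk)
        if not self.free:
            raise RuntimeError("no erasable block")

    def secure_erase(self):
        """Whole-device sanitize: erase every block, the only reliable path."""
        for blk in range(BLOCKS):
            self._erase_block(blk)
        self.l2p.clear()


def keystream(key, lpn):
    # toy per-page keystream; a real design uses a proper disk cipher
    # (e.g. AES-XTS) or per-file keys with nonces, never a reused keystream
    return hmac.new(key, lpn.to_bytes(8, "big"), hashlib.sha256).digest()[:PAGE_SIZE]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


SECRET = b"PAN=4111111111"   # constructed sample card-like string, 14 bytes


def demo_overwrite(passes=10):
    """Overwrite the 'file' repeatedly, the way disk-wiping tools do."""
    ftl = ToyFTL()
    ftl.write(0, SECRET)
    for _ in range(passes):
        ftl.write(0, b"\x00" * PAGE_SIZE)
    return {
        "host_sees_secret": SECRET in ftl.read(0),         # False: FTL hides it
        "copies_on_chips": ftl.raw_dump().count(SECRET),   # 1: still on the chip
    }


def demo_encrypt_then_wipe_key():
    """Store ciphertext only; destroying the key is the deletion."""
    ftl = ToyFTL()
    key = os.urandom(32)
    ftl.write(0, xor(SECRET.ljust(PAGE_SIZE, b"\x00"), keystream(key, 0)))
    readable = xor(ftl.read(0), keystream(key, 0)).rstrip(b"\x00") == SECRET
    del key                                  # the 'wipe': key gone, chips untouched
    return {
        "decrypts_with_key": readable,                     # True
        "copies_on_chips": ftl.raw_dump().count(SECRET),   # 0: only ciphertext
    }


def demo_secure_erase():
    ftl = ToyFTL()
    ftl.write(0, SECRET)
    ftl.write(0, b"\x00" * PAGE_SIZE)
    ftl.secure_erase()
    return ftl.raw_dump() == ERASED * (BLOCKS * PAGES_PER_BLOCK)


if __name__ == "__main__":
    print(demo_overwrite(), demo_encrypt_then_wipe_key(), demo_secure_erase())
```

Through the FTL, read(0) returns the zeros written last, so every overwrite pass appears to have worked; raw_dump(), which models reading the chips directly, still contains the original page. The encrypted variant leaves only ciphertext on the chips, so losing the key is what deletes the data, and secure_erase() models the whole-device erase that the researchers describe as the only reliable path.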

But it's relatively easy for a thief who steals a thumb drive to pry it open, connect the flash memory chips to an under-$1,000 homemade reader and resurrect most of the data—payment card numbers, personal customer information or whatever else is supposed to have been deleted.

If that seems unlikely, remember that thieves have hacked together some very sophisticated hardware to steal payment card data. The UCSD researchers said a copy of their own flash-chip reader "would require only a moderate amount of technical skill to construct."

Indeed, the researchers said the only way to be sure that data was deleted from a flash-memory device was if the manufacturer specifically designed a "secure delete" function into the drive, and even then that function would probably only work reliably if it was erasing all the flash memory in the drive; its behavior should be verified rather than assumed. And that's not likely to happen for all flash drives any time soon. For the cheapest ones, thumb drives, it may never happen.

What does that mean if you're going to use iPhones or iPads in your store? Don't store any sensitive data on the flash-memory "drive" in the mobile device, even temporarily. Apple's i-devices hold a running program's data in ordinary RAM, which can be overwritten in place and is lost at power-off, so it's probably safe to hold a payment card number in memory momentarily while a card is being swiped. But storing it on the device's flash? Not safe on its own. Unless that data was encrypted before it was written, with a key the wipe can actually destroy, even a remote wipe won't reliably clear the copies left behind on the chips.

Of course, in practice, the price of an iPhone or iPad actually provides a little bit of security (though only a little). Dismantling the device to sift through the flash-memory chips will almost certainly destroy its resale value. And there's no guarantee for a thief that there will be anything useful hidden in the mobile device's memory. It's a gamble, and maybe—maybe—a thief will go for the quick profit instead of the long-shot.

Still, making sure programmers don't use flash storage for any unencrypted sensitive data is probably a good practice in any retailer's IT shop.

But thumb drives? They have no resale value. They're cheap, easy to disassemble, have no remote-wipe function and are routinely used for carrying unencrypted data. That makes them unsafe for any type of sensitive information—and the perfect target for thieves.

No one in your business should be using thumb drives. And good luck getting rid of them.