Most used cell phones and PDAs contain personal information that their former owners neglected to adequately delete, according to security company Trust Digital.
Trust Digital examined a small sample of used phones and PDAs purchased from sellers on eBay and recovered data from nine out of 10 of the devices.
"The file system on your cell phone or PDA is just like the one on your PC's hard drive," says Norm Laudermilch, the CTO at Trust Digital who restored the data. "If you delete a file, you're not really overwriting the data. All it's doing is changing the index of the file system or the file's pointers."
That makes salvaging data from discarded devices a snap, Laudermilch says. "It's really very simple. There are free tools on the Internet, as well as commercial tools that can resurrect data. We wrote our own little tool, about 30 lines of code."
Among the data that Laudermilch restored were credit card account numbers, sensitive chat logs, business E-mails about contract negotiations, and computer passwords.
Because phone and PDA data is stored in flash memory, it's retained even if the device's battery is drained or removed. To delete flash memory data, users have to do a "hard reset," which returns the hardware to its factory-fresh condition. Each phone and PDA maker uses a different hard reset procedure; some, in fact, can only be carried out by a technician or after users contact the phone service's help desk.
Phones and PDAs aren't the only electronic gear that isn't properly wiped before being tossed or sold. Studies of the contents of used hard drives have found similar results: a wealth of data, some of it confidential or personal.
Trust Digital recommends that users secure cell phones and PDAs using passwords to lock out casual snooping in case the devices are lost.