It's hard being a security researcher. Several of them just had to view thousands of nude selfies pulled from second-hand phones and tablets for a campaign warning people who sell old devices.
The beleaguered infosec bods saw 750 photos of naked women and 250 images of manhood from a pool of 40,000 photos still stored on a mere 20 second-hand Android devices. A factory reset of the gadgets is not enough to securely remove files, the researchers have suggested: the sensitive data has to be overwritten.
Leaving personal information lingering in the flash memory could lead to more than mere embarrassment for victims, if buyers combined location coordinates from photographs' EXIF data and Facebook profile debris that allowed stalkers and perverts to zero-in on selfie stars.
Worse, the thousand Google searches and scattering of job applications also uncovered could facilitate targeted attacks and financial fraud.
"Put all of these pieces together to complete the puzzle and you have a clear picture of who the former smart phone owner was," Avast mobile president John McColgan said.
"Stalkers, enemies, and thieves can abuse personal data to stalk, blackmail and steal people’s identities. They can use this information to watch people’s every move, exploit their strange fetishes, open credit cards in their name, or even continue what they started by further selling their personal information online."
The amount of stored flesh hocked on eBay and co could boggle the mind; Avast said a whopping 80,000 devices were flogged online every day.
McColgan said data needed to be overwritten and deleted before devices were sold in order to prevent forensic recovery, and promoted its free Android anti-theft tool as a solution.
Avast wasn't the first to buy second hand devices to probe for personal data. In 2012 McAfee bought 30 devices on which it found banking details, social media and email logins and photos. A year earlier, Sophos snapped up a bag of lost USBs flogged at an auction run by Sydney's train transport service.
This author has previously found personal data on second-hand devices purchased online. One punter was so casual when selling an iPad they did not even turn off the device, let alone wipe photos and emails stored within. ®