Techno prognostication firm IDC says (I think they are right on this one) that worldwide sales of tablets will surpass desktop PCs and laptops by the end of 2014. This will result in a boomlet in the second-hand tablet market, and a recent article on Infosecurity says that, in response, firms will need to start data-wiping their old tablets just as thoroughly as old hard disks to protect their data.
The company is responsible for any company data held on the mobile device, no matter the flavor of BYOD practiced, so it is the company that must take responsibility for removing data from the device prior to disposal. The Infosecurity article says that ensuring that mobile device solid state memory is completely clean is technically difficult.
The article highlights BlackBelt, which has just enhanced its data wiping product to include Apple (AAPL) and Google (GOOG) Android tablets, and which explained the difficulty to the author. “Solid state memory uses a technique called wear leveling to maximize the life expectancy of the memory chips,” BlackBelt’s business development manager Ken Garner told Infosecurity. “It works by spreading the binary information (0s and 1s) randomly across all of the memory cells in the chip. This means that unlike on spinning disk memory, the location of the data on the user interface bears no relation to where it is stored on the drive, making traditional forms of deletion ineffective.”
BlackBelt says end users can’t data wipe their phones: “it isn’t possible for an individual to perform a full removal of personal data from any smart phone or tablet using a device’s in-built factory reset or by re-flashing the operating system.” The vendor explains to Help Desk Security that wear leveling will “over-rule instructions to permanently overwrite old data.”
Because of wear leveling, neither remote wipes nor factory resets are guaranteed to remove all of the data from solid-state memory. The blog points out that a low-cost product called Wondershare can recover data from solid-state memory. Mr. Garner claims the software “recovers just about everything after either a factory reset or a local (phone operating system) delete.”
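A simplified model of the wear-leveling behaviour Garner describes, as an added example that is not from the original article or from BlackBelt. The `ToyFlash` class, its page count and the sample record are constructed assumptions, and real controllers are more complex; the model shows a three-pass overwrite of one logical block leaving the original data in an unmapped physical page until the controller erases it.

```python
import os

class ToyFlash:
    """Toy flash translation layer: a constructed model, not a real controller."""
    def __init__(self, physical_pages=8):
        self.pages = [None] * physical_pages       # raw contents per physical page
        self.erase_counts = [0] * physical_pages   # wear per physical page
        self.stale = set()                         # unmapped pages still holding data
        self.l2p = {}                              # logical block -> physical page

    def _free_pages(self):
        return [i for i, d in enumerate(self.pages) if d is None]

    def _garbage_collect(self):
        # Only here is superseded data physically erased.
        for i in self.stale:
            self.pages[i] = None
            self.erase_counts[i] += 1
        self.stale.clear()

    def write(self, block, data):
        if not self._free_pages():
            self._garbage_collect()
        free = self._free_pages()
        if not free:
            raise RuntimeError("device full")
        new = min(free, key=lambda i: self.erase_counts[i])  # wear leveling
        if block in self.l2p:
            self.stale.add(self.l2p[block])        # old copy is unmapped, not erased
        self.pages[new] = data
        self.l2p[block] = new

    def read(self, block):
        return self.pages[self.l2p[block]]

    def raw_scan(self, needle):
        """What a raw read of every physical page would show."""
        return [i for i, d in enumerate(self.pages) if d and needle in d]

def three_pass_overwrite(flash, block, length):
    """Overwrite one logical block with 0s, then 1s, then random bytes."""
    for pattern in (b"\x00" * length, b"\xff" * length, os.urandom(length)):
        flash.write(block, pattern)

def demo():
    flash = ToyFlash()
    secret = b"payroll-2014: constructed sample record"
    flash.write(0, secret)
    three_pass_overwrite(flash, 0, len(secret))
    # The logical view is overwritten, yet the raw scan still finds the record.
    return flash.read(0) != secret, flash.raw_scan(b"payroll")
```

In this model the stale copy disappears only when the device runs out of free pages and garbage collection erases it, which a host-side overwrite of a single file cannot force.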
All of this demands that when a tablet is retired, it is incumbent on the company to ensure that all data held on the device is adequately deleted. One problem, says Garner, is that, “Many data wiping solutions, more often than not, have been ‘re-purposed’ from data wiping solutions aimed at traditional hard disk drives;” and that simply doesn’t work on solid state memory.
DataWipe uses a three-stage process: firstly writing 0s in every memory cell, secondly writing 1s in every cell, and thirdly writing random 0s and 1s across every memory cell. The result, he claims, is guaranteed data erasure that can also provide audit, compliance and reporting data in an industry standard XML format that is easily exchanged with all of the major DLP, SIEM, policy management and mobile device management solutions, solving both the technical difficulties around tablet recycling.
Wiping data from a PC or a first generation Apple iPad that is being retired is important because of the enormous amount of data they can store. This makes the proper destruction of that data on the device essential before it leaves the organization. Unfortunately, IT asset disposition firm Retire-IT sees that many firms simply swap the devices with new ones or merely format the drives without securely wiping the data. The Columbus, OH-based firm says this leaves organizations vulnerable. Kyle Marks, CEO of Retire-IT, told Help Net Security that:
“99% of problems happen before a disposal vendor touches equipment. No vendor can destroy data if they don't receive an asset, which is why we strongly encourage clients to destroy data before any move. Better safe than sorry. Of course, disposal vendors should destroy data (again) regardless.”
Retire-IT looked at tracking data from 1072 corporate disposal projects encompassing 233 different companies and reported some shocking figures:
- 4 out of 5 projects (81.5%) had at least one missing asset.
- 1 out of 8 (11.6%) had a negative variance. The devil is in the details, but nobody looks very closely.
- Only 79% of the serial numbers were matched with subjective matching.
- Without subjective matching, only 58% of serial numbers were matched.
Help Net Security offers some suggestions to help sanitize IT equipment:
- Starting with Windows Vista (and Windows 2008 Server), the Microsoft OS overwrites the contents of each sector when you do a Slow Format on your media. They recommend Microsoft’s SDelete for wiping files on Windows.
- For Apple OS X there’s the Disk Utility.
- On Linux use the “wipe”, “srm” or “shred” commands to securely sanitize files on most distributions.
- Printers and copiers: consult the manual to find out how to clear the memory, or use third-party software to wipe the hard drive, which I covered here.