Techno prognostication firm IDC says (I think they are right on this one) that worldwide sales of tablets will surpass desktop PCs and laptops by the end of 2014. This will result in a boomlet in the second-hand tablet market and a recent article on Infosecurity says that in response, firms will need to start data wipe their old tablets just as thoroughly as old hard disks to protect their data.
The company is responsible for any company data held on the mobile device; no matter the flavor of BYOD practiced so it is the company that must take responsibility for removing data from the device before disposal. The Infosecurity article says that ensuring that mobile device solid-state memory is completely clean is technically difficult.
Solid-state memory
The article highlights BlackBelt, which has just enhanced its data wiping product to include Apple (AAPL) and Google (GOOG) Android tablets explained the difficulty to the author. “Solid-state memory uses a technique called wear leveling to maximize the life expectancy of the memory chips.” BlackBelt’s business development manager Ken Garner told Infosecurity, “It works by spreading the binary information (0s and 1s) randomly across all the memory cells in the chip. This means that unlike on spinning disk memory, the location of the data on the user interface bears no relation to where it is stored on the drive, making traditional forms of deletion ineffective.”
BlackBelt says end-users can’t data wipe their phones, “it isn’t possible for an individual to perform a full removal of personal data from any smartphone or tablet using a device’s in-built factory reset or by re-flashing the operating system.” the vendor explains to Help Desk Security that wear leveling will, “over-rule instructions to permanently overwrite old data.”
Solid-state memory wear leveling
Because of ‘wear leveling, neither remote wipes nor factory resets are guaranteed to remove all the data from solid-state memory. The blog points out that a low-cost product called Wondershare, can recover data from solid-state memory. Mr. Garner claims the software, “recovers just about everything after either a factory reset or a local (phone operating system) delete.”
When a tablet is retired it is incumbent on the company to make sure that all data held on the device is adequately deleted. One problem, says Garner, is that “Many data wiping solutions, more often than not, have been “…re-purposed from data wiping solutions for traditional hard disk drives,” and that simply doesn’t work on solid-state memory.
Three-stage process to wipe SSM
DataWipe, uses a three-stage process: first writing 0s in every memory cell, secondly writing 1s in every cell, and thirdly writing random 0s and 1s across every memory cell. The result, he claims, is guaranteed data erasure that can also provide audit, compliance, and reporting data in an industry-standard XML format that is easily exchanged with all the major DLP, SIEM, policy management, and mobile device management solutions solving both the technical difficulties around tablet recycling.
Wiping data from a PC or a first-generation Apple iPad that is being retired is important because of the enormous amount of data they can store. This makes the proper destruction of that data on the device essential before it leaves the organization. Unfortunately, IT asset disposition firm Retire-IT sees that many firms simply swap the devices with new ones or merely format the drives without securely wiping the data. The Columbus, OH-based firm says this leaves organizations vulnerable. Kyle Marks, CEO of Retire-IT told Help Net Security that:
99% of problems happen before a disposal vendor touches equipment. No vendor can destroy data if they don’t receive an asset, which is why we strongly encourage clients to destroy data before any move. Better safe than sorry. Of course, disposal vendors should destroy data (again) regardless
Retire-IT looked at tracking data from 1,072 corporate disposal projects encompassing 233 different companies and reported some shocking figures:
- 4 out of 5 projects (81.5%) had at least one missing asset.
- 1 out of 8 (11.6%) had a negative variance. The devil is in the details, but nobody looks very closely.
- Only 79% of the serial numbers were matched with subjective matching.
- Without subjective matching, only 58% of serial numbers were matched.
Sanitize IT equipment
Help Net Security offers some suggestions to help sanitize IT equipment:
Computers – Derik Boot and Nuke Linux Live CD for full disk wiping. It supports many types of wiping, including the DoD 5220.22-M method with 3 passes.
Starting with Windows Vista (and Windows 2008 Server), the Microsoft OS overwrites the contents of each sector when you do a Slow Format on your media. They recommend Microsoft’s SDelete for wiping files on Windows.
For Apple OS X there’s the Disk Utility.
On Linux use the “wipe”, “srm” or “shred” commands to securely sanitize files on most distributions.
Printers and copiers – Consult the manual to find out how to clear the memory or use third-party software to wipe the hard drive. Which I covered here
Mobile devices – Wired recommends a hammer and don’t forget to remove the SIM card.
Related articles
- BYOD: Preventing Breaches Can Be A Challenge (healthsecuritysolutions.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.