Recycling is generally a good thing. But it may not be such a good thing when it comes to digital devices -- smartphones, tablets and laptops.
There are security risks -- both to individuals and enterprises -- to buying and selling used devices, even when they have been reset or "wiped," to clear the memory, eliminate apps and return them to original factory settings.
Security experts say buyers should be aware that even doing all the recommended "refurbishing" measures may not eliminate Trojans or malware, which can remain on a device at the root level. And sellers should be aware that their personal or corporate information may remain on devices that they put up for sale on eBay or Craigslist.
Those risks are worth considering at any time of the year, but especially after big product releases, like Apple's recent Special Event 2015, when the company announced the long-anticipated iWatch, a new MacBook and various improvements to other products.
That is when those who must have the latest and greatest tend to flood the second-hand market with their former "must haves" and those who are happy with year-old technology come looking for good deals.
Without some major scrutiny, it could be a bad deal for both. Mario deBoer, research vice president, Security and Risk Management Strategies at Gartner for Technical Professionals, notes that, "wiping data from flash memory is not trivial, and a factory reset does not mean a complete overwrite of all data."
DeBoer said being able to totally clean a device depends in part on who makes it. "Data on mobile devices with always-on encryption can be effectively and efficiently wiped by destroying the key at factory reset," he said. "This holds for Apple devices, but most Android device manufacturers do not enable encryption by default."
That, he said, means some data can be recovered by those with the right forensic tools.
Indeed, a post on the avast! Blog reported that, using digital forensics, investigators were able to recover sensitive personal information including, "pictures (even very private ones!), videos, contacts, SMS messages, Facebook chat logs, Google searches, GPS location coordinates, and more," from "supposedly erased" Android devices.
The same risks exist for corporate data that was, presumably, erased. David Lingenfelter, information security officer at MaaS360 by Fiberlink, said the risks have grown with the expanded use of mobile devices. "It's not just email any more," he said. "They're putting documents on them, to read later when they're offline. It could be something as sensitive as a board book document."
And Jack Walsh, Mobile Security & Special Projects manager at ICSA (International Computer Security Association) Labs, which tests security functions built into mobile devices, said that sometimes those functions may not work.