I'm writing after reading the paper "Security Analysis of Factory Resets" (fr_most15.pdf by Simon & Anderson), in which Android factory reset through 4.3.x has been revealed to basically be a joke. In light of this fact, I'm looking to come up with the simplest, secure process to follow for resetting a phone before selling it. My current phone is on 4.2.2, but I think the process should ideally be generic and applicable to as many OS's as possible.
ASSUMPTIONS
Based on the researchers' findings, let us assume the following:
1) Let us limit our concern to the data and internal SD card partitions, and we assume the latter is stored as an emulated SD card physically stored on the data partition.
2) We assume the flash memory is overprovisioned and therefore cannot be overwritten on a single pass.
3) Let us only consider 4.0.x and later devices that contain the full disk encryption (FDE) feature.
4) We require a procedure that can be employed on a phone that has not been used "securely" from the moment of purchase (such as employing FDE).
5) Let us assume our potential attackers are equipped/motivated to the point of using widely available software tools to scan for data that is logically deleted but not physically overwritten. At a minimum, we require "logical sanitisation" (storage cannot be recovered via standard hardware interfaces). "Digital sanitisation" (storage cannot be recovered via any digital means, including the bypass or compromise of the device’s controller or firmware, or via undocumented drive commands) would be preferable, if it can be achieved. We do not require "analog sanitisation" (reconstruction is impossible even with the most advanced sensing equipment and expertise).
PROPOSED SOLUTIONS
The researchers' proposed the following:
1) "Overwriting the entire partition bit-by-bit once did provide logical sanitisation for all devices and all partitions we studied; it is therefore a reliable alternative. The drawback of this method is that it requires privileged (i.e. root) access to devices in practice. This method does not provide thorough digital sanitisation, since the flash is overprovisioned – but an attacker cannot recover data using public APIs exposed by the Linux kernel."
First question, can anyone please provide a procedure to perform a bit-by-bit overwrite? I assume this would entail sending data via adb, but I would appreciate links to a specific how-to?
Second, since the flash is overprovisioned, would repeating this procedure 2-3 times ensure a reasonable likelihood that all data had been overwritten at least once and provide us with "likely" digital sanitisation in addition to logical sanitisation?
2) "Enabling Full Disk Encryption (FDE) on first use of the device would be more appropriate for ordinary users if devices support it. Enabling FDE only before performing a Factory Reset (as suggested by Google) may only provide logical sanitisation, not thorough digital sanitisation (plain-text data could still be present on the flash as it is over-provisioned). FDE was introduced in ICS (v4.0.x) so it cannot help the large number of affected GB (v2.3.x) devices. FDE for the internal SD card is not supported on all phones, and not all v4.x devices support FDE on the data partition despite AOSP’s support. As a rule of thumb, only devices with an emulated internal SD card inherit the “encryption support” from the data partition when supported. On supported Android versions, the encryption key is stored encrypted with a key derived from a salt and a user-provided PIN (or password). This encrypted blob is referred to as the “crypto footer” in the AOSP source code. An attacker who gains access to the crypto footer has enough information to brute-force the user’s PIN offline. The footer is stored in a dedicated partition or in the last 16KB of the data partition – the exact location is configured by vendors through the “encryptable=” option of the Android fstab file. In either case, we found that the footer was not erased after a flawed Factory Reset. Consequently, to logically sanitise a device with encryption, it is essential to select a strong password to thwart offline brute-force attacks. As most people just use a 4-6 digit PIN, it would usually be trivial to brute-force."
First thought, since we must assume the crypto footer can be recovered, then perhaps our process should include a step in which FDE is enabled using a long, complex, and random password in order to create a decoy crypto footer.
OPTIMAL SOLUTION???
Combining the above proposals to attempt to obtain a reasonable likelihood of digital sanitisation (but at least surely logical sanitisation), I am thinking of the following process:
1) Enable FDE encryption with a maximum-length, complex, random password (if it is not already enabled).
2) Perform a bit-by-bit overwrite of the data partition with 2-3 passes.
- What tools exist to perform this and ensure that the data and internal SD card partitions are included in the wipe?
- Following this process, what state is the phone in? Can it still be booted to Recovery mode to perform a factory reset?
3) Perform a factory reset from the Settings screens, including the "External Storage" option.
4) Enable FDE encryption with a maximum-length, complex, random password to create a decoy crypto footer.
5) Perform a factory reset from the Settings screens, including the "External Storage" option.
FEEDBACK
While the above process seems thorough, perhaps it is needlessly redundant? At a minimum, I would like to achieve 2-3 passes of bit-by-bit overwrite and the installation of a decoy crypto footer to resist decryption of any encrypted blocks that might be recoverable.
ASSUMPTIONS
Based on the researchers' findings, let us assume the following:
1) Let us limit our concern to the data and internal SD card partitions, and we assume the latter is stored as an emulated SD card physically stored on the data partition.
2) We assume the flash memory is overprovisioned and therefore cannot be overwritten on a single pass.
3) Let us only consider 4.0.x and later devices that contain the full disk encryption (FDE) feature.
4) We require a procedure that can be employed on a phone that has not been used "securely" from the moment of purchase (such as employing FDE).
5) Let us assume our potential attackers are equipped/motivated to the point of using widely available software tools to scan for data that is logically deleted but not physically overwritten. At a minimum, we require "logical sanitisation" (storage cannot be recovered via standard hardware interfaces). "Digital sanitisation" (storage cannot be recovered via any digital means, including the bypass or compromise of the device’s controller or firmware, or via undocumented drive commands) would be preferable, if it can be achieved. We do not require "analog sanitisation" (reconstruction is impossible even with the most advanced sensing equipment and expertise).
PROPOSED SOLUTIONS
The researchers' proposed the following:
1) "Overwriting the entire partition bit-by-bit once did provide logical sanitisation for all devices and all partitions we studied; it is therefore a reliable alternative. The drawback of this method is that it requires privileged (i.e. root) access to devices in practice. This method does not provide thorough digital sanitisation, since the flash is overprovisioned – but an attacker cannot recover data using public APIs exposed by the Linux kernel."
First question, can anyone please provide a procedure to perform a bit-by-bit overwrite? I assume this would entail sending data via adb, but I would appreciate links to a specific how-to?
Second, since the flash is overprovisioned, would repeating this procedure 2-3 times ensure a reasonable likelihood that all data had been overwritten at least once and provide us with "likely" digital sanitisation in addition to logical sanitisation?
2) "Enabling Full Disk Encryption (FDE) on first use of the device would be more appropriate for ordinary users if devices support it. Enabling FDE only before performing a Factory Reset (as suggested by Google) may only provide logical sanitisation, not thorough digital sanitisation (plain-text data could still be present on the flash as it is over-provisioned). FDE was introduced in ICS (v4.0.x) so it cannot help the large number of affected GB (v2.3.x) devices. FDE for the internal SD card is not supported on all phones, and not all v4.x devices support FDE on the data partition despite AOSP’s support. As a rule of thumb, only devices with an emulated internal SD card inherit the “encryption support” from the data partition when supported. On supported Android versions, the encryption key is stored encrypted with a key derived from a salt and a user-provided PIN (or password). This encrypted blob is referred to as the “crypto footer” in the AOSP source code. An attacker who gains access to the crypto footer has enough information to brute-force the user’s PIN offline. The footer is stored in a dedicated partition or in the last 16KB of the data partition – the exact location is configured by vendors through the “encryptable=” option of the Android fstab file. In either case, we found that the footer was not erased after a flawed Factory Reset. Consequently, to logically sanitise a device with encryption, it is essential to select a strong password to thwart offline brute-force attacks. As most people just use a 4-6 digit PIN, it would usually be trivial to brute-force."
First thought, since we must assume the crypto footer can be recovered, then perhaps our process should include a step in which FDE is enabled using a long, complex, and random password in order to create a decoy crypto footer.
OPTIMAL SOLUTION???
Combining the above proposals to attempt to obtain a reasonable likelihood of digital sanitisation (but at least surely logical sanitisation), I am thinking of the following process:
1) Enable FDE encryption with a maximum-length, complex, random password (if it is not already enabled).
2) Perform a bit-by-bit overwrite of the data partition with 2-3 passes.
- What tools exist to perform this and ensure that the data and internal SD card partitions are included in the wipe?
- Following this process, what state is the phone in? Can it still be booted to Recovery mode to perform a factory reset?
3) Perform a factory reset from the Settings screens, including the "External Storage" option.
4) Enable FDE encryption with a maximum-length, complex, random password to create a decoy crypto footer.
5) Perform a factory reset from the Settings screens, including the "External Storage" option.
FEEDBACK
While the above process seems thorough, perhaps it is needlessly redundant? At a minimum, I would like to achieve 2-3 passes of bit-by-bit overwrite and the installation of a decoy crypto footer to resist decryption of any encrypted blocks that might be recoverable.