
THERE are certain things you do not want to share with strangers. In my case it was a stream of highly personal text messages from my husband, sent during the early days of our relationship. Etched on my phoneās SIM card ā but invisible on my current handset and thus forgotten ā here they now are, displayed in all their brazen glory on a strangerās computer screen.
Iāve just walked into a windowless room on an industrial estate in Tamworth, UK, where three cellphone analysts in blue shirts sit at their terminals, scrutinising the contents of my phone and smirking. āIf itās any consolation, we would have found them even if you had deleted them,ā says one.
Worse, it seems embarrassing text messages arenāt the only thing I have to worry about: āIs this a photo of your office?ā another asks (the answer is yes). āAnd did you enjoy your pizza on Monday night? And why did you divert from your normal route to work to visit this address in Camberwell, London, on Saturday?ā
Advertisement
Iām at , a company that handles cellphone forensic analysis for UK police forces, but also for private companies and individuals snooping on suspect employees or wayward spouses. Armed with four cellphones, which I have begged, borrowed and bought off friends and strangers, Iām curious to know just how much personal information can be gleaned from our used handsets and SIM cards.
A decade ago, our phonesā memories could just about handle text messages and a contacts book. These days, the latest smartphones incorporate GPS, Wi-Fi connectivity and motion sensors. They automatically download your emails and appointments from your office computer, and come with the ability to track other individuals in your immediate vicinity. And thereās a lot more to come. Among other things, you could be using the next generation of phones to keep tabs on your health, store cash and make small transactions ā something thatās already happening in east Asia (see āFuture phonesā).
Gone phishing
These changes could well be exploited in much the same way that email and the internet can be used to āphishā for personal information such as bank details. Indeed, some phone-related scams are already emerging, including one that uses . āMobile phones are becoming a bigger part of our lives,ā says Andy Jones, head of information security research at British Telecommunications. āWe trust and rely on them more. And as we rely on them more, the potential for fraud has got to increase.ā
So just how secure is the data we store on our phones? If we are starting to use them as combined diaries and wallets, what happens if we lose them or they are stolen? And what if we simply trade in our phones for recycling?
According to the , 80 per cent of us carry information on our handsets that could be used to commit fraud ā and about 16 per cent of us keep our bank details on our phones. I thought my Nokia N96 would hold few surprises, though, since I had only been using it for a few weeks when I submitted it to DiskLabs. Yet their analysts proved me wrong.
Aside from the text messages stored on my SIM card, the most detailed personal information that could be gleaned from my handset came from an application called . It allows users to measure their athletic performance over time and I had been using it to measure how fast I could cycle to work across London. It records distance travelled, fastest speed at different points along the route, changes in altitude, and roughly how many calories I burn off. But when DiskLabs uploaded this data to their computer and ran it through Google Maps and Street View, they were able to pull up images of the front of my office and my home ā with the house number clearly displayed. Sports Tracker also recorded what time I normally leave the house in the morning and when I return from work. āIf I wanted more information, then I could just stalk you,ā says Neil Buck, a senior analyst at DiskLabs.
I had deliberately chosen to turn Sports Tracker on, and many people might not stop to consider how such programs could be used against them. In February, Google launched , networking software for smartphones that shares your location with friends. It can be turned off, but campaign group by Latitudeās complex settings and says it is possible the program could broadcast your location to others without your knowledge. āLatitude could be a gift to stalkers, prying employers, jealous partners and obsessive friends,ā the organisation warns.
āIt is possible your phone could broadcast your location to others without your knowledgeā
A phone-based calendar could also leave you vulnerable. Police in the UK have already identified burglaries that were committed after the thief stole a phone and then targeted the individualās home because their calendar said they were away on holiday, says Joe McGeehan, head of Toshibaās research lab in Europe and leader of DTAACās Design Out Crime project, which recently of trying to make cellphones less attractive to people like hackers and identity thieves. āItās largely opportunistic, but if youāve got all your personal information on there, like bank details, social security details and credit card information, then youāre really asking for someone to ābecomeā you, or rob you, or invade your corporate life,ā McGeehan says.
Code cracker
When Buck looked at my colleagueās iPhone, he found two 4-digit numbers stored in his address book under the names āMā and āVā. A search through his text messages revealed a few from Virgin informing him that a new credit card, ending in a specific number, had just been mailed to him. Buck guessed that āMā and āVā were PIN codes for the Virgin credit card and a Mastercard ā and he proved to be correct on both counts.
āOut of context, an individual piece of information such as an SMS is almost meaningless,ā says Jones. āBut when you have a large volume of information ā a personās diary for the year, his emails, the plans heās building ā and you start to put them together, you can make some interesting discoveries.ā
In this way the DiskLabs team also identified my colleagueās wifeās name, her passport number and its expiry date, and that she banks with Barclays. Ironically, Barclays had contacted her regarding fraud on her card and she had texted this to her husband. Buckās team also discovered my colleagueās email address, his Facebook contacts, and their email addresses.
This kind of personal data is valuable and can fetch a high price online. Itās ideal for so-called 419 scams, for instance, in which you receive an email asking for help in exporting cash from a foreign country via your bank account, in exchange for a share of the profits. āWhat they need to launch a successful 419 scam is personal information,ā says Jones.
A growing awareness of identity theft means that many people now destroy or wipe computer hard drives before throwing them away, but the same thing isnāt yet happening with cellphones, says Jones. At the same time, we are recycling ever greater numbers of handsets. According to market analysts ABI Research, by 2012 will be recycled for reuse each year.
As part of a study to find better ways to protect cellphone data, Jones recently acquired 135 cellphones and 26 BlackBerry devices from volunteers, cellphone recycling companies and online auctioneers eBay. Around half of the devices couldnāt be accessed because they were faulty. In our own smartphone experiment, we were unable to retrieve any data from a BlackBerry, or the Samsung E590.
However, Jonesās team found 10 phones that contained enough personal data to identify previous users, and 12 had enough information for their ownerās employer to be identified ā even though just three of the phones contained SIM cards.
Of the 26 BlackBerrys, four contained information from which the owner could be identified and seven contained enough to identify the ownerās employer. āThe big surprise was the amount we got off the BlackBerry devices, which we had expected to be much more secure,ā says Jones. While BlackBerry users have the option of encrypting their data or sending a message to purge data from their phones should it be sold or stolen, many had not done this. āSecurity is only any good if you turn the damned thing on,ā says Jones.
āSecurity is only any good if you turn the damned thing onā
His team managed to trace one BlackBerry back to a senior sales director of a Japanese corporation. They recovered his call history, 249 address book entries, his diary, 90 email addresses and 291 emails. This enabled them to determine the structure of his organisation and responsibilities of individuals working within it; the organisationās business plans for the next period; its main customers and the state of its relationships with them; travel and accommodation arrangements of the individual; his family details ā including children, their occupations and movements, marital status, addresses, domestic arrangements, appointments and addresses for medical and dental care; his bank account numbers and sort codes, and his car registration index. Two further BlackBerrys ācontained details of a personal nature about the owner and other individuals that would have caused embarrassment or distress if it had become publicly knownā, says Jones.
Although his team used specialist forensic software to retrieve data from the phones, much of it could be obtained directly from the handsets themselves, or by using simple software of the kind that is sold with a phone. āThis was not designed to be a sophisticated attack, it used simple techniques that anyone would have access to,ā Jones says.
Thatās bad news, considering that around 20 millions handsets were lost or stolen worldwide in 2008, according to UK data-security specialists Recipero. So how can people go about making their phones more secure? Turning on the security settings is an important first step, says McGeehan, as this may dissuade potential thieves from going to the effort of trying to crack the codes. Then make sure you delete anything you want to keep secret, while bearing in mind that it is often possible to recover it (see āPhone security Q & Aā). āI work on the basis that anything I put on there Iāve got to be prepared for people to see,ā says McGeehan.
As for me, Iāve taken to deleting potentially incriminating messages as soon as they arrive in my inbox ā and reproving the sender in return. I have also passed my old handset to my husband for safekeeping. If those brazen messages must fall into someone elseās hands, Iād rather they were the hands of the Don Juan who composed them than a smirking IT geek in a distant windowless room.

Future phones
By next year about 1 in 3 new smartphones will have accelerometers. Pressure sensors and gyroscopes will follow, and soon your handset may keep tabs on your health and pay your bills too.
For example, Nokia is experimenting with adding biosensors capable of monitoring heart and breathing rates, as well as glucose and oxygen levels in the blood. āYour phone could act as a wellness diary, and start to integrate data with the primary health records kept by your doctor,ā says Marc Bailey, a researcher at the Nokia Research Centre in Cambridge, UK.
Meanwhile mobile commerce, or M-commerce, in which phones are used to transfer money or pay for shopping, is already expanding rapidly. Cellphone users in Japan can buy train or airline tickets with their handset, while people in Afghanistan, the Philippines and east Africa can use their handsets to transfer money to each other. āM-commerce is coming, and the expectation is that it will become prevalent in the UK and other European countries within four years,ā says Joe McGeehan, head of Toshibaās research lab in Europe.
Though these developments should bring many benefits, security is expected to become a problem. āAs soon as you put money on anything, criminals become more interested in it,ā says McGeehan.
To counter this, manufacturers are developing more secure ways of encrypting data on handsets. According to Nokia, users will be able to alter security settings depending on how much data they want available at any one time. Phones with built-in fingerprint scanners are already on the market, and Sharp has experimented with on handsets, though hackers have recently shown that face recognition is easily defeated with .
Meanwhile, Apple is thought to be considering adding biometric security measures, such as a fingerprint scanner, to . However effective these security features are, though, they will only work when turned on.
Phone security Q & A
If I delete a message or photo on my phone will it disappear completely?
Data often remains on a phoneās memory chip until it is overwritten. Phones also create extra copies that are spread around its memory. It is possible to overwrite files by copying new data onto the phone. Commercial software will āzero fillā a memory or SIM card to overwrite it.
Where do recycled handsets end up?
According to Andy Jones, a security specialist at British Telecommunications, the main markets for recycled phones are Nigeria and China, āboth of which are regarded as areas posing a high threat to the security of informationā.
What if I smash up my SIM card?
Forensic analysts can often recreate SIM cards using the data thatās stored on the handset. How much information they can retrieve depends on the phone model. It is also possible to stick a damaged SIM card back together and then extract its data.
Can my movements be tracked, even if I donāt have GPS on my phone?
A technique called can be used to track someone to within 10 to 15 metres, using cellphone masts to triangulate their position. GPS can give more detailed information, such as your altitude or the speed you are travelling at.
Can my handset be used to spy on me?
If someone can get direct access to your handset, they can install software that lets them listen to conversations and monitor text messages without your knowledge. Without direct access, they can still monitor your phone usage remotely, but not eavesdrop on your conversations. It is also possible to send text messages that look like they come from someone else ā a technique called SMS spoofing. This makes it possible to upload messages to someone elseās Twitter account, or send your boss rude messages using a colleagueās number.
How do I improve my phoneās security?
Switch on all security options such as handset PIN codes. Download software to wipe your phone before you throw it away or send it for recycling. Consider buying a handset with . Alternatively, add software that can or even remotely should it be stolen, allowing you to encrypt all data stored on it, disable it entirely or even make it emit a loud alarm.
Is it legal for my employer or partner to send my cellphone for analysis?
If it is a company phone, or was a present from your partner, beware. Chances are that they can claim legal ownership and so can do what they want with it.