Privacy is a tough enough question when using a device – but what about when we’re done with it? In a world of two year service agreements with device upgrades and things being attached to long-life property like cars and homes, your data could fall into the hands of the next owner way too easily.
“Oh, it’s OK, I wiped the phone with a factory reset.”
image courtesy droid-life.com
Well, that’s comforting. Until you read the recent story about what security software firm Avast found when they bought 20 phones on eBay and started sniffing around. (Let’s keep in mind, Avast is in the business of selling security software, so raising alarm is somewhat self-serving – but the facts remain in this scenario.) I’ll spare the gory details of what they discovered, but uncovering very personal information the previous owners thought was gone was relatively easy.
Deleting a file, whether on a hard drive or in a flash file system, usually doesn’t actually get rid of the data immediately. A typical delete operation goes into the file directory, removes the file name, and invalidates the pointer to where the file’s contents were stored, effectively marking that space as free for use by other data. If your storage system is relatively full, some application will likely come along and overwrite some or all of the deleted content soon.
Until that happens, the file is still out there for the taking, unless something else is done. There are secure wipe routines available, which typically go over free storage space and rewrite a sequence of something like all 1s followed by all 0s to positively erase latent data. If a user loads such an application, there is a downside: it can take a very long time, and the operating system is pretty much consumed while the app beats on the storage system. But, the data is now gone.
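To make the two paragraphs above concrete, here is an added illustration (not code from the original post or from any real device) of a constructed toy flash file system: a few erase blocks and a directory. An ordinary delete only drops the directory entry, a raw scan of the blocks still finds the "password", a shorter file that later reuses the block overwrites only part of it, and a secure wipe of free space (all 1s, then all 0s) is what finally removes it. The block size, file names and the sample secret are all made up for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
)

// Constructed model of a tiny flash file system: a handful of fixed-size
// erase blocks plus a directory mapping file names to block indices.
const (
	blockSize = 16
	numBlocks = 8
)

type Flash struct {
	blocks [numBlocks][blockSize]byte
	used   [numBlocks]bool
	dir    map[string]int // file name -> block index
}

// NewFlash returns a device whose blocks all read as erased (0xFF).
func NewFlash() *Flash {
	f := &Flash{dir: map[string]int{}}
	for i := range f.blocks {
		for j := range f.blocks[i] {
			f.blocks[i][j] = 0xFF
		}
	}
	return f
}

// Write places one file (at most one block) into the first free block.
// Only len(data) bytes are written, so whatever the block held before
// survives past the end of the new file.
func (f *Flash) Write(name string, data []byte) error {
	if len(data) > blockSize {
		return fmt.Errorf("file %q is larger than one block", name)
	}
	for i := range f.used {
		if !f.used[i] {
			copy(f.blocks[i][:], data)
			f.used[i] = true
			f.dir[name] = i
			return nil
		}
	}
	return fmt.Errorf("flash full")
}

// Delete is the ordinary delete the post describes: it removes the
// directory entry and marks the block free, but leaves its bytes alone.
func (f *Flash) Delete(name string) {
	if i, ok := f.dir[name]; ok {
		delete(f.dir, name)
		f.used[i] = false
	}
}

// Carve scans every block, free or not, the way a recovery tool reads
// raw storage, and reports whether pattern is still present anywhere.
func (f *Flash) Carve(pattern []byte) bool {
	for i := range f.blocks {
		if bytes.Contains(f.blocks[i][:], pattern) {
			return true
		}
	}
	return false
}

// SecureWipe overwrites every free block with all 1s and then all 0s,
// the pattern the post mentions, so latent data is positively erased.
func (f *Flash) SecureWipe() {
	for i := range f.blocks {
		if f.used[i] {
			continue
		}
		for _, fill := range []byte{0xFF, 0x00} {
			for j := range f.blocks[i] {
				f.blocks[i][j] = fill
			}
		}
	}
}

// Demo walks the scenario and returns whether the secret is still
// carvable right after delete, after a shorter file has reused the block,
// and after a secure wipe of free space.
func Demo() (afterDelete, afterReuse, afterWipe bool) {
	secret := []byte("wifi:hunter2pass") // constructed 16-byte sample
	f := NewFlash()
	_ = f.Write("wifi.cfg", secret)
	f.Delete("wifi.cfg")
	afterDelete = f.Carve([]byte("hunter2"))

	_ = f.Write("note.txt", []byte("hi")) // reuses block 0, overwrites 2 bytes
	afterReuse = f.Carve([]byte("hunter2"))

	f.Delete("note.txt")
	f.SecureWipe()
	afterWipe = f.Carve([]byte("hunter2"))
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("recoverable after delete: %v, after partial overwrite: %v, after secure wipe: %v\n", a, b, c)
}
```

The partial-overwrite step is the one worth noticing: a real device that is "mostly full" does not reliably scrub old content, because a new file only clobbers as many bytes as it is long. Real flash also complicates the picture (erase happens per block, and wear levelling can leave copies in blocks the file system no longer maps), which is why a wipe that walks only the logical free space can still miss data.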
Some devices or applications encrypt hard drives or flash storage – oh, say an Apple device running iOS 5 or later. The Apple version of factory reset on a later generation device supporting hardware encryption discards the encryption key, making it a lot harder to use any data found. Those phones Avast bought for their study? All Android, where security is a variable; an OEM could certainly take steps to secure a device better.
This raises a question for the Internet of Things: how secure is a device when it changes hands? If you decide to leave your Nest thermostat in your house when you move, are your personal settings and Wi-Fi secure passwords really gone – or just invalidated? How about that car you just traded in, especially if it uses an OEM in-dash system based on QNX Auto or Microsoft SYNC? No disparagement or rumor-mongering intended; these particular systems may or may not actually implement flash encryption or secure overwrite at the device – if someone has more details on how device reset is handled for these examples, I’d welcome a comment.
The point is, you don’t want to be designing an IoT device that leaves data to be easily found after the new owner takes possession. Nothing is absolutely secure, but it seems with hardware encryption relatively easy to implement in SoCs and MCUs these days, personal info should be encrypted, and the key reestablished as the first step when a new service account is set up.
If that new encryption key is stored in non-volatile memory with emulated multiple time programmability (eMTP), such as Sidense SiPROM, initiating an account with a new secure key becomes a customer service advantage – for both the new owner and the previous one. One advantage of storing encryption keys in Sidense 1T-OTP is they are virtually impossible to decipher by reading bit-cell states, meaning both old and new keys are more secure against reverse engineering efforts.
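The key-destruction design the last three paragraphs describe (data encrypted at rest, factory reset throws away the key, a new key is established when the next account is set up) is sketched below as an added example. It is not Apple's or Sidense's code and assumes nothing about either product: the hardware encryption is stood in for by AES-256-GCM from Go's standard library, and the protected key store is modelled as a plain byte slice that the reset routine zeroes and drops. The sample secret and the data layout on "flash" are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Device is a constructed model of an IoT device that keeps personal data
// on flash only as ciphertext, under a key held in a separate protected
// key slot (standing in for the OTP/eMTP key store the post describes).
type Device struct {
	keySlot []byte // nil when no key is provisioned
	flash   []byte // nonce || ciphertext || tag, exactly as left on storage
}

// Provision is the first step of setting up a new service account: a fresh
// random AES-256 key is written into the key slot.
func (d *Device) Provision() error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	d.keySlot = k
	return nil
}

func (d *Device) aead() (cipher.AEAD, error) {
	if d.keySlot == nil {
		return nil, errors.New("no key provisioned")
	}
	block, err := aes.NewCipher(d.keySlot)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts with AES-256-GCM before anything reaches flash.
func (d *Device) Store(plain []byte) error {
	g, err := d.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	d.flash = g.Seal(nonce, nonce, plain, nil)
	return nil
}

// Load decrypts what is on flash; GCM's tag check makes it fail if the
// key differs from the one Store used.
func (d *Device) Load() ([]byte, error) {
	g, err := d.aead()
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(d.flash) < n {
		return nil, errors.New("nothing stored")
	}
	return g.Open(nil, d.flash[:n], d.flash[n:], nil)
}

// FactoryReset is a crypto-erase: the key is zeroed and dropped while the
// ciphertext is left on flash untouched.
func (d *Device) FactoryReset() {
	for i := range d.keySlot {
		d.keySlot[i] = 0
	}
	d.keySlot = nil
}

// Demo returns whether the first owner's secret is visible on raw flash,
// whether it can be read back after reset and re-provisioning for a new
// owner, and whether the new owner's own data round-trips.
func Demo() (plainOnFlash, oldReadable, newRoundTrip bool, err error) {
	secret := []byte("wifi:hunter2pass") // constructed sample
	d := &Device{}
	if err = d.Provision(); err != nil {
		return
	}
	if err = d.Store(secret); err != nil {
		return
	}
	plainOnFlash = bytes.Contains(d.flash, []byte("hunter2"))

	d.FactoryReset()
	if err = d.Provision(); err != nil { // new owner, new key
		return
	}
	_, openErr := d.Load() // old ciphertext under the new key: tag check fails
	oldReadable = openErr == nil

	if err = d.Store([]byte("new owner settings")); err != nil {
		return
	}
	got, loadErr := d.Load()
	newRoundTrip = loadErr == nil && bytes.Equal(got, []byte("new owner settings"))
	return
}

func main() {
	p, o, n, err := Demo()
	fmt.Println("plaintext on flash:", p, "| old data readable by new owner:", o, "| new owner round-trip:", n, "| err:", err)
}
```

The reset takes no time at all compared with a full overwrite, which is the practical attraction. The caveat a reviewer should check for is that the scheme is only as good as the claim that the old key is really gone: any copy of it elsewhere (a debug log, a cloud backup, an unprotected RAM image), or any data written before encryption was switched on, is outside what crypto-erase protects. That is exactly why the post cares about where the key lives and how hard its bit cells are to read out.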
Again, nothing is absolutely safe. As the Apple versus Android experience in the Avast study shows, encryption provides a layer of protection that blocks the vast majority of simple access attempts. NVM IP adds value to the encryption strategy. We are not going to stop the selfie-on-Snapchat phenomenon, but we should be able to keep the next device owner from seeing it after the fact.