The past few years have been big for the Internet of Things (IoT), and the future of the connected device industry looks even brighter. Research firm IHS forecasts that the IoT market will grow to 30.7 billion active devices by 2020 and 75.4 billion by 2025. As we continue to witness this tangible shift toward IoT devices, previously futuristic ideas are coming to life all around us and changing the way we experience the world. And while these digital luxuries provide new levels of convenience, the security concerns of connected devices have been well documented. But, what happens when you decide to sell, re-gift, or otherwise dispose of these IoT products? How can you be sure you’re not leaving traces of personal data for the next owner to access.
In this article, I’m going to outline various tips for securely removing your personal information and data, and general security best practices for connected devices. So, let’s start with some of the more obvious scenarios and work our way through other IoT technology.
Computers, Tablets, and Phones
You’ve decided it’s time to call it a day on your laptop, tablet or smartphone, in favor of an upgrade. What now? First, be sure to backup all your data before firing up that Craigslist ad and making the switch. Cloud accounts make it easy to access your files across a range of devices, and online services for tablets and smartphones will often automatically sync personal data. You should already be saving contingency versions of your important files on a regular basis (for a variety of reasons), but be sure you have backup copies of anything you want to transfer over before getting rid of that old device.
Next, wipe all the data and potentially sensitive settings from your computer’s hard drive, or your tablet or smartphone. There are two things you should consider to securely wipe your devices. First, your files and contact lists aren’t the only things to worry about. Your device likely has many settings that connect to cloud services or might expose things about you to potential new owners. You need to be sure to reset all your device’s settings, too. Second, just “deleting” something from computer storage may not totally remove it. Without going into the specifics, when you delete files or format your hard drive, your computer (or mobile phone) just “forgets” how to find those files; it doesn’t necessarily overwrite them. There are several forensic and recovery tools that can find and restore that data if it hasn’t been overwritten. Securely wiping data may involve overwriting files at least a few times.
The process for securely wiping a device depends on the device itself. Luckily, many phones and tablets are easier to wipe, since some mobile operating systems (OSes) have features built in to handle it for you. For instance, the settings menu on iOS devices allows you to go to General => Reset => Erase All Content and Settings to get rid of all your sensitive data. This feature will either destroy the encryption keys your phone used to secure your data, making that data totally inaccessible, or older iOS versions overwrite that data a few times. It also removes the phone from your iCloud account and Find My Phone. In short, it’s a simple one-button method to security wipe iOS devices.
Android devices can be a bit harder to wipe since there are many variants of this OS, all of which may act differently. Most versions of Android should have a “Factory Data Reset” option. However, in the past researchers found that this was not a secure wipe. Since it didn’t overwrite data on the device, attackers with the right software could recover that data. If you want to really destroy the data on your Android device, it’s best you encrypt it first. Once you encrypt the device and then factory reset, new owners won’t have the keys necessary to read your data.
Finally, for good old-fashioned laptops and desktops, the key is to make sure you overwrite data on your hard drive with a special secure wipe tool. There are many tools out there, including free Windows options like Eraser, that help you make sure data you delete is gone forever. Also note, you may have to follow a different process to securely wipe SSD drives, but there are many instruction guides online.
Although wiping your personal computer, tablet or smartphone is a fairly obvious tip, it’s incredibly important that you take the time to do it properly. Failing to completely reset your old devices can leave your personal data at risk of being discovered by the next user.
The automotive industry is becoming more advanced and modern cars now come off the assembly line with Bluetooth hands-free calling, GPS navigation systems, even Wi-Fi. The convenience of having easy access to your phone book, locational data, and favorite apps while behind the wheel is almost too good to turn down. The problem is that as our cars become increasingly sophisticated, they store more of our personal data, just like a PC or smartphone would.
One step you might forget in all the excitement of selling your old car is removing all that personal information. In fact, I just purchased a used car and found several names and phone numbers archived from the previous owner’s contacts. When the time comes to sell your connected car, be sure to clear all login, contact, and personal data from the settings. If you forget this step, you could be gift wrapping access to your social media accounts, contact list, home address and more for the car’s new owner. Some dealers may be starting to take this into account themselves, but in my case, I did find the previous owners’ stored Bluetooth devices.
As an aside, leaving data behind in rental cars’ Bluetooth systems is another common mistake (as if the rental car process wasn’t enough of a hassle by itself). Whether you’re on a business trip or taking a vacation, if you sync your address book and other data to a rental vehicle, be sure to clear saved numbers, calls and other information before returning it.
By the way, we’ve been talking about this problem in the perspective of the seller avoiding leaving sensitive information for the buyer. However, this issue can also pose risk to buyers, so they can benefit from resetting smart cars. too. Recently, an IBM X-force researcher found that he could still access the car he sold in the car’s app. While the car’s local settings had been cleared, the manufacturer’s cloud had not been. This meant the old owner could still unlock doors, and gain access to the new owner’s car.
Let’s say you can’t wait to trade in that old Xbox 360 for an Xbox One. Through the years, gaming consoles have become one of the hardest types of devices to attack. This is largely due to increasingly hardened security through hardware and software updates designed to prevent piracy. But don’t be fooled. Although they might be some of the most secure IoT devices on the market, the fact that they’ve evolved to become your one-stop-shop for entertainment means gaming products now save valuable data to their hard drives and SD cards – just like personal computers.
So when it comes time to sell your old console, the main issues are deactivating your online accounts (PlayStation Network, Xbox Live, etc.), and deleting the data on the console. The account deactivation is a basic step, but one many forget. In one case, I bought a used PS3 that still had the previous owner’s PlayStation Network (PSN) account intact. If I hadn’t deactivated the account myself, I could’ve continued buying games with his credentials. You can easily find instructions for deactivating different consoles’ accounts online.
The console will also have menu options to reset them, or delete data. Again, like computers, sometimes a delete isn’t really a complete delete. However, modern consoles, like the new PlayStation offer both a quick and full delete. Be sure to use the full option for a secure wipe.
It’s understandable to be excited to play ‘Halo Wars’ on Xbox One, but make sure you don’t forget to securely wipe your old console before selling it. Mistakes like that can give the next owner access to your personal images, videos, credit card information and even browsing history. That could be game over.
Smart Home Devices
If you’re moving out of your home, consider what connected devices – and data – you might be leaving behind. Some home purchase agreements include caveats that allow the new homeowner to inherit IoT products installed by the previous owner. The procedure for removing your personal data from smart home products like the Nest Thermostat is relatively simple but can be easily forgotten through the moving process. Nest and other smart home products enable you to remove the device from your online account and reset the product, itself, to factory defaults. This should effectively cleanse the device of your information, leaving it ready and waiting for the new user to setup their own account.
Forgetting to wipe the connected home devices you leave behind can leave remnants of your personal information for the home’s new owner to find. Chances are, they’re not secretly a black hat with malicious intent – but unprotected data is still a chilling proposition nonetheless.
Nest products – and other IoT devices in general – have been scrutinized over privacy concerns. While they’re designed to analyze and learn your preferences, they also accumulate usage data and other information that gets sent back to a service provider. But, that’s a whole other ball of wax.
Smart Printers, Copiers, and Other Office Devices
Smart office devices are exposed to some pretty critical information. Whether it’s a smart copier or digital printer, we’ve heard concerns for years that these devices can save information they encounter. So, when you’re getting rid of that home office printer/copier, how can you be sure that you’re not tossing out years of information for someone else to recover? First, find out if your office device has built-in storage. If it doesn’t, then there’s a good chance none of your information has been saved to the machine. If your printer or copier does include a cache of local data, you can often remove the storage devices, and wipe it in the same way you wipe normal computer storage.
It’s worth noting that some businesses do elect to always remove storage devices from any computing device they sell or recycle. Besides securely erasing this data yourself, you can also give these storage devices to data destruction services, which may even go as far as physically destroying the storage device.
Some higher-end printers include email functionality that allows them to send files via email directly from the printer controls. In order to protect your email address and any others that might be stored on a smart printer, be sure to wipe this data before selling or disposing of it. Most printer manufacturers should have menu options to do so.
Smart watches and other wearables like fitness and health trackers have, and will continue to become more engrained in our everyday lives. As a matter of fact, research firm IDC predicts that by 2019, more than 89 million smart wearable units will ship worldwide. That’s a lot of FitBits, Pebbles, Microsoft Bands and Apple Watches!
A recent study by HP Fortify found that many smart watches contain significant vulnerabilities related to privacy, insecure firmware, authentication, and encryption. The study examined ten popular smart watches and found that 90 percent of the time data flowing to and from the watches was easily intercepted.
That said, the bulk of this information storage is somewhere else (in the cloud). While attackers might intercept it in transit, these small, typically resource-light devices don’t tend to store much data locally. If you’re planning to sell or give away any kind of connected wearable device, you do need to make sure it’s factory reset, so that it can no longer connect to its associated cloud account. You probably won’t have to go to much trouble to wipe any local data on these wearables (that said, this will differ from device to device).
General Security Tips for IoT Devices
By their very nature, IoT devices are quite diverse, and thus expose us to a variety of attack profiles. The devices I’m most concerned with today are those that have quickly embedded traditionally known operating systems into non-traditional computing devices without taking security into account. For example, think of a refrigerator, DVR or webcam that’s running a Linux operating system. Since attackers are already familiar with Linux, hacking these types of devices is easy for them. Worse yet, the manufacturers making these devices seem to be years behind in security hardening and development. Furthermore, since these devices are basically just computers, they often have storage full of sensitive information.
The issue of IoT device security has gained a great deal of attention due to the widespread effects of recent Mirai botnet attacks. My hope is that we’ll see more connected device manufacturers incorporate security into their products – from research and development to completion – in the near future.
As far as what you can do to protect your data on an IoT device you sell, I’ll leave you with three important strategies:
- Make sure your data is securely wiped from the device. If you’re using a type of IoT device that has a hard drive or local storage, it probably has some data that you need to delete before reselling. However, you need to remember that with computers, not all deletes wipe equally. Do a little research to see if your device’s “factory reset” is a secure wipe or not. If it isn’t, you might have to find alternate means to really kill your data.
- Don’t forget the device’s settings. When we think of protecting our data, we normally worry about erasing the sensitive files we might have on a device. However, we can’t forget that many of the settings in an IoT device link to our private data, too. These devices are connected to our cloud and social network accounts, they have a memory of all the access points we’ve connected to, they know your email address, and much more. Make sure you also erase all the device’s settings and deactivate the device from any cloud accounts it might be linked to.
- Don’t forget the settings in the cloud, too. Learn from what the X-force researcher discovered about his smart car. Even if you wipe all a device’s local settings, sometimes manufacturers might design features that allow cloud accounts to always have access to the device, unless the account itself gets deactivated and reset. If you can manage a device with a mobile app, be sure that you don’t still have access to the device after factory resetting it.