
My boyfriend works a demanding day job at a major Canadian big box furniture and appliance retailing chain. Knowing that I write about information security for a living, he had an interesting story to tell me:

“An LG Smart TV was returned to us by the customer, and it had their credit card credentials in it! Why didn’t they do a factory reset first? They’re so careless!”

It occurred to us that probably thousands, perhaps millions, of consumer devices are returned to retailers around the world with consumers’ sensitive data still on them. Those devices can take a multitude of forms – PCs, tablets, smartphones, video game consoles, and now even Smart TVs.

Consumers have sensitive data tied to various online services, including but not limited to Netflix, Hulu, PlayStation Network, Xbox Live, Amazon, Crunchyroll, Google Play, iTunes, and the App Store. These accounts often have credit card data tied to them, as well! But even if they don’t, letting an online account fall into someone else’s hands can have disastrous consequences. It may even result in identity theft or compromising a user’s entire online life.

So, here are some tips on how to keep your sensitive data on specific types of consumer devices from ending up in the hands of a third party when selling, returning or giving away a device.

How to Factory Reset Devices That You’re Returning, Giving Away, or Reselling

PCs:

Whether your PC runs Windows, OS X, Linux, or any other operating system, the same principles apply.

  • The lion’s share of sensitive data will be on your PC’s hard drive. You can protect your data to some extent by completely reformatting your HDD. Doing so will get rid of the operating system you had installed and any files and applications you had in its filesystem. For optimal reformatting, I recommend using GParted. Burn the GParted disc image onto a blank DVD. Then boot your PC from the GParted disc. You can remove the partitions on your HDD and reformat the whole disc with ext4, NTFS, HFS, or a number of other filesystems that are frequently used by Windows, OS X, and Linux. It’s even possible to remove the MBR or GPT.
  • But a data recovery operation will likely be able to recover your sensitive data, even from a completely reformatted HDD. If you think someone might go to the trouble of data recovery to retrieve your data, it’s best to keep your HDD in your possession. Replace your HDD with a brand new factory formatted HDD for a future owner, if you must.
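
Why a reformat alone is not enough, shown as an added example that is not part of the original article: a small checker that scans a raw disk image for leftover card numbers. The disk image, the `quick_format` model (only the metadata area at the start of the disk is rewritten, a simplification) and all function names are assumptions made for this sketch; the card number is the standard 4111... test value.

```python
import re

SECTOR = 512
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # digit runs as long as a card number

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:                   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def residual_card_numbers(image):
    """Return (byte offset, number) for each Luhn-valid digit run in a raw image."""
    return [(m.start(), m.group().decode())
            for m in PAN_RE.finditer(bytes(image)) if luhn_ok(m.group())]

def build_image(sectors=4096):
    """Constructed 2 MiB 'disk': metadata at the start, app data further in."""
    img = bytearray(sectors * SECTOR)
    img[0:16] = b"PARTITION-TABLE!"
    record = b'{"card":"4111111111111111","exp":"01/30"}'  # constructed sample
    off = 3000 * SECTOR
    img[off:off + len(record)] = record
    return img

def quick_format(img, metadata_sectors=2048):
    """Assumed model of a reformat: only the first 1 MiB of metadata is rewritten."""
    img[:metadata_sectors * SECTOR] = bytes(metadata_sectors * SECTOR)
    return img

def full_overwrite(img):
    """Every sector is overwritten with zeros."""
    img[:] = bytes(len(img))
    return img

if __name__ == "__main__":
    disk = build_image()
    print("before reset  :", residual_card_numbers(disk))
    print("quick format  :", residual_card_numbers(quick_format(disk)))
    print("full overwrite:", residual_card_numbers(full_overwrite(disk)))
```

The record survives the modelled reformat at the same offset and disappears only after every sector is overwritten, which is the gap a data recovery tool relies on.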

Android Smartphones and Tablets:

  • To perform a factory reset within Android, go to your Android settings and then go to the Backup & Reset section. Then go down and select Factory data reset. This should return your phone or tablet to the state it was in before you bought it.
  • Be careful to not change your Google/Gmail password before you initiate a factory reset of your phone or tablet. To be safe, don’t do a factory reset unless your password is at least a couple of weeks old. Otherwise, you’ll find yourself (or your device’s new owner) completely locked out of using your device for three days. It’s a security feature that was introduced in Lollipop 5.1 to deter phone and tablet thieves.
  • A determined and technologically knowledgeable person may still be able to retrieve your sensitive data from your phone or tablet’s internal disc. So, it’s best to encrypt it as an added measure. This can also be done within Android. Go to Settings, then Security. Select Phone storage encryption. Be sure to come up with a password with over ten characters, upper and lower case letters, numbers, symbols, and no dictionary words! The new device owner will be able to flash its internal disc with a new Android install.
  • If you use an SD card, keep it for yourself. Buy a brand new blank SD card to put in the phone or tablet if doing so helps you sell or return the device.

iPhones and iPads:

  • The equivalent of a factory reset can be done within iOS for both iPhones and iPads. Go to Settings, General, then Reset. Then tap on Erase All Content and Settings. You may be asked for your passcode and Apple ID password.

PS3:

  • Use the master power switch at the back of the console to do a hard switch off. Wait a few seconds, then flick the switch back on. Hold the power button at the front until you hear three beeps. Once your PS3 has booted back up, go to System, then Format to format the HDD. That process could take a few hours.
  • As in a PC, a data recovery operation could still be performed on a PS3-reformatted HDD. For optimal security, keep your HDD and replace it with a fresh from the factory HDD. Many notebook form factor HDDs for PCs are compatible with the PS3.

PS4:

  • Before you sell or return your PS4, deactivate your PSN account from it. While at your PS4’s main menu screen, navigate up to your notifications by pressing “Up” on your controller. Then press “Right” and select Settings. Go to PlayStation Network/Account Management and select Activate as Your Primary PS4. On the following screen, Activate should be a selectable option and Deactivate should be greyed out. If not, select Deactivate.
  • Now you can clear your PS4’s HDD of your data. Back at the main menu, press “Up” to go to your notifications. Then press “Right” to go back to your Settings. Scroll down to select Initialization and then Initialize PS4. You’ll then be given two options for data removal, Quick and Full. Quick is faster, obviously. But even your PS4 warns you that third parties may still be able to easily recover data from your device if you choose that option. It’s better to select Full, but the process may take several hours.
  • Just like with the PS3 and other devices with HDDs, the absolute most secure option for keeping your disc’s sensitive data private is to keep your HDD in your personal possession. Just replace it with a brand new, factory-formatted HDD which has never been used.

Xbox 360:

  • To factory reset your Xbox 360’s HDD, first press the Guide button (the button that looks like the Xbox logo in the middle of your controller.) At the menu screen that appears, select Settings then System Settings. Then go to Console Settings > System Info. A unique console serial number will then be displayed. Write it down very carefully on a piece of paper.
  • Go back to System Settings and then Storage. Navigate to your Hard Drive, then press the yellow Y button. Device options should now be on your screen. Select Format. During the formatting process, you may be asked for the console serial number that you wrote down. You may also be asked for your Microsoft password.
  • After the formatting process, you will return to the home screen, logged out of Xbox Live. Go to Settings, System, Storage, find your user account, then delete it.
  • At the risk of sounding like a broken record, because data recovery can be done from reformatted partitions, the only way to be 100% sure that your data is safe is to keep your HDD and put a brand new HDD in the device that you’re selling, trading, or giving away.

Xbox One:

  • Factory resetting an Xbox One is a bit simpler than factory resetting an Xbox 360. First, when you’re at your Xbox One’s home screen, scroll left and select Settings. Go to All Settings, then System. Then go to Console info & updates and select Reset console.
  • You will be presented with multiple options. They are Reset and remove everything, Reset and keep my games & apps, and Cancel. Obviously, you don’t want to select Cancel. Reset and keep my games & apps can be useful if you want to keep your console, but you’re having technical problems that you need to troubleshoot. To clear your console’s HDD of your data before it goes to someone else, you’ll want to select Reset and remove everything.
  • Like with other devices, just replace the HDD if you want to keep your sensitive data completely secure.

Samsung Smart TVs:

  • Ensure that your TV is off.
  • Take your remote and press four buttons simultaneously: Info, Menu, Mute, and Power.
  • Then, press the following buttons in this order (not simultaneously): Mute, 1, 8, 2, and Power.
  • Your TV will reboot in Service Mode. Go to Options, then Factory Reset.
  • Now your TV will turn off. You may turn it back on to check that the factory reset was successful.
  • If your TV has any SD cards or any other removable media, keep them for yourself. Don’t give them away with your TV.

LG Smart TVs:

  • Finally, it’s time to learn how to reset the type of consumer device that my boyfriend found in his store with a previous customer’s sensitive data!
  • Press the Home button on your remote. Select the Settings icon in the top right corner. Then, go to General and Reset to Initial Settings.
  • There will be on-screen instructions for resetting your TV that are specific to its model. Follow those instructions carefully.
  • If your TV has any SD cards or any other removable media, keep them for yourself. Don’t give them away with your TV.

It takes a little bit of effort, but it’s well worth it if you are giving away, returning, or selling your device. Make sure that your sensitive data doesn’t fall into someone else’s hands.

Retailers should be more proactive about making sure that consumers don’t return products that still have their data in them. But ultimately, the responsibility for protecting your data is yours.

 

About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related.

By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.

Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.

She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • Prof John Walker

    Good article – Happens all so very often – I recall when I was at Experian. In the interest of Greenness, there was a plan to have users hand in their old mobiles into a collection box at lunchtime – no consideration or advice of cleansing, and not a thought given to if these devices could possibly contain business related information or contacts. Same case at a big well known Gas Supplier in the outskirts of London – same problem. When it was raised as a security observation, I was told ‘our security policy does not allow users to store company data on their cell phones’ – but they did.

    And there was the case of a high-profile UK Government Agency who leased their MFDs [Multi-Functional Devices (printers to most)] which were connected to a system which had mistakenly processed UK Secret Information – these devices were returned to the owner company with no cleansing whatsoever.