An organization may need to delete data from a device for a few different reasons. Different types of data wipes exist, and they are designed to be applied in different scenarios. For example:
- Fast Wipe (Remote Wipe): Ideal when data must be removed quickly, such as a lost/stolen device
- Full Wipe (Factory Restore): Completely clears a device and is more useful for device management.
Understanding the differences between different types of device wipes and their capabilities is essential for device management and data security. For example, knowing whether or not a factor restore can actually remove malware from a device is vital for effective incident response.
Why Would You Need Factory Reset vs. Remote Wipe
The two main types of device wipes are factory reset and remote wipe. Each of these is intended for specific use cases.
A factory reset is designed to restore a device to the state that it was in when it was first unboxed. This includes deleting all of the user’s files and data from the device and restoring its settings to the manufacturer’s defaults.
Factory reset is the ideal form of device wipe when preparing a device for a new owner. Some examples include:
- Reassigning existing devices to new employees
- Device loan programs for travel, remote work, etc.
- 1:1 programs granting students access to tablets or laptops
In all of these cases, the desired end result is a usable device that contains none of the previous owner’s data, making a factory reset the ideal solution. Additionally, the fact that a factory reset takes longer than other wipes — minutes instead of seconds — is not an issue in this scenario.
Factory resets can be beneficial in other scenarios. For example, a factory reset can remove viruses from a device in some cases, making the infected device safe and usable again.
In some scenarios, the time required to perform a factory reset may be too long. For example, if a device is lost or stolen, then an attacker that interrupts the factory reset process may be able to retrieve data from the stolen device. Alternatively, a rogue employee that refuses to return a company device may be able to retain access to corporate data, systems, and applications.
A remote or hard drive wipe may be the better option in these cases. A hard drive wipe deletes critical information — such as the Master Boot Record (MBR) on Windows devices — that allows the system to function. The MBR is a relatively small piece of data, so the wipe can complete rapidly, and deleting it renders the device unusable, making it unable to boot Windows.
Does Factory Reset Erase Everything?
Ideally, a factory reset would delete all data on a device and restore it to default settings. This protects the previous owner’s privacy and makes the device ready for a new owner.
In reality, a factory reset may not be able to delete everything. Due to the nature of modern hard drives, data stored on a device is retained until it is overwritten by other data, potentially multiple times.
A factory reset restores manufacturer-default settings and denies easy access to files stored on the device, but these files may still be accessible to a sophisticated attacker.
However, the retrievability of the previous owner’s data decreases over time. As the new owner stores data and takes actions on the device, previously stored data will be overwritten. Over time, if the hard drive is filled up, all previously stored data will be overwritten.
A remote wipe such as Prey’s Kill Switch, on the other hand, will remotely disable the drive. This does not include deleting any data other than some critical files that the device needs to function normally, such as the MBR on Windows. A sophisticated attacker could still retrieve the files stored on the device.
Does Factory Reset Remove Viruses?
A device can be infected with viruses or other malware in various ways. Malware may be delivered via a phishing email, infected files stored on a flash drive, malicious websites, or other means.
The footprint of malware on a device depends heavily on the malware variant and its intended purpose. Some malware may be installed as malicious files, others may only exist as running programs, and some may be present in lower layers of a device, such as the device’s firmware.
The location of the malware on the device determines how effective a factory reset will be in removing the malware. If the virus is only present as a malicious file or a running program, then a factory reset should remove the malware.
On the other hand, malware that is in the computer firmware or BIOS/UEFI or the hard drive firmware, then it may survive the factory reset. The reason for this is that factory resets focus on the software level, not the firmware level.
On the other hand, if you use Kill Switch, it means that you are looking to disable the drive and your only goal is to destroy the data no matter what. In this case, you don’t really care about the device being infected or not, you are just using this solution to get rid of data, and you do not expect to recover it.
The choice between using Factory Reset and Kill Switch depends on the goals of the device wipe. Factory Reset provides more comprehensive data deletion but is slower, making it a better choice for device management or malware removal. In contrast, Kill Switch is designed to quickly render a device unusable and is better suited to protecting a lost or stolen device.
Both Factory Reset and Kill Switch can provide some protection against the exposure of a previous owner’s sensitive data stored on a device to a thief or new owner. However, neither completely rewrite the data stored on the device nor provide a 100% guarantee that malware installed on the device will not survive the reset.