Device Reset Strategies

09.04.2023

Complete Device Reset

This is the complete device reset solution that I personally use for my own systems. While we find ourselves in slightly different scenarios, I can guarantee that I have just as much of a reason to want a clean slate. Depending on your system, this is not a cheap solution, and without some forethought it might be a little more work to pull off.

If you do not want to take that chance on some of these things, but still want some assurance that they are not currently an active attack surface, there are things we can do to investigate your exposure. This would, however, require unfettered access to your devices, which may or may not be desirable.

Below is a list of reset tasks which are to be followed in the order in which they are listed. Make sure that you never connect your new, secure device to a network that you have connected to previously.

Reset Tasks

  1. Set up a new email account on a trusted device, using a trusted third person's email as the recovery email.
  2. Create new Apple ID with new email from a trusted device. Make sure the password is secure: no less than 100 bits of entropy. You can use this to generate a strong password and it will help calculate the bits of entropy for you.
  3. Obtain a new, secure device (phone). Ensure that ALL compromised devices are turned off and do not join the same network as the new device. Do NOT swap the SIM card from the exposed device to the new one.
    • Alternatively, you can factory reset the compromised device, although this does carry a risk that the hardware has been compromised. Based on what I learned from our conversation, that risk does seem relatively low, however. Do NOT initialise from a backup.
  4. Obtain a new SIM card for the new device. If your SIM card is currently active and functional, it has not been swapped, which means you might be fine keeping your current number; you still need to get a new SIM card and cut up the old one. My strongest recommendation, however, is to get a new number.
  5. Replace all other potentially compromised devices. That includes:
    • Any device with a CPU, including IoT devices, that has been on the same network as the compromised device: i.e. tablets, smart watches, computers, smart speakers and TVs.
    • Routers and any network switches that have been used for the WLAN.
    Similarly to before, you can choose to just do a factory reset on these devices to keep costs low, but the same comments as before stand.

At this point any future activity should be sufficiently secured and we can start the recovery of your existing data. Depending on how many of the above steps you decide to skip or alter, you may or may not already have access to some of your data. Ensure that this is done on a public network, on the already compromised device.
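For the entropy requirement in step 2, here is an added example (not from this page or from any password tool it links to) of generating a password or diceware-style passphrase that meets the 100-bit bar and of computing the bits for a given length and symbol pool. The word list is a constructed stand-in; only its size matters for the entropy figure.

```python
import math
import secrets
import string

# Character pool assumed for generated passwords: 94 printable ASCII
# characters (letters, digits, punctuation; no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real diceware list (e.g. 7776 words); the
# entropy per word depends only on the list size, not on its contents.
CONSTRUCTED_WORDS = [f"word{i:04d}" for i in range(7776)]

def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `pool_size`
    symbols: length * log2(pool_size). Zero for degenerate inputs."""
    if length <= 0 or pool_size <= 1:
        return 0.0
    return length * math.log2(pool_size)

def min_length_for(bits: float, pool_size: int) -> int:
    """Smallest number of symbols whose entropy is at least `bits`."""
    return math.ceil(bits / math.log2(pool_size))

def generate_password(min_bits: float = 100.0, alphabet: str = ALPHABET) -> str:
    """Random password with at least `min_bits` of entropy, drawn with
    the OS CSPRNG (`secrets`), never the `random` module."""
    length = min_length_for(min_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(min_bits: float = 100.0, words=CONSTRUCTED_WORDS) -> str:
    """Diceware-style passphrase; each word adds log2(len(words)) bits."""
    count = min_length_for(min_bits, len(words))
    return " ".join(secrets.choice(words) for _ in range(count))

def password_entropy(password: str, alphabet: str = ALPHABET) -> float:
    """Bits credited to `password` only if it was generated uniformly from
    `alphabet`. A human-chosen password of the same length has far less
    in practice, so do not use this to grade hand-picked passwords."""
    return entropy_bits(len(password), len(alphabet))

if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw!r}: {password_entropy(pw):.1f} bits in {len(pw)} characters")
    pp = generate_passphrase()
    print(f"{pp!r}: {entropy_bits(len(pp.split()), len(CONSTRUCTED_WORDS)):.1f} bits")
```

With the 94-character pool, 16 characters are needed to clear 100 bits; with a 7776-word list, 8 words.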

Data Recovery

  1. Download archives of your iCloud data. Check this link to see how. This should be done on a public network and computer, preferably at an internet cafe, and the archives can be copied to a new external hard drive. If you are in a country that does not have internet cafes, see if there are public library computers or something similar. As a last resort, we can spin up a VM for you where we can download the data and add it to your new accounts.
  2. If you need your old emails, you can check out this guide to see how to download an archive of your Gmail. If you do this, just make sure that you do NOT open any emails from the "attacker" on your secure devices.
    • If you decided to keep your old email, you can follow this Google advice to "recover" your email account (although this is not a 100% guarantee).
  3. Transfer your social media and any other accounts to your new email and change their passwords.

Partial Device Reset

If you are exclusively using Apple devices, the likelihood that you have any rootkits installed on your device is very low; however, without a thorough physical investigation I would not be able to guarantee that this is the case. If you are willing to take that chance, here are the steps you could skip if they are too expensive or too time consuming. The list is ordered from least likely to most likely (based on the limited knowledge that I have of your situation) to be an active attack surface.

  1. Factory reset rather than acquiring new devices.
  2. Keep network switches and routers.
  3. Keep the same phone number.
  4. Anything below this point, I really would not recommend.
  5. Keep the same SIM card.
  6. Keep the same email.