Snooping technician

Repair firms might be rifling through your personal data

Sending your device in for a repair is something most of us have likely done at some point. Whether PC, mobile device, or something else altogether, there’s a good chance the digital wheels will fall off eventually.

Keeping the data on those devices secure while the item is being looked at has always been a cause for concern. Should you copy everything to a local device, or the cloud? What about sensitive files and folders? Do you throw up your hands and simply trust that the repair technicians won’t take a peek at what’s lying around on the broken item?

More to the point, does the organisation you’re trusting your data to have any sort of privacy policy, disclaimer, or advice for what you should do with your stored documents?

It’s a fascinating subject, with more than a few grey areas…especially in cases where law enforcement is involved. Full access granted to a repair technician back in 1997 was how disgraced singer Gary Glitter was arrested for possession of illegal content.

Should repair firms be allowed full access by default? Should your files be off-limits if they’re replacing a fan? Where is the line, and is anybody actually bothering to draw one in the first place?

Missing privacy policies and flimsy T&Cs

A recent study from researchers at the University of Guelph aims to shed light on this subject. According to The Register, 18 repair services in North America (which includes device manufacturers, mobile repair services, and all manner of business size be it national or regional) were surveyed.

The primary concern was if they have privacy policies, and what they do with the customer data. The researchers requested various types of repairs, and The Register notes that a battery replacement resulted in “all but one” of the firms asking for login details. There is no reason at all to request this information for a battery switch out on a laptop, and yet almost all of the firms did so.

When you handed over that faulty laptop to a repair service, did you encrypt the files on the device, or query why the firms were asking for logins in relation to a battery exchange? If not, you’ll have to just hope that they’re not going to do something dubious with your data.

Digging into the research

Some key points and highlights from the research:

  • Data privacy issues aren’t just for small “I’ve never heard of it” stores. A few years ago, someone found an Apple Store technician swiping a nude photograph after asking for the customer’s PIN twice. The person in question assumed the PIN request was part of the repair process.

  • No organisation provided a privacy policy upfront, and only three regional & three national stores provided T&Cs once a device was handed over. Additionally, the T&Cs only stated that the organisations are not liable for data loss, and the customer is responsible for backing data up.

  • No mention of data safeguarding on the part of the business, and no mention of how the customer can protect their data from snooping.

  • All but one business asked for login credentials regardless of what work was being carried out. The three major chains surveyed stated that logins were needed for “paperwork”. Others stated that logins were needed for diagnostics, or to verify that work had been done.

  • Various organisations asked about login storage stated that passwords are kept alongside name, contact number, and email address in a database with no word as to the security of that database, who has access, or how long the data is stored for. Two organisations even printed a label with this information, and then pasted it to the device and charger, accessible to all staff members.

  • When asked how technicians would ensure nobody would access data on the devices, none of the ten businesses asked had any plan or protocol in place to prevent this from happening and all responses boiled down to variations of “Trust me, we won’t do it”.

None of this is particularly great. What’s about to follow is quite a bit worse, especially given the “trust me” routine.

Taking the bait

The researchers created what you might call a physical honeypot device, designed in such a way to look like a real, genuine PC owned by an actual person not running a test. With permission from people who post anonymous body shots to Reddit, those images were placed in folders on the devices to look as though they belonged to the owner(s).

Sadly, multiple files and folders were accessed in ways that they shouldn’t have been. Folders containing images and revealing images were accessed by some organisations, browser history was accessed on another device, and in one case revealing images were zipped and transferred to an external storage device. Indeed, of the multiple potential violations available (accessing a data folder, images, revealing images, finance data, browser history, and data transfer), one local service provider ticked all of the violation boxes except accessing browser data.

So much for “trust me”.

What can you do to keep your privacy intact?

There is clearly no unified approach to this on behalf of repair services, and no real way to know what you’re getting your device into. Having said that, hardware manufacturers do seem to recognise this issue and have taken steps to address it. For example, Samsung’s Maintenance Mode aims to keep phone data secure while the device is off being repaired.

Having said that, here’s a few things you can do to try and ward off privacy invasions of your potentially broken devices:

  • If you’re worried about leaving data on a device in any form at all, no matter what security precautions you’ve put in place, you may just wish to transfer everything to an external drive and safely wipe the device. I have seen people do this and then experience a catastrophic fault with the external hard drive, losing everything in the process, so if your budget allows for a second backup, do that too. You could also consider making use of cloud services for non-sensitive files and folders. 

  • Leaving files or logins on a device? At the very least, you should consider signing out of apps, websites, or anything else requiring a login of some sort. Browser history seems like something snoops are interested in, so wipe that too. Backup or transfer your contact list somewhere else if required. Encrypt files using a solution you’re comfortable with. If you need to password protect files or folders, ensure you’re not reusing a password from somewhere else.

  • Ask if the repair shop has a privacy policy, and how it makes use of your data. Question if there’s anything in the T&Cs beyond the shop not taking responsibility for data loss. Query why they need a login to change a battery, and how they ensure data on a device is not accessed or tampered with by the technician. You may feel as though these questions are somewhat over the top, but if the slice of research above is anything to go by, it’s possibly long overdue.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.