A study by Canadian computer scientists found that technicians at electronics repair shops often secretly peek into and sometimes copy customers’ private data.
While many PC and smartphone owners worry about how vulnerable their data is when they send a device in for repair, this study was designed to find out just how common snooping is among repair service providers large and small.
As noted by Ars Technica, researchers from the School of Computer Science, University of Guelph, Canada report their findings in a new paper suggesting that it’s quite common for repairers to snoop into customers’ private data.
The researchers also found that most electronics repair service providers have no privacy policies or protocols to protect customers from technicians spying on their device’s data, and that they ask for OS credentials by default even when these are not needed for repairs.
To do this, the researchers left six newly purchased Windows 10 laptops for repair, with the audio driver disabled to give the impression that there was a problem that needed fixing. Then, after the devices were repaired and returned, the researchers analyzed device logs to check for any privacy violations that may have occurred during the repair.
They brought the six laptops to 16 small, regional and national repair service providers between October and December 2021. Three devices were configured with a male persona and three with a female persona. They recruited three male and three female researchers to deliver the devices for repair.
The researchers found that technicians at six of the 16 providers snooped on customer data, while technicians at two providers copied data to remote devices.
Of the six locations where snooping took place, three removed evidence, while one snooped in a way that generated no evidence.
The researchers chose the audio issue because it is easy to repair and, unlike malware removal, does not require access to user files to fix. The researchers found that a technician at a national provider accessed the revealing photos of a female experimenter. At regional service providers, there were privacy violations against male and female experimenters in which documents, photos and revealing photos were viewed. A male researcher’s browser history was reviewed by a technician, and revealing photos were compressed and transferred to an external storage device.
For local service providers, they found that a technician accessed a male experimenter’s browser history, while a technician in this group accessed the female experimenter’s documents, photos, and revealing photos, and copied a file containing passwords and revealing photos to an external device.
In addition, technicians from three service providers cleared items in the Windows “Quick access” or “Recently accessed files” list. In another case, the technician zoomed in on thumbnails so that no trace of file access was left.
The electronics repair industry offers economic and environmental benefits, write Khan and fellow researchers in the paper. “However, there is a strong need to gauge current industry privacy practices, understand customer perspectives, and build effective controls that protect customer privacy.”