What really goes on when your device is in repair

Probably everyone has damaged their smartphone, tablet or laptop and needed it repaired at least once in their lives. The cause of the damage may be the user’s own sloppiness: replacing broken smartphone screens brought countless billions of dollars to the industry. But more often, it’s just a random malfunction like the battery failing, the hard drive dying, or a key coming off the keyboard. And this can happen at any time.

Unfortunately, modern devices are made in such a way that even the handiest of computer wizards are often unable to fix them on their own. The repairability of smartphones is steadily decreasing from year to year. To fix the latest models, it takes not only skill and a general understanding of how all sorts of digital gizmos work; you also now need specialist tools, expertise, and access to documentation plus unique spare parts.

Therefore, when a smartphone or laptop breaks, the user usually has little choice other than finding a service center. After all, simply throwing out your broken device, buying another and starting over normally isn’t an option because you’d probably like to recover all the data that was on it. So, it’s over to the service center you head. But there’s a problem: you have to pass your device into the hands of a stranger. Photos and videos, correspondence and call history, documents and financial information can all end up being directly accessible by somebody you don’t know. Can this person be trusted?

Homemade porn viewings at repair shops are a thing

I personally gave this some serious thought recently after what a friend of mine told me. He’d had an informal chat with some guys working at a small repair shop. They told him without any hesitation how they occasionally held viewings of homemade porn found on the devices they repair for employees and their friends!

Similar incidents pop up in the news from time to time. Employees stealing private photos of customers have been found in more than one service center. And sometimes even bigger stories emerge: in one case, service-center employees not only stole photos of female customers for years, but also put together entire collections of them and shared them.

But, surely such incidents are exceptions to common practice? Not every service center has staff eager to get their hands on customers’ personal data, right? Unfortunately, results of a study I recently came across show that breaches of customer privacy by maintenance technicians are a much more common problem than we would all like to think. In fact, it seems highly likely that excessive curiosity on the part of repair staff is a feature of this industry rather than isolated outrageous incidents. But let’s not get ahead of ourselves. I’ll take you through it all step by step.

How electronics repair services treat their customers’ data

A study was conducted by researchers at the University of Guelph in Canada. It consists of four parts, two of them devoted to the analysis of conversations with customers of repair services, and two were field studies in service shops themselves (which I will focus on here). In the first of the “field” parts, the researchers tried to find out how repair shops treat privacy in terms of their intentions. First and foremost, the researchers were interested in what privacy policies or procedures the service shops had in place to safeguard customers’ data.

To do this, the researchers visited nearly 20 service shops of various types (from small local repairers to regional and national service providers). The reason for each visit was to replace the battery in an ASUS UX330U laptop. The reason behind the choice of malfunction was simple: diagnosing the problem and solving it does not require access to the operating system, and all the necessary tools for this are in the laptop’s UEFI (the researchers use the old-fashioned term BIOS).

The researchers’ visits to the service centers involved several steps. First, they looked for any information readily available to the customer regarding the service center’s data privacy policy. Second, they checked to see if the employee taking the device would request the username and password to log in to the operating system and, if so, how they would justify the need to hand that information over (there’s no obvious reason for this because, as stated, battery replacement doesn’t require access to the operating system). Third, the researchers noted how the password for the device being handed over for repair was stored. Finally, fourth, they asked the employee accepting the equipment a direct and unambiguous question: “How do you make sure no one will access my personal data?” to find out what privacy policies and protocols were in place.

The results of this part of the study were disappointing.

• None of the service shops visited by the researchers informed the “customers” about any respective privacy policy before accepting the device.
• Except for a single regional center, all services asked for the login password – arguing that it’s simply required for either diagnostics or repair, or to check the quality of provided services (which, as mentioned above, isn’t the case).
• When asked if it was possible to perform battery replacement without a password, all three national providers replied “no”. At five smaller services they said that without a password they wouldn’t be able to check the quality of work carried out and therefore refused to take responsibility for the results of the repair. Another shop suggested removing the password altogether if the customer didn’t want to share it! And finally, the last shop visited said that if they’re not given the password the device could be reset to factory settings should the maintenance technician need to do so.
• As for storage of credentials, in almost all cases they were stored in an electronic database along with the customer’s name, phone number and e-mail address, but there was no explanation as to who could access this database.
• In about half of cases, the credentials were also physically attached to the laptop handed over for repair. It was either printed out and attached as a sticker (in the case of larger services), or simply handwritten on a sticky note – that’s classic! Thus, it would appear that any of the employees of the service shops (maybe even casual visitors too) could have access to the passwords.
• When asked how data privacy would be guaranteed, the employee who accepted the device and other repair staff gave assurances that only the technician repairing the device would have access to it. However, further inquiries showed that there was no mechanism that could guarantee this; only their word was to be had on this.

So what do maintenance technicians do with customers’ personal data?

Having found out that the service centers have no mechanisms to curb the curiosity of their specialists, in the next part of the study, the researchers began examining what actually happens to a device after it’s handed over for repair. To do this, they bought six new laptops and simulated a basic problem with the audio driver on them. They simply turned it off. Therefore, the “repair” needed just superficial diagnostics and quickly fixing the problem by turning it on. This particular malfunction was chosen since, unlike other services (such as removing viruses from the system), “fixing” the audio driver requires no access to user files whatsoever.

The researchers made up fictitious user identities on the laptops (male users in the first half of the experiment and female users in the second half). They created a browser history, email and gaming accounts, and added various files – including photos of the experimenters. Also added was the first “bait”: a file with the credentials to a cryptocurrency wallet. The second bait was a separate folder containing mildly explicit images. The researchers used real female-coded pictures from Reddit users for the experiment (after having obtained consent beforehand, of course).

Finally, and most importantly, before the laptops were handed over to the service, the researchers turned on the Windows Problem Steps Recorder utility, which records every action performed on the device. After that, the laptops were passed on “for repair” to 16 service centers. Again, to get a complete picture, the researchers visited both small local services and centers of major regional or national providers. The genders of the “customers” were evenly distributed: in eight cases devices were configured with a fictional female persona, and in the other eight – with a male one.

Here’s what the researchers found out:

• Despite its simplicity, the problem with the audio driver was solved in the “customer’s” presence after a short wait in just two cases. In all other experiments, the laptops had to be left until at least the next day. And the service centers of national service providers kept them in for “repair” for at least two days.
• For two local services, it wasn’t possible to collect the logs of the repair staff’s actions. In one case, a plausible reason for this couldn’t be found. In the other, the researchers were told that maintenance technicians had to run antivirus software on the device and cleanup its disk due to multiple viruses (the researchers were absolutely sure that at the time of drop-off, the laptop could not have been infected).

In the other cases, the researchers were able to explore the logs; here are their findings:

• Among the remaining logs, the researchers found six cases where the repairers gained access to personal files or browser history. In four cases, this was recorded on the “females'” laptops; the other two – on the “males'” ones.
• In half of the incidents, curious service center employees tried to hide traces of their actions by clearing the list of most recently opened Windows files.
• The repair staff were most interested in image folders. Their contents (including explicit photos) were viewed in five cases. Four of the laptops in these cases “belonged to” females, the other – to male.
• Browser history was the subject of interest for two laptops – both “belonging to” males.
• Financial data was viewed once – on a “male’s” device.
• In two cases, user files were copied by maintenance technicians to an external device. Both times, they were explicit photos, and in one case, the aforementioned financial data was added.

In about half of all cases, service-center employees gained access to user files. They were almost always interested in pictures – including explicit photos

How to protect yourself from nosy maintenance technicians

Of course, it should be borne in mind that this is a Canadian study. It wouldn’t be right to project its results onto all countries. Nevertheless, I somehow doubt that the situation generally around the world is much better. It’s likely that service centers in most countries, just as in Canada, have no cogent mechanisms in place to prevent their employees from violating customer privacy. And it’s also likely that such employees take advantage of the lack of restrictions set by their employers to pry into customers’ personal data – especially that of women.

So, before you take your device to the service center, it’s worth doing a little preparation:

• Be sure to make a complete backup of all data contained on the device to an external storage device or to the cloud (if possible, of course). It’s standard practice for service centers to make no guarantees as to the safety of customer data, so you may well lose valuable files in the course of a repair.
• Ideally, your device should be completely cleared of all data and reset to factory settings before taking it in for repair. For example, this is exactly what Apple recommends doing.
• If clearing and preparing the device for service isn’t possible (for example, your smartphone’s display is broken), then try to find a service that will do everything quickly and directly in front of you. Smaller centers are usually more flexible in this regard.
• As for laptops, it may be sufficient to hide all confidential information in a crypto container (for instance, using a security solution), or at least in a password-protected archive.
• Owners of Android smartphones should use the app locking feature in Kaspersky Premium for Android. It allows to lock all your apps using a separate pin code that’s in no way related to the one used to unlock your smartphone.