{"id":47715,"date":"2023-04-03T08:36:36","date_gmt":"2023-04-03T12:36:36","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=47715"},"modified":"2023-04-03T08:37:17","modified_gmt":"2023-04-03T12:37:17","slug":"repair-shops-privacy-issues","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/repair-shops-privacy-issues\/47715\/","title":{"rendered":"What really goes on when your device is in repair"},"content":{"rendered":"<p>Probably everyone has damaged their smartphone, tablet or laptop and needed it repaired at least once in their lives. The cause of the damage may be the user\u2019s own sloppiness: replacing broken smartphone screens brought countless billions of dollars to the industry. But more often, it\u2019s just a random malfunction like the battery failing, the hard drive dying, or a key coming off the keyboard. And this can happen at any time.<\/p>\n<p>Unfortunately, modern devices are made in such a way that even the handiest of computer wizards are often unable to fix them on their own. The repairability of smartphones is steadily decreasing from year to year. To fix the latest models, it takes not only skill and a general understanding of how all sorts of digital gizmos work; you also now need specialist tools, expertise, and access to documentation plus unique spare parts.<\/p>\n<p>Therefore, when a smartphone or laptop breaks, the user usually has little choice other than finding a service center. After all, simply throwing out your broken device, buying another and starting over normally isn\u2019t an option because you\u2019d probably like to recover all the data that was on it. So, it\u2019s over to the service center you head. But there\u2019s a problem: you have to pass your device into the hands of a stranger. Photos and videos, correspondence and call history, documents and financial information can all end up being directly accessible by somebody you don\u2019t know. 
Can this person be trusted?<\/p>\n<h2>Homemade porn viewings at repair shops are a thing<\/h2>\n<p>I personally gave this some serious thought recently after what a friend of mine told me. He\u2019d had an informal chat with some guys working at a small repair shop. They told him without any hesitation how they occasionally held viewings of homemade porn found on the devices they repair for employees and their friends!<\/p>\n<p>Similar incidents pop up in the news from time to time. Employees <a href=\"https:\/\/www.huffpost.com\/entry\/geek-squad-nude_n_3749201\" target=\"_blank\" rel=\"nofollow noopener\">stealing<\/a> private photos of customers have been found in <a href=\"https:\/\/www.ibtimes.co.uk\/woman-catches-apple-technician-stealing-her-nude-photos-during-phone-repair-1671893\" target=\"_blank\" rel=\"nofollow noopener\">more than one service center<\/a>. And sometimes even <a href=\"https:\/\/www.providencejournal.com\/story\/news\/2018\/12\/17\/police-find-13-who-say-their-images-were-used-in-nude-photo-sharing-case-at-video-store\/6620617007\/\" target=\"_blank\" rel=\"nofollow noopener\">bigger stories<\/a> emerge: in one case, service-center employees not only stole photos of female customers for years, but also put together entire collections of them and shared them.<\/p>\n<p>But, surely such incidents are exceptions to common practice? Not every service center has staff eager to get their hands on customers\u2019 personal data, right? Unfortunately, results of a <a href=\"https:\/\/arxiv.org\/pdf\/2211.05824.pdf\" target=\"_blank\" rel=\"nofollow noopener\">study<\/a> I recently came across show that breaches of customer privacy by maintenance technicians are a much more common problem than we would all like to think. In fact, it seems highly likely that excessive curiosity on the part of repair staff is a feature of this industry rather than isolated outrageous incidents. But let\u2019s not get ahead of ourselves. 
I\u2019ll take you through it all step by step.<\/p>\n<h2>How electronics repair services treat their customers\u2019 data<\/h2>\n<p>A study was conducted by researchers at the University of Guelph in Canada. It consists of four parts, two of them devoted to the analysis of conversations with customers of repair services, and two were field studies in service shops themselves (which I will focus on here). In the first of the \u201cfield\u201d parts, the researchers tried to find out how repair shops treat privacy in terms of their intentions. First and foremost, the researchers were interested in what privacy policies or procedures the service shops had in place to safeguard customers\u2019 data.<\/p>\n<p>To do this, the researchers visited nearly 20 service shops of various types (from small local repairers to regional and national service providers). The reason for each visit was to replace the battery in an ASUS UX330U laptop. The reason behind the choice of malfunction was simple: diagnosing the problem and solving it does not require access to the operating system, and all the necessary tools for this are in the laptop\u2019s <a href=\"https:\/\/en.wikipedia.org\/wiki\/UEFI\" target=\"_blank\" rel=\"nofollow noopener\">UEFI<\/a> (the researchers use the old-fashioned term BIOS).<\/p>\n<p>The researchers\u2019 visits to the service centers involved several steps. First, they looked for any information readily available to the customer regarding the service center\u2019s data privacy policy. Second, they checked to see if the employee taking the device would request the username and password to log in to the operating system and, if so, how they would justify the need to hand that information over (there\u2019s no obvious reason for this because, as stated, battery replacement doesn\u2019t require access to the operating system). Third, the researchers noted how the password for the device being handed over for repair was stored. 
Fourth and finally, they asked the employee accepting the equipment a direct and unambiguous question: \u201cHow do you make sure no one will access my personal data?\u201d to find out what privacy policies and protocols were in place.<\/p>\n<p>The results of this part of the study were disappointing.<\/p>\n<ul>\n<li>None of the service shops visited by the researchers informed the \u201ccustomers\u201d about any privacy policy before accepting the device.<\/li>\n<li>Except for a single regional center, all services asked for the login password \u2013 arguing that it\u2019s simply <em>required<\/em> for either diagnostics or repair, or to check the quality of provided services (which, as mentioned above, isn\u2019t the case).<\/li>\n<li>When asked if it was possible to perform battery replacement without a password, all three national providers replied \u201cno\u201d. At five smaller services they said that without a password they wouldn\u2019t be able to check the quality of work carried out and therefore refused to take responsibility for the results of the repair. Another shop suggested removing the password altogether if the customer didn\u2019t want to share it! And finally, the last shop visited said that if they\u2019re not given the password the device could be reset to factory settings should the maintenance technician need to do so.<\/li>\n<li>As for storage of credentials, in almost all cases they were stored in an electronic database along with the customer\u2019s name, phone number and e-mail address, but there was no explanation as to who could access this database.<\/li>\n<li>In about half of cases, the credentials were also physically attached to the laptop handed over for repair. They were either printed out and attached as a sticker (in the case of larger services), or simply handwritten on a sticky note \u2013 that\u2019s classic! 
Thus, it would appear that any of the employees of the service shops (maybe even casual visitors too) could have access to the passwords.<\/li>\n<li>When asked how data privacy would be guaranteed, the employee who accepted the device and other repair staff gave assurances that only the technician repairing the device would have access to it. However, further inquiries showed that there was no mechanism that could guarantee this; customers had only the staff\u2019s word for it.<\/li>\n<\/ul>\n<h2>So what do maintenance technicians do with customers\u2019 personal data?<\/h2>\n<p>Having found out that the service centers have no mechanisms to curb the curiosity of their specialists, in the next part of the study, the researchers began examining what actually happens to a device after it\u2019s handed over for repair. To do this, they bought six new laptops and simulated a basic problem with the audio driver on them. They simply turned it off. The \u201crepair\u201d therefore needed only superficial diagnostics and a quick fix: turning the driver back on. This particular malfunction was chosen since, unlike other services (such as removing viruses from the system), \u201cfixing\u201d the audio driver requires no access to user files whatsoever.<\/p>\n<p>The researchers made up fictitious user identities on the laptops (male users in the first half of the experiment and female users in the second half). They created a browser history, email and gaming accounts, and added various files \u2013 including photos of the experimenters. Also added was the first \u201cbait\u201d: a file with the credentials to a cryptocurrency wallet. The second bait was a separate folder containing mildly explicit images. 
The researchers used real female-coded pictures from Reddit users for the experiment (after having obtained consent beforehand, of course).<\/p>\n<p>Finally, and most importantly, before the laptops were handed over to the service, the researchers turned on the Windows Problem Steps Recorder utility, which records every action performed on the device. After that, the laptops were passed on \u201cfor repair\u201d to 16 service centers. Again, to get a complete picture, the researchers visited both small local services and centers of major regional or national providers. The genders of the \u201ccustomers\u201d were evenly distributed: in eight cases devices were configured with a fictional female persona, and in the other eight \u2013 with a male one.<\/p>\n<p>Here\u2019s what the researchers found out:<\/p>\n<ul>\n<li>Despite its simplicity, the problem with the audio driver was solved in the \u201ccustomer\u2019s\u201d presence after a short wait in just two cases. In all other experiments, the laptops had to be left until at least the next day. And the service centers of national service providers kept them in for \u201crepair\u201d for at least two days.<\/li>\n<li>For two local services, it wasn\u2019t possible to collect the logs of the repair staff\u2019s actions. In one case, a plausible reason for this couldn\u2019t be found. In the other, the researchers were told that maintenance technicians had to run antivirus software on the device and clean up its disk due to multiple viruses (the researchers were absolutely sure that at the time of drop-off, the laptop could not have been infected).<\/li>\n<\/ul>\n<p>In the other cases, the researchers were able to explore the logs; here are their findings:<\/p>\n<ul>\n<li>Among the remaining logs, the researchers found six cases where the repairers gained access to personal files or browser history. 
In four cases, this was recorded on the \u201cfemales'\u201d laptops; the other two \u2013 on the \u201cmales'\u201d ones.<\/li>\n<li>In half of the incidents, curious service center employees tried to hide traces of their actions by clearing the list of most recently opened Windows files.<\/li>\n<li>The repair staff were most interested in image folders. Their contents (including explicit photos) were viewed in five cases. Four of the laptops in these cases \u201cbelonged to\u201d females, the other \u2013 to a male.<\/li>\n<li>Browser history was the subject of interest for two laptops \u2013 both \u201cbelonging to\u201d males.<\/li>\n<li>Financial data was viewed once \u2013 on a \u201cmale\u2019s\u201d device.<\/li>\n<li>In two cases, user files were copied by maintenance technicians to an external device. Both times, they were explicit photos, and in one case, the aforementioned financial data was added.<\/li>\n<\/ul>\n<div id=\"attachment_47719\" style=\"width: 3010px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/03\/31112030\/repair-shops-privacy-issues-1.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-47719\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/03\/31112030\/repair-shops-privacy-issues-1.png\" alt=\"Results of a study on customer privacy violations by service-center employees\" width=\"3000\" height=\"1331\" class=\"size-full wp-image-47719\"><\/a><p id=\"caption-attachment-47719\" class=\"wp-caption-text\">In about half of all cases, service-center employees gained access to user files. They were almost always interested in pictures \u2013 including explicit photos<\/p><\/div>\n<h2>How to protect yourself from nosy maintenance technicians<\/h2>\n<p>Of course, it should be borne in mind that this is a Canadian study. It wouldn\u2019t be right to project its results onto all countries. 
Nevertheless, I somehow doubt that the situation generally around the world is much better. It\u2019s likely that service centers in most countries, just as in Canada, have no cogent mechanisms in place to prevent their employees from violating customer privacy. And it\u2019s also likely that such employees take advantage of the lack of restrictions set by their employers to pry into customers\u2019 personal data \u2013 especially that of women.<\/p>\n<p>So, before you take your device to the service center, it\u2019s worth doing a little preparation:<\/p>\n<ul>\n<li>Be sure to make a complete backup of all data contained on the device to an external storage device or to the cloud (if possible, of course). It\u2019s standard practice for service centers to make no guarantees as to the safety of customer data, so you may well lose valuable files in the course of a repair.<\/li>\n<li>Ideally, your device should be completely cleared of all data and reset to factory settings before taking it in for repair. For example, this is exactly what <a href=\"https:\/\/support.apple.com\/en-us\/HT201557\" target=\"_blank\" rel=\"nofollow noopener\">Apple recommends doing<\/a>.<\/li>\n<li>If clearing and preparing the device for service isn\u2019t possible (for example, your smartphone\u2019s display is broken), then try to find a service that will do everything quickly and directly in front of you. 
Smaller centers are usually more flexible in this regard.<\/li>\n<li>As for laptops, it may be sufficient to hide all confidential information in a crypto container (for instance, using a <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">security solution<\/a>), or at least in a password-protected archive.<\/li>\n<li>Owners of Android smartphones should use the <a href=\"https:\/\/support.kaspersky.com\/KISA\/Android_11.55\/en-US\/144306.htm\" target=\"_blank\" rel=\"noopener\">app locking feature<\/a> in <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Premium for Android<\/a>. It lets you lock all your apps using a separate PIN code that\u2019s in no way related to the one used to unlock your smartphone.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Could someone be viewing your private photos while your device is being 
repaired?<\/p>\n","protected":false},"author":2726,"featured_media":47720,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1788],"tags":[3761,363,43,4431,45,49],"class_list":{"0":"post-47715","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"tag-laptops","9":"tag-personal-data","10":"tag-privacy","11":"tag-repair","12":"tag-smartphones","13":"tag-tablets"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/repair-shops-privacy-issues\/47715\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/repair-shops-privacy-issues\/25470\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/repair-shops-privacy-issues\/20903\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/repair-shops-privacy-issues\/28074\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/repair-shops-privacy-issues\/25772\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/repair-shops-privacy-issues\/26148\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/repair-shops-privacy-issues\/28607\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/repair-shops-privacy-issues\/34947\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/repair-shops-privacy-issues\/20391\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/repair-shops-privacy-issues\/21017\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/repair-shops-privacy-issues\/29970\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/repair-shops-privacy-issues\/26055\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/repair-shops-privacy-issues\/31782\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/repair-shops-privacy-issues\/31468\/"}],"acf":[],"banners":"","maintag":{"u
rl":"https:\/\/www.kaspersky.com\/blog\/tag\/privacy\/","name":"privacy"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47715","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=47715"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47715\/revisions"}],"predecessor-version":[{"id":47819,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47715\/revisions\/47819"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/47720"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=47715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=47715"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=47715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}