Someone could be viewing your private photos during your device repair.

Most likely, at some point in your life your smartphone, tablet or laptop has broken and you have had to repair it. Damage to the device may have been caused by the user themselves. In fact, replacing smartphone screens has cost the industry billions of dollars; But it is more common that they are errors such as a battery failure, the death of the hard drive or a key that has become detached from the keyboard. Something that could happen at any moment.

Unfortunately, modern devices are made in such a way that not even the most skilled computer wizard could fix them on their own. In fact, smartphone repairs continue to decline year after year. Repairing the latest models requires not only general skills and knowledge of how all digital gadgets work, but also specialized tools, experience, and access to documentation and unique replacement parts.

Therefore, when a smartphone or laptop breaks, the user has no choice but to contact a technical service. After all, throwing away the device, buying another one and starting from scratch is not an option, since you most likely want all your data back. Now it is the job of the technical service you are contacting. But there is a problem, you have to give your device to a stranger, leaving all your data in their hands: photos, videos, correspondence, call history, documents and financial information. Can you entrust them to that person?

Technical services employees and homemade porn

Personally, I recently reflected on this after what a friend told me after a talk with the employees of a repair shop. During their conversation, the employees claimed to have viewed the homemade porn they found on the devices they repaired from other employees and even friends.

These types of incidents make the news from time to time. In fact, employees stealing private photos from clients has happened in more than one technical service , even generating great stories : on one occasion, some employees were not only stealing photos of their clients for years, but they were compiling collections. completely and they shared them.

But these incidents won’t be common, right? Not all technical services will have their staff eager to get their hands on customers’ personal data, right? Well, unfortunately, the truth is that the results of a study I recently discovered show that customer privacy leaks by maintenance technicians are a much more common problem than we think. In fact, one could say that this excessive curiosity on the part of the repair team is not due to isolated incidents, but is part of the industry. But let’s not get ahead of ourselves, let’s go step by step.

How technical services process customer data

Let’s take as a guide the study of researchers from the University of Guelph in Canada. This study consists of 4 parts, 2 of them dedicated to the analysis of conversations with customers of technical services and another 2, to field studies of the repair shops themselves, on which I will focus. In the first part of the “field” studies, the researchers tried to discover what intentions the workshops have when it comes to dealing with the privacy of their clients. First and foremost, the researchers were interested in knowing the workshops’ privacy policies or procedures to protect their data.

To do this, the researchers visited about 20 workshops of different types, from small repair shops to national and regional technical services. The chosen failure was the replacement of the battery of an ASUS UX330U laptop since, for its diagnosis and repair, access to the operating system is not required and all the necessary tools for this are in the UEFI of the laptop; Researchers use the now obsolete term: BIOS.

During their visits to the workshops, the researchers followed a series of steps. First, they were looking for any type of information readily available to the customer about the technical service’s data privacy policy. Second, they checked whether the employee to whom the device was delivered requested the username and password to log in to the operating system and, if so, how they justified the need to provide that information, given that there is no reason obvious for this because, as we have already mentioned, replacing the battery does not require access to the operating system. Third, the researchers looked at how the password was stored for the device being delivered for repair. And, fourth and last, they asked the employee in charge of collecting the equipment directly and unequivocally: “How do you make sure that no one accesses my personal data?” to find out what privacy policies and protocols they had in place.

The results of this part of the study were disappointing:

• None of the workshops the researchers visited informed “customers” about any privacy policies before accepting the device.
• With the exception of a single regional workshop, the rest requested the login password, arguing that it was simply necessary  for diagnostics or repairs, or to check the quality of the services provided (although, as we have already mentioned, it is not really necessary ).
• When asked if it was possible to replace the battery without the password, the three national suppliers answered no. Five smaller workshops stated that without the password they would not be able to check the quality of the work performed and therefore refused to take responsibility for the results of the repair. Another service even suggested the idea of ​​removing the password option entirely if the customer didn’t want to share it. And finally, the last workshop they visited stated that if they were not given the password, the device could be reset to factory settings if the maintenance technician found it necessary.
• Regarding the storage of credentials, in almost all cases they were stored in an electronic database along with the client’s name, telephone number and email address, but no one explained who could access this database.
• In about half of the cases, the credentials were also physically attached to the laptop delivered for repair. In larger workshops, it was printed and attached as a sticker or simply handwritten on a sticky note – that’s a classic! Therefore, we could affirm that any employee of these technical services, perhaps even occasional visitors as well, could have access to the passwords.
• When asked how they would ensure data privacy, the employee accepting the device and other staff assured that only the technician repairing the device would have access to it. However, a series of subsequent investigations showed that no mechanism could guarantee this; the only thing they had was their word.

So what do maintenance technicians do with customers’ personal data?

After discovering that service centers do not have mechanisms to stop the curiosity of their specialists, in the next part of the study, the researchers began to examine what really happens to a device after it is handed in for repair. To do this, they bought six new laptops and pretended to have a basic problem with the sound driver ; They just disconnected it. Therefore, all that was necessary for its “repair” was a superficial diagnosis and quickly solving the problem by activating it again. The researchers chose this particular bug because, unlike other services (such as system virus removal), “fixing” the sound driver does not require any access to the user’s files.

The researchers invented fictitious user identities on the laptops: men in the first half of the experiment and women in the second. They created a browsing history, email accounts and games and added several files, including photos of the researchers themselves. They also added the first “bait”: a file with the credentials of a cryptocurrency wallet; the second was an isolated folder with slightly explicit images. The researchers used real images coded by women from Reddit for the experiment (after obtaining consent, of course).

Lastly, and most importantly, before the laptops were delivered for service, the researchers activated the Windows Troubleshooting Recorder tool, which records every action performed on the device. The laptops were then delivered for “repair” to 16 technical service centers. Again, to get a full picture, the researchers visited both local workshops and the centers of major regional or national suppliers. Regarding the gender of the “clients”, the distribution was uniform: in eight cases, the devices were configured with a female fictitious person, and in the other eight, with a male one.

Here’s what the researchers discovered:

• Despite its simplicity, the problem with the sound driver was resolved in the presence of the “customer” after a short wait in only two cases. In all other experiments, the laptops had to stay until at least the next day. And the technical services of the national service providers had them under “repair” for at least two days.
• In two local services, it turned out to be impossible to collect records of the actions of repair personnel. In one of the cases, no logical reason could be found for this. In the other, researchers were told that maintenance technicians had to run antivirus software on the device and wipe the disk due to multiple viruses; even though the researchers were absolutely sure that, at the time of delivery, the laptop could not be infected.

In the rest of the cases, investigators were able to analyze the records; Here are their findings:

• Among the remaining records, researchers found six cases in which technicians gained access to personal files or browsing history. Four of these cases were recorded on women’s teams; the other two, in those of men.
• In half of the incidents, the most curious technical support employees tried to hide traces of their actions by deleting the list of recently opened files in Windows.
• What the repair people were most interested in were the folders with images. Its content, which included explicit photos, was viewed in 5 of the cases, of which 4 “belonged” to women, the other to men.
• Browsing history was the subject of interest for two laptops, both “owned” by men.
• Financial data was once reviewed on a man’s device.
• Maintenance technicians even copied the user’s files to an external device on two occasions. In both cases they were explicit images and in one of the cases, they also added the financial information that we talked about previously.

In about half of the cases, technical support employees accessed user files. The main interest was images, including those with explicit content.

How to protect yourself from nosy maintenance technicians

Of course, it must be taken into account that this is a Canadian study, it would not be correct to project these results in all countries. However, I somehow doubt that the overall situation around the world is much better. Technical services in most countries are likely to be the same as in Canada and do not have compelling mechanisms to prevent their employees from violating customer privacy. In addition, these employees could also take advantage of the lack of established restrictions to intrude on the personal data of customers, especially women.

Therefore, before taking your device to technical service, it is worth taking into account a series of precautions:

• Be sure to take a full backup of all data stored on your device to external memory or the cloud whenever possible. Technical services usually do not guarantee the security of their customers’ data, so you could lose valuable files during the repair.
• The best option is to wipe all data on the device and restore it to factory settings before taking it for repair. For example, that’s exactly what Apple recommends you do .
• If cleaning and preparing the device is impossible because, for example, the screen is broken, try to find a service that will carry out the repair quickly and with you in front of you. In this sense, small workshops tend to be more flexible.
• As for laptops, it would be enough to hide all sensitive information in a password-protected file, at a minimum, or in an encrypted container using, for example, a security solution .
• Android smartphone owners could use the app lock feature in Kaspersky Premium for Android that allows you to lock all apps using an isolated PIN code that is in no way related to the one used to unlock your smartphone.