Many people, even the most tech-savvy, find themselves in situations where repairing a phone or computer is beyond their capabilities. Such occasions often require a device to be professionally repaired, but this also means there is a risk that technicians will gain access to the user’s private data. According to a new report, this is something that happens about half the time, and the risk increases if the client is female.
As Ars Technica reports, new research conducted by researchers at the University of Guelph in Ontario, Canada, looked at logs from laptops that were repaired at 12 service centers (national, regional and local) in Ontario between October and December 2021.
Worryingly, not only did technicians from six locations gain access to personal data, but two of them also copied the data to a personal device. The report found that employees were more likely to access personal information if the item being repaired belonged to a female customer, and in those cases they tended to look for more sensitive information, including both sexually suggestive and non-sexual photos, documents and financial information.
The actual numbers may have been even higher, as researchers visited 16 stores, but the logs of two laptops were unrecoverable, and two outlets made repairs on the spot instead of doing them overnight.
In three cases, technicians tried to disguise their rummaging by clearing items from Windows Quick Access or Recently Accessed Files. For the unrecoverable logs, one employee said they installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device,” while the other provided no explanation.
The only issue with all the laptops was that the audio driver was disabled, an easily fixed problem that certainly doesn’t require access to personal files.
Half of the machines were made to look like they came from male owners and half from female users. The researchers added documents, both sexually suggestive and non-sexual photos, and a cryptocurrency wallet with credentials, as well as custom logging software.
Another troubling part of the study involved taking the laptop to the store to have the battery replaced, a simple procedure that does not require access to the operating system. When asked if the work could be done without providing a password, three refused to carry out the procedure if the client did not provide it, four agreed but warned that they would not be able to verify their work or be responsible for it, one asked to remove the password, and one said they would reset the device if required.
The report is troubling for anyone thinking of getting their device repaired: almost all services asked for passwords when they weren’t required, half snooped on personal data, a few tried to hide/delete evidence of snooping, etc. But that’s nothing new. Last June, Apple paid an Oregon woman millions of dollars after two employees at Pegatron, one of Apple’s main service technicians, posted photos and videos of her on her social media directly from an iPhone she had sent in for repair. Incidents like these are why, starting with the Galaxy S22, Samsung will introduce with One UI 5 a so-called Service mode on its Galaxy devices, thanks to which access to sensitive information, such as photos, contacts or messages, can be blocked for the duration of the device repair.