NewAugust 08, 2023

Thinking about taking your computer to the repair shop? Be very afraid

Share:
Thinking about taking your computer to the repair shop? Be very afraid

Not surprisingly, female customers bear the brunt of the privacy violations.

If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, not surprisingly with female customers bearing the brunt.

Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.\

Blown away

“We were blown away by the results,” Hassan Khan, one of the researchers, said in an interview. Especially concerning, he said, was the copying of data, which happened during repairs for one from a male customer and the other from a female. “We thought they would just look at [the data] at most.”

The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021. In all, the researchers took the laptops to 16 shops in the greater Ontario region. Logs on devices from two of those visits weren’t recoverable. Two of the repairs were performed on the spot and in the customer's presence, so the technician had no opportunity to surreptitiously view personal data.

In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks. As noted earlier, two of the visits resulted in the logs the researchers relied on being unrecoverable. In one, the researcher explained they had installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device.” The researchers received no explanation in the other case.

Here’s a breakdown of the six visits that resulted in snooping:

laptops were freshly imaged Windows 10 laptops. All were free of malware and other defects and in perfect working condition with one exception: the audio driver was disabled. The researchers chose that glitch because it required only a simple and inexpensive repair, was easy to create, and didn’t require access to users’ personal files.

Half of the laptops were configured to appear as if they belonged to a male and the other half to a female. All of the laptops were set up with email and gaming accounts and populated with browser history across several weeks. The researchers added documents, both sexually revealing and non-sexual pictures, and a cryptocurrency wallet with credentials.

The researchers also configured the laptops to run a custom logging app that used the Windows Steps Recorder utility in the background. The utility captured the screen on every mouse click and recorded each key pressed by the user. The researchers also enabled Windows Audit Policy to log access to any file on the device.

The researchers then brought the laptops to two national outlets, two regional ones, and four local ones. Half the customers were male, and the other half were female.

Password required

Besides finding widespread snooping, the study uncovered other problems. Among them: The vast majority of repair shops provide no privacy policy and those that do have no means of enforcing them. Even worse, repair technicians required a customer to surrender their login password even when it wasn’t necessary for the repair needed.

These findings came from a separate part of the study, in which the researchers brought an Asus UX330U laptop into 11 shops for a battery replacement. This repair doesn’t require a technician to log in to the machine, since the removal of the back of the device and access to the device BIOS (for checking battery health) is all that’s needed. Despite this, all but one of the repair service providers asked for the credentials to the device OS anyway.

When the customer asked if they could get the repair without providing the password, three refused to take the device without it, four agreed to take it but warned they wouldn’t be able to verify their work or be responsible for it, one asked the customer to remove the password, and one said they would reset the device if it was required.

 

Related