Commercial repair shops caught snooping on customer data by Canadian research crew

[b1k3rdude]

Summary

Computer scientists affiliated with Canada's University of Guelph have found that electronics repair services lack effective privacy protocols and that technicians often snoop on customers' data.

 

Quotes

Quote

In a four-part research study distributed via ArXiv, "No Privacy in the Electronics Repair Industry," University of Guelph researchers Jason Ceci, Jonah Stegman, and Hassan Khan describe how they tested the privacy policies and practices of electronics repair shops. The inquiry consisted of a field survey of 18 repair service providers in North America – three national, three regional, and five local service providers, as well as two national smartphone repair service providers and five device manufacturers.

 

My thoughts

This is why A) I never recomend people take thier kit to these kind of places (they are also espensive for what they do) and B) take the hard drive out if they can before handing over the computer.

 

Sources

https://www.theregister.com/2022/11/15/repair_technicians_data/

[OhioYJ]

14 minutes ago, b1k3rdude said:

This is why A) I never recomend people take thier kit to these kind of places (they are also espensive for what they do) and B) take the hard drive out if they can before handing over the computer.

Many people that use computer repair shops are:

 

•  Not going to realize there is date like that on their PC, not realize the importance of protecting it. 
• Not know how to pull a hard drive. That's why they are taking it to a computer repair shop.
• You have the final issue that some problems will require the hard drive to solve, as many times people have simply messed up their OS / Drivers / etc. Could be  virus, malware, etc.

[Heats with Nvidia]

This is really bad, but at least the part that they are not liable to any data loss, is normal. I work in a repair shop, although we don`t repair computer or smartphones. Sometimes the data on the device of a customer is already lost when we get it. Or the part the data is on, needs to be replaced and we can`t copy it. So that is normal and also having the login credentials would help with testing even when its just a battery swap. But you can also just use a Linux USB stick and not touch the user data at all.

 

And by the way, they should also test the bigger companies. I am really sure they have the same problem.

[Applefreak]

21 minutes ago, b1k3rdude said:

Summary

Computer scientists affiliated with Canada's University of Guelph have found that electronics repair services lack effective privacy protocols and that technicians often snoop on customers' data.

 

Quotes

 

My thoughts

This is why A) I never recomend people take thier kit to these kind of places (they are also espensive for what they do) and B) take the hard drive out if they can before handing over the computer.

 

Sources

https://www.theregister.com/2022/11/15/repair_technicians_data/

That is not accurate, please study the paper. The article is clickbait and the author is drawing the wrong conclusions. Here is the link

[jagdtigger]

1 hour ago, b1k3rdude said:

technicians often snoop on customers' data.

Like there is anything stopping an official technician to look around, you most be pretty naive if you think this isnt an universal issue....

[Arika]

22 minutes ago, jagdtigger said:

Like there is anything stopping an official technician to look around, you most be pretty naive if you think this isnt an universal issue....

case in point:

https://9to5mac.com/2021/06/07/apple-pays-out-millions-in-compensation-to-student-after-iphone-repair-facility-shared-her-explicit-personal-images-online/

[Dracarris]

If only there was a way to encrypt user data.

 

But yeah, probably best practice:

1) Don't store noodes on mobile devices

2) Backup your shit so you never require data recovery where technicians inevitably need full access

3) If a repair process requires access to the device, find a store you can truly trust (probably difficult)

[Holmes108]

When a maid cleans your house, she's able to snoop through your whole house too. I don't know what you're supposed to do about this. I mean, obviously, in that case you do whatever obvious stuff you can. Don't leave money out in the open, put away valuables if you're concerned.

 

But otherwise this is just part of the deal. Make a credit card payment with a sales agent, and they can write your credit card number down. All you can do is go with a company you trust, and at the end of the day, sometimes there are creeps out there. It doesn't make it okay, but I'm just saying companies have employees, and employees are people. All you can do is deal with it on a case by case basis I suppose. 

[rcmaehl]

5 hours ago, Applefreak said:

That is not accurate, please study the paper. The article is clickbait and the author is drawing the wrong conclusions. Here is the link

 

Reddit comment sums it up well

 

Quote

"In one of those two cases, I believe, they were going through financial data"

And yet that didn't make it into the paper. In fact it said that no financial data was taken at all, unless they copied it to a piece of paper by hand. You'd think that would be something to lead with if you caught it.

 

And then there's the article itself. Why do they feel the need to imply the battery test was the one that had the data sifted through, it wasn't, they had a second test with a disabled audio driver that was rigged with logging that provided that data(petty perhaps, but the audio one actually did need OS access).

 

"one technician did so in a way to avoid generating evidence". Thumbnails, he looked at the thumbnails without opening the files. High tech work that one. No mention of the one group that managed to disable all the logging without giving any explanation (or the one that did explain it by saying the machine had a ton of viruses so they cleaned it. Which I guess is a totally different problem with some repair shops).

 

[Kisai]

8 hours ago, b1k3rdude said:

Summary

Computer scientists affiliated with Canada's University of Guelph have found that electronics repair services lack effective privacy protocols and that technicians often snoop on customers' data.

 

Quotes

 

My thoughts

This is why A) I never recomend people take thier kit to these kind of places (they are also espensive for what they do) and B) take the hard drive out if they can before handing over the computer.

 

Sources

https://www.theregister.com/2022/11/15/repair_technicians_data/

In other news, water is wet.

 

There is no expectation of privacy when you get your devices repaired. This has been a known thing since ... oh forever. You usually sign a waiver that says the technician is permitted to do anything to the device in the course of repairing it, and you agree to any reasonable costs associated with it. 

 

I'm sure there's photography people out there still alive that will tell you about less-trustworthy photo staff making copies of photos they found interesting/incriminating.

 

Same with computers once digital cameras became common. It used to be a thing between 1998 or so to at least 2016, where because of the need to use the user's credentials to access the machine, a lot of "private" information would be popped up by the device, without even looking for it. The only things that have changed since the GDPR was coming into force, is that it's now obnoxiously more time consuming to go looking for things on purpose.

 

But when you back up a user's device, be that a computer or a smartphone, your average person isn't sitting there and looking at everything. There is no time to do that, and generally the "red flag" events are the wallpaper of the device, or icons of things saved on the desktop. If, you as a computer technician login to the machine and the first thing you see is CEI, well you're likely going to have to make a decision on if calling the police is worth risking your job and bad publicity over. No tech I know of ever gave a care if there was pirated software or videos on the device. 

 

Personally, I took the angle of "I'm not going fishing without a license." If the person who brought it in, didn't tell me to look at something, and nothing wrong with the system leads me to it, I'm probably going to ignore it if it doesn't present a repairable action. AV products will point you towards where something is stored that might be questionable.

 

At any rate a computer and a smartphone don't differ that much in these scenarios. It's just far more likely that people will store photos and video on their personal device and not have a backup, and thus want to keep the contents. 

 

 

And the underlying problem is that these companies don't screen their employees that they allow to handle private information. That "store" I worked for at some point was owned by BB before BB closed all the non-BB stores.

 

During holiday seasons, the store just hires anyone that can reinstall the OS. That's it. If it was a laptop and can't be fixed in store with retail parts, it was sent off to a repair depot. 

 

 

I can tell you exactly what was needed:

1. ASUS laptops will not allow the OS or BIOS to update without the battery being at full charge

2. The lack of charge leads to the discovery of the bad battery

Then either it was sent to ASUS's repair depot if it was under warranty, or they ordered a third party battery.

3. After the new batter is aquired, the laptop is dismantled to the level needed to replace the battery, the battery changed

4. The laptop is powered on in a dismantled state to check that the device boots the OS and charges. 

5. If no problems found with the battery installation, it's put back together and the customer is phoned to come get their laptop.

This is a point I want to highlight. Often "corporate policy" dictates that everything be done, even if it's logically unnecessary. Failure to do so means you get written up for it. So "asking" is policy, but the customer has the option to refuse, which may raise a red flag to doing the repair (eg it's not their device) and the techs may refuse to accept the repair for that reason.

 

Personally, if I was not working for the store, I would just ask for it out of standard procedure, and if they refused I would just tell them that the scope of repairs will be limited to only changing the battery. Certain computers (eg Dell) have sufficient onboard diagnostics that don't require booting the OS to check for battery health. ASUS laptops do not (they simply show the battery charge level.)

 

While it doesn't necessarily require booting the OS to confirm it's charging, it's sufficient to check the LED's, as no laptop I've ever seen has "zero indication" that the battery is charging.

 

If I was still working for the store I'd just say, sorry policy requirement.

 

Most "retail" places will have a label or sticky note, because the person who accepts the machine may not be the same person who works on it (eg sending it to a depot.) 

 

To that end, even the enterprise company I worked for did that. Laptops would arrive with the user's name on several labels including the shipping label. I never asked users for their username or password because the tool on the USB drive just let me reset the admin account on the device if I only needed access to the device. Doing this to "retail" end user units would not be viable since it would lock the user out of their device, where as domain-connected machines aren't.

 

Well, if you're not going to provide the account credentials, then the only way to confirm it works is by reimaging the laptop. Standard procedure.

 

I just want to mention up-front here, that it is literately an unreasonable demand to not hand over the keys to something you want something repaired. If you don't know it, it's a red flag that the device is STOLEN. If you don't want to hand it over because it's something that you use everywhere, you should remove it from the device if the device still functions to do so.

 

That's what Apple makes you do.

 

So... every single "female" had someone access their pictures... that's embarrassing. Strange how only the regional ones took interest in the males.

 

It should probably be noted, and probably not observed by the people who actually did this study, that just because their background logging didn't detect snooping, doesn't mean there wasn't any. As I've mentioned multiple times, there are ways of getting the data from the device without the credentials. From using the enterprise tools to gain administrative access to the device (thus "problem step recorder" would not be able to record it) to using Linux or Windows PE boot discs to not even boot the user's OS. There are high end Windows PE boot recovery disk images out there, that anyone who needed forensic access to a machine would use to not leave a trace.

 

It would be well out of scope for a "battery replacement" to backup the hard drive or re-image the machine, but had the repair been sent to a depot, that might be policy to do so. It's entirely possible that the drive was cloned, the machine worked on, and then re-imaged back to the original state, or even having the hardware swapped for a "like" model unit. In the case of smart phones, and Nintendo consoles, that's pretty much what they do since the storage is soldered to the Motherboard.

 

 

 

 

[Kisai]

35 minutes ago, huilun02 said:

So we should opt for repair services that cost less and does not have weeks long turnaround time. Those that dont have the time luxury to mess with your data.

 

Does this ring any bells?

If a repair has weeks-long turn around time, it's because they're overbooked. Which is also standard fare at all national computer-selling stores (eg, BB, Staples, etc) 

 

They consider sales more important than service, even though service can bring in a lot more money if the repair techs are competent. If they aren't competent, then people will just keep bringing back and demand refunds on the original sale.

 

True story, I once had someone cancel their computer purchase (costing the sales rep their commission) because the sales person told the customer a big fat lie. Somehow the sales rep got me to answer questions for the customer while they went off to handle another sale, and the customer asked the right question.

 

Over time I've basically only found two things to be true about repair jobs:

- Customers who are impatient, will never be satisfied, and just want to be in control. If you accept the job, Ignore everything, you can not please them. There is only one question "Do you want me to fix this?" If that's not a straight "yes", then refuse. It's not worth the hell you'll have to deal with.

 

- Customers who are patient, and don't make demands about anything, just want it fixed, and often don't even care how much time or money it costs to fix it. They know they are ultimately at fault for the situation, and are just hoping it can be fixed as soon and cheap as possible, but know that if they make unreasonable demands you might just refuse to fix it.

 

Between the retail store and the call centers, this has remained true with only slight variations based on "how much money they are willing to spend" to solve a problem. Some people do not value the data on the machine and would rather you wipe it if it's cheaper. Some want it backed up at any cost.

 

To that end, if you value your privacy, you are better off finding a repair tech that is willing to let you shoulder-surf. I don't care so much, but don't ask why I'm doing something unless you're willing to listen.

 

[Mark Kaine]

On 11/18/2022 at 12:25 PM, b1k3rdude said:

This is why A) I never recomend people take thier kit to these kind of places (they are also espensive for what they do) and B) take the hard drive out if they can before handing over the computer.

i worked at a repair shop a long time ago... im wondering how are you supposed not to "snoop"? it was often necessary or even requested by customers to check "if there's anything wrong " or save their data (as in recover) ... sure it's funny what stuff you see on people's computers,  but in many cases unavoidable...

 

If they take the hard drive out we wouldn't be able to fix the computer because usually the hard drive *is* the issue,  plus you think installing windows every time you want to check a computer is somehow feasible,  sure is but thats gonna cost a lot of $$$ and is therefore *not* feasible. 

 

Also expensive?  i don't think so, actually the place was kinda too cheap for what they were doing... and how time intensive it often is/was...

 

i remember we repaired a dudes "GTA5" i think it took my colleague the whole night and it cost like 30 bucks, expensive my ass!

 

 

On 11/18/2022 at 12:46 PM, Applefreak said:

clickbait

glad im not the only one who noticed

[RoseLuck462]

If your device breaks, might as well destroy it completely and start fresh 

[williamcll]

This is why you encrypt your files before you hand it in for hardware repairs.

[Sauron]

Quote

For our analysis, we categorized privacy violations into six categories: accessing users’ data folder (containing documents), any of the picture folders, revealing pictures, finance folder, browsing history, and copying users’ personal data to an external storage device. We note that other types of violations are possible, but we only report observed violations. Table 1 shows privacy violations for the two types of experimenters. We only noted one violation from one national service provider against a female experimenter. The folders that contained pictures and revealing pictures were accessed. For regional service providers, we noted one violation each against male and female experimenters. The documents, pictures, and revealing pictures were accessed for both experimenters. The browser history of the male experimenter was also viewed by the technician, and the revealing pictures were zipped and transferred to an external storage device. For the local service providers, we only note one violation against the male experimenter (browser history was accessed) and two violations against the female experimenter. The technician at one local service provider accessed documents, pictures, and revealing pictures. The technician at the other local service provider committed all violations except viewing the browsing history. The technician also copied a password-containing file and the revealing pictures to an external device.

@b1k3rdudethese are the full privacy violations observed by the study. They do not include reading financial information as the article erroneously states. The study also mentions that this is a very small sample size so there is no information on whether this happens "often" or not; we just know that it can happen and that the services they tested don't have policy in place to prevent it.

[Sauron]

11 hours ago, Mark Kaine said:

i worked at a repair shop a long time ago... im wondering how are you supposed not to "snoop"? it was often necessary or even requested by customers to check "if there's anything wrong " or save their data (as in recover) ... sure it's funny what stuff you see on people's computers,  but in many cases unavoidable...

Sure, but if I come in for a battery replacement and ask for nothing of the sort it's not acceptable for a technician to then go through my photos, browsing history and passwords and then copy some to an external drive without my explicit request or permission. I can understand the person at the front desk not knowing if login information would be required and having to ask anyway but a technician should know better and there should be checks in the system.

[Gamer Schnitzel]

On 11/18/2022 at 12:55 PM, jagdtigger said:

Like there is anything stopping an official technician to look around, you most be pretty naive if you think this isnt an universal issue....

"Official" technician means you can sue the company for millions for snooping while the repair shop has $5 in their cash till you can have as compensation.

[jagdtigger]

7 minutes ago, Gamer Schnitzel said:

you can sue the company

Yes you can sue them, good luck for winning though.....

[Kisai]

7 hours ago, Sauron said:

Sure, but if I come in for a battery replacement and ask for nothing of the sort it's not acceptable for a technician to then go through my photos, browsing history and passwords and then copy some to an external drive without my explicit request or permission. I can understand the person at the front desk not knowing if login information would be required and having to ask anyway but a technician should know better and there should be checks in the system.

 

See, had batteries not require opening the PC, you could just replace the battery in front of them.

 

All laptops other than some high-end chonky models require being opened, and while I know I could certainly do this with a dell in under 10 minutes, I would want at least the hour to make sure it's charging and booting to windows, and not the "charging" or the PSU being the problem.

 

There are a lot of problems with this research, but I'd say it's most invalid aspect is the assumption that access=snooping. If the files were not transferred off the machine, it's likely nothing of consequence really happened, and it could just be the tools/scanning software opening files.

 

Just to repeat, the "tool" they used takes screenshots. Only a terribly incompetent tech person would fail to notice this tool running.

 

FYI, it would be interesting to see LTT or GN try to repeat the study, but with a better sense of what the tech's actually did.

 

[Sauron]

14 hours ago, Kisai said:

If the files were not transferred off the machine

They were in some cases

[mr moose]

The saddest thing about this is that because they sensationalized some bits, people are just going to ignore all of it.

 

It should go without saying that we don't know how prolific it is, but you'd have to be blind to think it doesn't happen often enough to be a problem. 

[LAwLz]

It's a shame to see this happen, especially when Nathan Fielder found the solution to this issue years ago:

 

 

[Mark Kaine]

On 11/21/2022 at 11:09 AM, williamcll said:

This is why you encrypt your files before you hand it in for hardware repairs.

tbh, most people have no idea whatsoever about this stuff and just want their pc/laptop "repaired"...

 

 

which in most cases (by far) is removing all the ad and malware and spyware, which actually spies on their data 24/7, which they installed because "it was free..."  

 

so in a way they aren't stupid,  they know they messed up, and they're gonna have to trust the shop... which is why its important to choose a shop with a good reputation,  which is easier said than done,  but vast majority won't "encrypt" their stuff and I'm not sure if that wouldn't make it harder / impossible to fix their computers to begin with... most likely they could encrypt as much they want, would need to handover the pw however  ¯\_(ツ)_/¯ 

[jagdtigger]

 

[Zodiark1593]

Regrettably, this is of no surprise whatsoever.
 

Outside of warranty repairs, the people most likely to require PC repair services, are also the ones least able to protect their data. It isn’t hard at all to pull data off a pc. 
 

If there’s any consolation, it’s that with full disk encryption being the default on new systems, it’s harder for a tech to image a drive for later perusal.