Is There Data Snooping in the Electronics Repair Services Industry?

Apex Labs Dissects a 4-Part Study on Privacy and Security Issues in Electronics Repair

Is there data snooping by electronics technicians when we bring our devices in for repair? The researchers in this paper claim to have conducted the first-ever comprehensive study to understand the state of privacy in the electronics repair services industry.

While the level of security in electronics repair is something that has crossed every security professional’s mind, it is not an issue that is front of mind for the average customer, as the paper makes apparent.

The authors gathered the data by investigating the following five questions:

  • Does the electronics repair industry have privacy policies or procedures to safeguard customers’ data? If so, how are those policies or procedures communicated to customers?
  • Do repair service providers only request access to resources that are necessary for the repair?
  • Do service technicians access customers’ data? If so, how widespread is this issue, and what type of violations are common?
  • How well do customers understand the risks associated with device repairs, and how does that knowledge influence their device repair decisions and repair preparations?
  • What solutions are viable to improve the state of privacy in the electronics repair industry?

Identifying Electronics Data Snooping Issues in Four Research Phases

To answer those five questions, the authors conducted a four-part study that included:

  • Identifying any existing privacy practices for customers
  • Detecting privacy violations during device repair
  • An online survey of study participants
  • A semi-structured interview of study participants

For me, the valuable data is in the first two parts of the study as these steps gather concrete data while the second half of the study is generated from participants who are trying to recall information or offer their opinions.

The two stakeholders in this study were the electronic repair service providers (service providers) and customers. The service providers were broken up into three types: national, regional, and local. There are more details listed in the article that better define what these three types are, but you can think of it as a range from Best Buy to a mom-and-pop shop. No service providers were advised of the study as that could have impacted the results.

In addition, a range of devices from smartphones to computers was used for the study, along with a variety of “issues” for which they were brought in for repair. One issue, for example, was a battery replacement, which would not require any type of passwords/passcodes to perform the service.

Study #1: Identifying Existing Privacy Practices for Customers

The first study had some alarming results. None of the service providers had any type of privacy policy listed or visible to the customer upon dropping off or shipping the device in need of repair, and only a handful of them provided terms of service documentation after handing over the device. To make matters worse, the documentation was typical verbiage that stated how the service provider was not held liable for data loss, or it was a generic policy on data collection and retention. However, these documents do not provide any explicit protections for the customers.

There were several other “red flags” uncovered during this study as well relative to customer privacy:

  • I did not expect much signage to be hanging on their walls in terms of their privacy policies; however, there was nothing about any privacy policy provided to the customer, even upon request.
  • All but one of the service providers requested passwords/passcodes to perform service, even for something as simple as replacing a laptop battery.
  • When asked how the data was being stored, the customers were simply told that they were stored in a database and given no further information.
  • Passwords were also observed to be placed on a sticker on the laptop.

In my personal experience, I’ve been asked for this same type of access on services that did not require it; however, I fought it and they proceeded to perform the job without it. This behavior may be a reoccurring theme, but nonetheless I was not surprised by the results that came out of the first study.

Study #2: Detecting Privacy Violations During Device Repair

To observe privacy violations during service, software logging was added to the devices that would track all actions, and parameters were put in place as to what constituted privacy violations.

Six categories were used:

  1. Accessing the users’ data folder (containing documents)
  2. Accessing any of the picture folders
  3. Revealing pictures
  4. Accessing and revealing a finance folder or financial information
  5. Accessing browsing history
  6. Copying users’ personal data to an external storage device.

I feel like the categories the study was tracking made sense as they would typically be actions a malicious actor would take.
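The six categories above map naturally onto rules over an access log. The following is an added example, not the researchers' logging software: the `timestamp|action|path[|destination]` event format, the folder layout under `/home/customer`, and the `/media` mount point are all assumptions made for illustration.

```python
import posixpath
from pathlib import PurePosixPath

# Assumed layout of the instrumented device; the study's real paths are not given.
HOME = PurePosixPath("/home/customer")
EXTERNAL = PurePosixPath("/media")  # assumed mount point for removable storage
RULES = [  # (category from the list above, watched path, actions that count)
    ("1-user-data", HOME / "Documents", {"list", "open"}),
    ("2-picture-folder", HOME / "Pictures", {"list", "open"}),
    ("3-revealing-picture", HOME / "Pictures/private", {"open"}),
    ("4-finance", HOME / "Finance", {"list", "open"}),
    ("5-browsing-history", HOME / ".browser/history.db", {"open"}),
]

def norm(path):
    # Collapse '..' and '.' so a detour through another folder still matches.
    return PurePosixPath(posixpath.normpath(path))

def under(path, root):
    return path == root or root in path.parents

def classify(line):
    """Return the set of violation categories triggered by one log line."""
    fields = line.strip().split("|")
    if len(fields) < 3:
        return set()  # malformed line: ignore rather than guess
    action, src = fields[1], norm(fields[2])
    hits = {cat for cat, root, acts in RULES if action in acts and under(src, root)}
    if (action == "copy" and len(fields) > 3 and under(src, HOME)
            and under(norm(fields[3]), EXTERNAL)):
        hits.add("6-copy-to-external")
    return hits

def summarize(lines):
    """Map each category to the timestamps at which it was triggered."""
    report = {}
    for line in lines:
        for cat in classify(line):
            report.setdefault(cat, []).append(line.split("|", 1)[0])
    return report

SAMPLE_LOG = [  # constructed events, not data from the study
    "2023-01-10T10:02:11|open|/usr/share/diag/battery.log",
    "2023-01-10T10:05:40|list|/home/customer/Pictures",
    "2023-01-10T10:06:02|open|/home/customer/Documents/../Pictures/private/img01.jpg",
    "2023-01-10T10:09:15|open|/home/customer/.browser/history.db",
    "2023-01-10T10:12:33|copy|/home/customer/Finance/tax.pdf|/media/usb0/tax.pdf",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A single event can fall into more than one category, and paths are normalised before matching so that the third sample event is attributed to the pictures folder rather than to Documents.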

Just under half the service providers were caught accessing data from the categories above. Accessing and revealing picture folders were the most common actions, which is no surprise as there have been many high-profile incidents of revealing pictures being hacked.

The researchers also observed one service provider transferring data to a separate drive, as well as a good percentage of service providers trying to cover their steps by deleting traces of their data snooping on the device. Again, no surprise here when it comes to this type of behavior. Electronics repair services is an industry that has barely any regulation when it comes to customers’ privacy and data, as well as no oversight internally as to how the data is being handled. For these reasons, it’s of utmost importance to make sure you take as many measures as possible to limit access to the data. Suggestions on mitigations that can be put in place are discussed later in the article.

One element that stood out to me from the first two studies was how small the sample was. Only twelve service providers were tested, so that may have skewed the data to either side. I have no doubt that what occurred in this study is commonplace, but I’m just not sure the statistics line up with reality.

Study #3: An Online Survey of Study Participants

112 participants were recruited for an online survey in which they answered an array of questions on the customer experience with service providers.

The categories were:

  • Demographics and background
  • Devices needing repairs
  • Reasons for not getting repairs
  • Who repaired the device
  • What protocol was followed for repair services
  • Safeguards employed by the respondents and the service providers to protect their personal data.

The article provides in-depth statistics in every category; however, the statistics that interested me the most were relative to whether the participants thought the service provider would conduct data snooping on their phone. Only 9% of participants were concerned about data snooping during their electronics repair. In my opinion, this result is understandable as your average end user doesn’t have security at the forefront of their mind.

One of the other questions asked was relative to whether the service provider requested the passcode for the device to perform service. In this part of the study, the results differed from the researchers’ result in the second study. They found that 41% of the participants were not asked for their passcode as opposed to the almost 100% in the second study. The researchers attribute this variance to the broader scope of the survey, as it included locations where credentials may not be typically requested (e.g., in-home repair service, cellular service provider, and their organization’s IT department).

Study #4: A Semi-Structured Interview with Study Participants

The goal of this part of the study was to get deeper insights into the experiences of participants during their electronics repair process and to obtain feedback on possible solutions.

The questions were broadly categorized into the following categories:

  • Demographic and background
  • Device needing repair
  • Choice of service provider
  • Repair experience
  • Possible improvements.

I think the results for this study are reflective of a standard mindset of the general public – security simply isn’t at the forefront of their mind. Most participants either didn’t care or didn’t think of their personal security and privacy when getting their device repaired; only 5% of participants were concerned with their privacy.

The participants also tended to use service providers that had a good reputation, which was based primarily on Google reviews. In addition, mirroring what was found in the second study, 83% of the participants were asked for passwords no matter what the service was.

None of the participants found any evidence of a service provider snooping the device; however, keep in mind that these service repairs were not part of the research and did not have any data snooping software to detect that kind of activity. It’s safe to assume that we would have seen similar activity in similar numbers as uncovered in the previous study should there have been detection software installed.

Bringing Awareness to Electronics Repair Security: A Step in the Right Direction

The researchers reviewed the situation holistically and discussed some ideas and solutions for how to improve security and privacy in the electronics repair services industry. I feel some of the responses are valid and should be further pursued; one of which was a recommendation to have diagnostic utilities built into devices but sandbox the service provider away from customer data. This solution sounds great but does require manufacturer participation to implement.

The researchers believe a reliable solution requires actions from three stakeholders – device manufacturers and OS developers, service providers, and regulatory agencies. I share the same sentiment especially when it comes to regulation.

Overall, I think this research was a step in the right direction for raising awareness of device security and privacy in electronics repair services. From this study, here are the primary actions that need to occur to effectively address the uncovered issues:

  • Customers need to be more aware of their devices and what content they contain.
  • Service providers need more privacy policies in place as well as oversight.
  • Device manufacturers need to be more proactive in providing methods for repair that don’t jeopardize customer privacy.
  • Regulatory agencies should be put in place to provide a baseline as to what standards service providers must meet.

Security and privacy can’t be addressed with one-size-fits-all solutions. The issues here are multifaceted and sometimes require action from multiple parties.

Finally, my only gripe with the study was the sample size for the first and second studies. It would be interesting to see which way the statistics would have swung with a larger sample of service providers.