More Than 25% of Phones Purchased Contained Sensitive Data
By Tom Ventsias
You’d never hand over your phone to strangers, but University of Maryland security experts have discovered that law enforcement agencies are instead selling the devices to them, still packed with personal and financial information.
Their recent study found that many of the phones sold at police property auction houses—which sell devices seized in criminal investigations or that have gone unclaimed from lost-and-found inventories—are not properly wiped of personal data. The study, conducted over two years with cellphones bought from the largest police auction house in the U.S., uncovered troves of personal information from previous owners that potentially put them at risk of harm ranging from identity theft to blackmail.
Of the 228 phones that the UMD team successfully bid on, 61 (27%) contained personal data like Social Security numbers, credit card and banking information, passport data and pictures of driver’s licenses.
“We were actually surprised at the level of personal information we found, and the ease by which we could access it,” said Dave Levin, an associate professor of computer science who led the UMD team.
Some of the phones they accessed had been used in criminal activities like identity theft, a discovery Levin found particularly troubling.
“It’s as if people that were victims of identity theft were being ‘re-victimized’ by having their personal information available again for anyone to see,” he explained.
The UMD team determined that some of the phones had been used by sex workers, with text messages between the workers and their clients still intact.
Dealing with such delicate data meant that before Levin and several graduate students could try to understand the scale of a problem that had never been systematically explored, they first had to work closely with the university’s legal counsel and institutional research review board to establish the ground rules for the study.
“There were stringent guidelines in place—how each phone we received was catalogued, the processes we used to access the phones, and most importantly, what we would be legally required to do if we found any evidence of child abuse,” said Julio Poveda, a second-year computer science Ph.D. student who was part of the research team.
The UMD team did not come across any evidence of child abuse but did uncover other information that was unsuitable for public dissemination, such as depictions of adult nudity and drug use.
“It's important to remember that your phone does not just have your data, it has data from anyone who has communicated with you,” said Richard Roberts, a sixth-year computer science Ph.D. student and lead author of the study.
Roberts, who presented the team’s academic work at a major security conference earlier this year, said that out of the 61 phones the researchers accessed, they determined that there had been some form of digital contact with more than 7,000 people.
Levin, Poveda and Roberts are all security experts, but decided against using any type of sophisticated digital forensics for their study. “We wanted to attempt to gain access to any cellphone data using techniques that someone on the street might use,” Roberts said.
The researchers were shocked at how easy it was. One phone arrived with a sticky note attached with the phone’s passcode in plain view, a leftover from the originating police agency that had already legally hacked the phone. Multiple other phones had PINs or passcode patterns that were easy to guess.
“Sadly, passcodes like 1-2-3-4 are still in common use today,” Levin said.
Last October, the researchers reached out to the auction house where they purchased the phones. The company—PropertyRoom.com, which bills itself as the largest police auction house in the U.S. working with more than 4,400 law enforcement agencies—promised to investigate the problem. Shortly after that, the company stopped selling bulk lots of phones altogether for a short period, then started again, prompting the researchers to purchase another batch.
“We found that PropertyRoom had started wiping the phones but failed to wipe the phones’ [Secure Digital] cards, which in several cases had partial backups of the phones’ contents,” Levin said.
After pinging the company again to inform it of this oversight, the UMD researchers received no further response.
A subsequent investigative report by a local television station prodded the company to publish a message on its website stating it was aware of the security concerns and was taking corrective measures.
From a security standpoint, Levin said, police agencies should avoid auctioning used cellphones. “Just destroy them,” he said. “[The police agencies] don’t get that much money in return, and the potential damage far outweighs any financial incentives.”
He also suggested that people take better precautions in the event their phone is lost or stolen and ends up being resold.
“Use your phone under the assumption that somebody else might later become its legal owner,” Levin said. “Set a passcode that is hard to guess, minimize the private information that’s easy to access, and remotely wipe your phone if it is lost or stolen. Otherwise, our study shows just how easy it is for someone to gain an incredible amount of access to your private information.”
Maryland Today is produced by the Office of Marketing and Communications for the University of Maryland community on weekdays during the academic year, except for university holidays.