When you need to drop off your tech devices for a repair, how confident are you that they won’t be snooped on?

CBC’s Marketplace took smartphones and laptops to repair stores across Ontario — including large chains Best Buy and Mobile Klinik — and found that in more than half of the documented cases, technicians accessed intimate photos and private information not relevant to the repair.

Marketplace dropped off devices at 20 stores, ranging from small independent shops to medium-sized chains to larger national chains, after installing monitoring software on the devices. In total, 16 stores were recorded. (At four stores, the tracking software didn’t log anything, or the stores didn’t appear to turn the devices on.)

Technicians at nine stores accessed private data, including one technician who not only viewed photos but copied them onto a USB key.

  • beaubbe@lemmy.world
    link
    fedilink
    arrow-up
    55
    arrow-down
    4
    ·
    1 year ago

    Unsurprising. Most repair shops will ask for your PW to “test that the device works”. If it is for a battery change, or screen fix or whatnot, refuse to give it! It is not required. They can confirm the fix just by accessing the lock screen itself.

      • Suburbanl3g3nd@lemmings.world
        link
        fedilink
        arrow-up
        39
        ·
        1 year ago

        Samsung phones have this but apparently the Samsung diagnostic tool doesn’t work in the repair mode. Dumbest thing I’ve ever heard.

        I just use a secondary app to lock down all apps when it needs serviced then.

          • logicbomb@lemmy.world
            link
            fedilink
            arrow-up
            6
            arrow-down
            34
            ·
            1 year ago

            Yeah it’s great. When anything goes wrong, you can just throw it in the trash and get a new one.

            • winkerjadams@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              25
              arrow-down
              1
              ·
              1 year ago

              Like when I accidentally broke the glass on my camera bump and I was able to buy the replacement and fix it myself for under $20, right?

              • logicbomb@lemmy.world
                link
                fedilink
                arrow-up
                2
                arrow-down
                19
                ·
                edit-2
                1 year ago

                And you believe that’s because it’s an android? So anybody who buys an android phone can expect that nothing will ever go wrong with the hardware?

                Edit: To any morons downvoting, that’s literally what the person said. Here, I’ll quote them: “Nice thing about having an Android is I’ve never needed service”

                Literally saying that the reason they never needed service is that it’s an android. There is no other way to interpret the statement.

                  • logicbomb@lemmy.world
                    link
                    fedilink
                    arrow-up
                    1
                    arrow-down
                    7
                    ·
                    1 year ago

                    “Nice thing about having an Android is I’ve never needed service”

                    The grammar you’re using simply doesn’t mean what you’re saying it does. “Nice thing about having X is Y” means that Y is a benefit of having X. Your claim is that your never needing service is a benefit of owning an Android.

                    Now you’re claiming that the two things are not dependent upon each other? Like if I said, “Nice thing about having a pet fish is that the air pump for my fish tank is quiet.” That makes no sense, because my air pump being quiet is not dependent upon my owning a fish. You might as well say, “Nice thing about having an Android is that my mom packed a cookie in my lunchbox yesterday.” The reason that sounds wrong is that the grammar requires a dependency.

                    But the truth is, you understand the grammar well enough to know what it means. That’s why you wrote it that way. You just assumed that what you were thinking was right without really thinking about it.

    • ttr
      link
      fedilink
      arrow-up
      23
      arrow-down
      4
      ·
      edit-2
      1 year ago

      Shitty people will do shitty things. That said, if you don’t give your password, be prepared to have the technician test all sorts of stuff in front of you. The selfie camera, ear speaker, microphone, etc. sometimes are mounted on the screen. If there are problems, the tech will need to redo the repair. Not advocating for giving your pw, but be prepared for the process to be less convenient.

      Edit: My bad, should have clarified I’m talking about phones exclusively. If you’re worried about your computer, create a non-admin user and give them that password. If they had the skills to bypass that, they wouldn’t be working at a repair shop.

      • Crozekiel
        link
        fedilink
        arrow-up
        8
        ·
        1 year ago

        If they had the skills to bypass that, they wouldn’t be working at a repair shop.

        What are you talking about? I worked at a geek squad back in college days and no one there needed your admin password to get into your computer. We’d just remove the password. The only reason we asked for your password was so you’d get your computer back with the password still on it, lol…

        I’m more shocked that none of the techs found the monitoring software and assumed it was something malicious and disabled or removed it…

        • ttr
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          Bitlocker? FileVault? If you’re cracking those, why the fuck are you working at a Best Buy?

          • mob@sopuli.xyz
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            Bitlocker or Filevault for the pin/password to get onto your computer? I don’t think that’ll be a common scenario. I also imagine they bypass the whole password thing, rather than cracking the actual password.

            • Crozekiel
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Yup. A majority of the time people didn’t have any of that setup anyway. But also most of windows security is centered around external attacks over a network, not someone actually having your computer so there are lots of ways to just remove the password if you can plug in a flash drive or insert a CD.

              If someone actually security conscious brought in a computer truly locked down, we would have had a tough time of it, but people that know how to do that aren’t bringing their computer to geek squad to be fixed, so it’s a catch 22.

              • mob@sopuli.xyz
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                Yeah I had a buddy who bought a PC that had a BIOS password on it(which now I realize was probably stolen… but it was like a big box store 2010 desktop which is weird to steal) I was surprised with how easy it was to bypass that, and gain access with a flash drive and 3 minutes of googling

        • themoonisacheese@sh.itjust.works
          link
          fedilink
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          Phones. Also technicians aren’t that amazing most of the time, if you drop off your thing at the place you bought it they might know the procedure to change a screen but that’s it.

          • Ghoelian@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            Also, even on laptops/desktops this might not always be possible depending on the bios configuration. Corporate devices for example might have the bios and booting from untrusted media locked down.

              • lud@lemm.ee
                link
                fedilink
                arrow-up
                3
                ·
                1 year ago

                Yeah, absolutely not.

                One user got his work iPhone replaced in the apple Store by himself and never told us. Obviously no work apps or anything got installed properly.

                And the work phones aren’t even ours, they are leased 🤦 That was a pain in the ass.

    • CubitOom@infosec.pub
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      2
      ·
      1 year ago

      If someone has physical access to your device, they also have the ability to access your files without your password. Unless you are using sophisticated full disk encryption, but that makes it more time consuming to gain access.

      • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        I wish Android still had full-disk encryption. It was dropped in Android 10 for file-based encryption, but as far as I know the keys are just somewhere on the device. But I am not sure about that. Like 10%.

        • Snowplow8861@lemmus.org
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          They’ll be in a hardware security module, just like the computer should be storing encryption keys with the tpm. Tbh I don’t know what’s actively implemented but definitely on the devices I manage in MDM they’re non-compliant without that. I’m sure you probably can get cheap devices without though. Just like you can get home level laptops without tpm.

    • Bizzle@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      A lot of times, the camera/earpiece speaker/microphone cables are really fragile and tolerances are tight. The phone isn’t designed to be opened. You should, therefore, make sure they work after the repair by making a test call.

    • RunningOutOfViolence@lemmy.ca
      link
      fedilink
      arrow-up
      6
      arrow-down
      4
      ·
      1 year ago

      You almost always need to the password to test a phone thoroughly. You can see that the screen works on the lock screen, but what about the front facing camera, and secondary microphone that are attached to the screen and need to be transferred, or replaced if you do it like Apple. On newer iPhones the slightest defect can cause face id to not work. On laptops it depends. Sometimes live USBs don’t have the right drivers to test all the hardware. When you assume things are simple you’re usually wrong.

      • Traister101@lemmy.today
        link
        fedilink
        arrow-up
        6
        arrow-down
        3
        ·
        1 year ago

        Weird that you’d mention the cameras, one of the only things you can access from the lock screen.

        For everything but data recovery you can get by fine without a password. You aren’t gonna have a hardware issue that makes Facebook slightly slower, your device won’t turn on.

        • RunningOutOfViolence@lemmy.ca
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Incorrect. On most devices after the power is cycled you can’t use the camera on the lockscreen. You have to enter the password once before that feature is enabled. And if you’re doing a screen replacement you need to power it off or you risk frying the backlight. How many cellphones have you repaired? 1? Hundreds? Thousands? It was my job for years, and my point is just don’t assume things are simple.