
Researchers discover privacy risks in cellphones obtained through police auctions.

Police departments across the country routinely sell items that were seized during criminal investigations or went unclaimed from lost-and-found inventories. Automobiles, jewelry, watches, and mobile phones are just a few of the items that end up at online auction houses.

Bargain hunters can bid on cellphones in bulk, picking up handfuls at rock-bottom prices for parts or other purposes. The proceeds go to the police departments, which makes it a win-win for everyone involved. Or does it?

A new study by University of Maryland security researchers found that many of the phones sold at police property auction houses were not wiped of personal data as they should have been. The study, conducted over more than two years with cellphones purchased from the largest police auction management firm in the U.S., revealed troves of personal data from previous owners that were easily accessible.


Of the 228 phones that the UMD team successfully bid on, 61 (27%) contained personal information such as Social Security numbers, credit card and banking data, passport information, photos of driver’s licenses, and more.

“We were really surprised at the extent of personal data we found and the ease with which we could access it,” said Dave Levin, an associate professor of computer science who led the UMD team.

Levin, a core faculty member in the Maryland Cybersecurity Center, first became interested in the topic through a casual conversation with a colleague. The first step was to work closely with the university’s legal counsel and institutional research review board to determine the protocols required before viewing any personal data. Once it was clear that there was a security breakdown—whether because the police did not wipe the phones or because the auction houses did not take the necessary precautions before shipping items to the highest bidder—Levin and several of his graduate students set out to investigate the scope of the problem.

“There were strict rules in place for how each phone we received was cataloged, the procedures we used to access the phones, and in particular, what we would be legally required to do if we found any evidence of child abuse,” said Julio Poveda, a second-year computer science Ph.D. student who was part of the research team.

The UMD team found no evidence of child abuse but did uncover other content unsuitable for public dissemination, such as depictions of adult nudity and drug use.

Some of the phones they accessed had been used in crimes such as identity theft, a discovery Levin found especially troubling.

“Perhaps people who were victims of identity theft were being ‘re-victimized’ by having their personal data made available again for anyone to see,” he explained.

The UMD team found that sex workers had used some of the phones and that text messages between the workers and their clients were still there.

According to lead researcher and sixth-year computer science Ph.D. student Richard Roberts, “It’s important to remember that your phone does not just have your data; it also has data from anyone who has communicated with you.”

Earlier this year, Roberts presented the team’s research at the IEEE Symposium on Security and Privacy. He said that out of the 61 phones the researchers accessed, they found that over 7,000 people had had some kind of digital contact.

Levin, Poveda, and Roberts are all security experts, yet they decided against using any kind of sophisticated digital forensics in their study. “We wanted to try to access any cellphone data using methods that someone on the street could use,” Roberts said.

The researchers were stunned at how easy it was. One of the phones arrived with a sticky note displaying the phone’s password, a leftover from the originating police agency that had lawfully unlocked the phone. The PINs or passcode patterns on a number of other phones were easy to guess.

“Unfortunately, passwords like 1-2-3-4 are still in common use today,” Levin said.

The researchers contacted the auction house from which they had purchased the phones in October of that year. PropertyRoom.com, which claims to be the largest police auction house in the United States and works with over 4,400 law enforcement agencies, promised to investigate the issue. Soon afterward, the company stopped selling bulk lots of phones altogether for a short period, then resumed, prompting the researchers to buy another batch.

Levin stated, “We discovered that PropertyRoom had begun wiping the phones but failed to wipe the phones’ [Secure Digital] cards, which in several cases had partial backups of the phones’ contents.”

The UMD researchers contacted the company once more to inform it of this oversight, but they received no additional response.

A subsequent investigative report by a local TV station prompted the company to post a message on its website stating that it was aware of the security concerns and was taking corrective measures.

From a security standpoint, Levin said, police agencies should avoid selling used cellphones. “Just destroy them,” he said. “[The police agencies] don’t get that much money in return, and the potential harm far outweighs any financial incentive.”

He also recommended that people take precautions in case their phone is lost or stolen and ends up being resold.

“Use your phone under the assumption that someone else could later become its rightful owner,” Levin said. “Set a password that is hard to guess, limit the sensitive data that is easy to access, and remotely wipe your phone if it is lost or stolen.” Otherwise, the research shows, it is easy for someone to gain access to a significant amount of your private information.

More information: Richard Roberts et al, Blue Is the New Black (Market): Privacy Leaks and Re-Victimization from Police-Auctioned Cellphones (2023). DOI: 10.1109/SP46215.2023.00167
