SINGAPORE: Almost everyone with a mobile phone or laptop may have had to take their device in for repair at least once. But how many have given any thought to all their data stored on it?
When the programme Talking Point sent 40 devices to different shops for repairs, it found that 12 of them — three phones and nine laptops — had been snooped on in the process.
A screen recording programme caught repair technicians searching through photo albums and the My Files application and attempting to access personal accounts like Snapchat, OnlyFans and Gmail.
One laptop revealed a particularly egregious breach: Photos and documents, including payslips and password information, were copied onto an external USB drive.
Some repairmen tried to cover their tracks; on four devices, the browser history and activity logs were deleted. One repairman even viewed a device’s photos using Microsoft Paint 3D, exploiting the app’s lack of a recently viewed file history.
A decoy payslip and passwords were among the folders one technician accessed and copied.
But all these actions were secretly recorded in an investigation masterminded by the NUS Greyhats, an information security interest group from the National University of Singapore.
They loaded the 40 devices with a fake profile under the alias “Jessica Lim”, complete with files such as personal photos, a curriculum vitae and login credentials.
To create a plausible repair scenario, the team disabled Wi-Fi drivers, a problem that could be fixed without accessing personal folders.
“You have to go to the device manager and check for missing drivers and just install them back,” NUS Greyhats member Lee Kai Xuan said. “So if (the technicians) are found looking at any … sensitive information, that’s purely on them.”
“We’ve tried to replicate a standard young adult desktop,” said NUS Greyhats member Lee Kai Xuan.
Yet, after resolving the bogus problem, three in 10 of them snooped.
Previously, a mobile technician made the headlines when he was sentenced in 2023 to three months and six weeks in jail for forwarding intimate images of a customer’s fiancee to himself via Telegram and obstructing justice when confronted.
Over the past 14 years, the number of phone and computer repair companies in Singapore has grown from about 460 to about 1,020 as of last year. Just how safe are our personal data in the hands of repair technicians?
The range of harms that access to personal information can cause is broad. In its mildest form, technicians might casually snoop through a customer’s device without malicious intent.
“A bored technician at work might just use it for some fun experiments,” said Siddhant Shrivastava, the cyber tech lead at the Singapore University of Technology and Design’s iTrust Centre for Research in Cyber Security.
These include using files to test new artificial intelligence tools or challenging themselves to access password-protected folders.
As ethical boundaries erode, however, the risks become more serious. Some technicians could exploit customers’ personal information to obtain money from their friends or family.
Shrivastava demonstrated this using Talking Point producer Dynn Othman’s damaged MacBook. With Dynn’s WhatsApp and Telegram accounts linked to the laptop, there was an opportunity for Shrivastava to repair it and show the consequences of having data exposed.
Siddhant Shrivastava dives into the depths of a snooper’s mind for Talking Point.
“It was possible to just take one video clip and, within two minutes, create fake Dynn’s voice, with all the inflections … that Dynn likes to use,” Shrivastava highlighted as he played this AI-generated message mimicking Dynn:
“Hey, Steve! I’m a bit broke. Can you spare 100 bucks? I’ll pay you at the end of the month.”
By inputting text, a scammer could use the AI-generated voice to send audio files or messages to Dynn’s contacts.
“The stealthiest possible technician would try to make sure that these attacks or these scams are initiated when the real Dynn isn’t available,” Shrivastava added.
The worst offenders could leverage access to a large amount of personal data to blackmail their victims. “These tools (that I’ve used) are designed for the layperson,” said Shrivastava. “One doesn’t have to be a super hacker.”
“That sounds like him all right,” Talking Point host Steven Chia said as he listened to the AI-generated voice of Dynn Othman.
Talking Point’s investigation did not stop at uncovering breaches — the team took the findings to the repair shops. The responses were as varied as the infractions themselves.
Several shop owners dismissed the snooping as commonplace in the industry and insisted that they were not responsible for the actions of outsourced technicians.
One owner went so far as to say that customers who do not want their pictures to be seen should delete them before getting their devices repaired.
Another shop owner offered a full refund, instructed the worker to apologise but treated the incident “very casually, like it wasn’t a big deal”, observed Talking Point host Steven Chia.
“A lot of laughing and smiling, so I somehow don’t think anything’s going to change here.”
The Talking Point team confronting a repair shop worker.
Some shops denied the allegations outright, while others offered more apologetic remarks. As for the technician caught transferring personal documents and photos to an external USB drive, he tried to justify his actions.
“I just wanted to see if (there was) anything important … because I wouldn’t want to mess with something that’s very confidential, like some government stuff,” he said.
“I tried to clone it to another SSD (solid-state drive). Then I put it on my test bench to see whether it’s the Windows issue.”
His story began to unravel, though. Earlier, he had told a producer the issue was hardware-related, not software-related. He eventually admitted to “trying to play (around with accounts) sometimes”. He said: “I’m just playful sometimes.”
It may be unsettling, but technicians accessing personal photos and documents seems to be a grey area in the law. Sometimes they may be simply conducting broad searches for JPEG files or videos, looking for clues to the device’s issues.
There is also no universal standard for data handling in repair shops. While some established shops may follow strict protocols, smaller shops might not require customer consent before snooping through personal data.
The situation crosses over into data theft, however, when technicians download, extract or retain personal information without the customer’s knowledge.
That is where the Computer Misuse Act comes into play. Unauthorised access to computer material such as personal data can lead to a jail sentence of up to two years and/or a fine of up to S$5,000 for first-time offenders.
Things get more serious when data is exploited for other purposes. For instance, if a technician accesses any data to commit an offence, the fine can be up to S$50,000 and the jail term up to 10 years.
Mister Mobile, a mobile phone retail chain with repair services, requires employees to acknowledge Singapore’s data privacy regulations and the consequences of violations, said founder Alan Tan.
Using personal information for identity theft or to damage a person’s reputation could lead to action under the Protection from Harassment Act too. If the harasser is identified, protection orders may be issued.
Enforcement aside, consumers can take precautions by transferring important data to external storage, like thumb drives and hard drives, before taking their device in for repair.
In fact, backups should be done regularly, and consumers can consider using cloud storage so sensitive data is not stored on the device, suggested Seow Chun Yong, assistant director of cyber adversarial emulation at Ensign InfoSecurity.
If a device fails unexpectedly, he advises removing the hard disk or SSD before the repairs. “You can ask (some repair shops) to remove it for you. Alternatively, we (can) ensure that we’re there to supervise most of the operation.”
Ensign InfoSecurity’s Seow Chun Yong sharing tips on protecting device data before any repairs.
He also advised against using automatic login features for convenience. “It’s against a lot of good security practices,” he said. “You should be logging in frequently to make sure that (your device) is always checking whether it’s the right user.”
And avoid providing admin credentials unless necessary. Technicians with this access not only can view files, but also can install software without your knowledge. If certain operations require a password, the technician should ask you to log on in person.
While it is difficult to completely prevent the downloading of files, encrypting them can render the data useless. Consumers can use software such as 7-Zip, a free, open-source file archiver for Windows, with similar alternatives available for Mac computers.
“If anyone tries to open or look at that file, even at the code level or the byte level of it, it’ll be gibberish,” Seow said.
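The 7-Zip step described above, as an added example that is not part of the original article or from anyone quoted in it: a PowerShell script that packs a folder into an encrypted archive on external storage and then checks that the archive cannot even be listed without the password. The install path, source folder and archive path are assumptions to adjust.

```powershell
# Added example: encrypt a folder with 7-Zip before handing a device in for repair.
# Assumptions: 7-Zip is installed in its default location; both paths below are
# placeholders (the archive path should point at external storage).
param(
    [string]$Source  = "$env:USERPROFILE\Documents\Private",
    [string]$Archive = "E:\pre-repair\private.7z"
)

$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'
if (-not (Test-Path $SevenZip)) { throw "7z.exe not found at $SevenZip" }
if (-not (Test-Path $Source))   { throw "Source folder not found: $Source" }

# -p with no value makes 7-Zip prompt for the password, so it never appears
# on the command line or in shell history.
# -mhe=on encrypts the archive headers as well. Without it the contents are
# encrypted but the file names inside the archive stay readable.
& $SevenZip a -t7z -mhe=on -p $Archive $Source
if ($LASTEXITCODE -ne 0) { throw "Archive creation failed (exit code $LASTEXITCODE)" }

# Check 1: the archive opens with the real password and passes 7-Zip's
# integrity test (you are prompted for the password again).
& $SevenZip t -p $Archive
if ($LASTEXITCODE -ne 0) { throw "Integrity test failed (exit code $LASTEXITCODE)" }

# Check 2: listing with a deliberately wrong password must fail. If it
# succeeds, the headers were not encrypted and file names are exposed.
& $SevenZip l "-pnot-the-real-password" $Archive | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "Archive could be listed with a wrong password; headers are not encrypted"
}

Write-Host "Encrypted archive verified: $Archive"
```

The script only creates and verifies the archive; the unencrypted originals stay on the device until they are moved off it.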
Watch this Talking Point special here. The programme airs on Channel 5 every Thursday at 9.30pm.
Source: CNA/fl(dp)