A new study found that countless smartphones seized in arrests and searches by police forces across the US are being auctioned online without first having the data on them erased, a practice that can lead to crime victims being re-victimized, a new study found. In response, the largest online marketplace for items seized in US law enforcement investigations now ensures that all phones sold through its platform will be data-wiped before the auction.
Researchers at the University of Maryland last year purchased 228 smartphones sold “as-is” from PropertyRoom.com, which bills itself as the largest auction house for police departments in the United States. Of phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they could guess an additional 11 PINs using the top 40 most popular PIN or swipe patterns.
Phones may end up in police custody for any number of reasons — such as its owner was involved in identity theft — and in these cases, the phone itself was used to commit the crime. “We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner,” the researchers explained in a paper released this month. “Unfortunately, that expectation has proven false in practice.”
The researchers said while they could have employed more aggressive technological measures to work out more of the PINs for the remaining phones they bought, they concluded, based on the sample, that a great many of the devices they won at auction had probably not been data-wiped and were protected only by a PIN.
Beyond what you would expect from unwiped secondhand phones, every text message, picture, email, browser history, location history, etc., the 61 phones they could access also contained significant amounts of data about crime, including victims’ data.
Some readers may wonder, “Why should we care about what happens to a criminal’s phone?” First off, it’s not entirely clear how these phones ended up for sale on PropertyRoom. “Some folks are like, ‘Yeah, whatever, these are criminal phones,’ but are they?” said an assistant professor of computer science at the University of Maryland. “We started looking at state laws around what they’re supposed to do with lost or stolen property, and we found that most of it end up going the same route as civil asset forfeiture,” UofM continued. “If they can’t find out who owns something, it eventually becomes the state's property and gets shipped out to these resellers.”
Also, the researchers found that many of the phones clearly had personal information regarding previous or intended crime targets: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that belonged to sex workers; their phones contained client communications.
An overview of the phone functionality and data accessibility for phones purchased by the researchers.
One phone had full credit files for eight different people on it. They found a screenshot on another device that included 11 stolen credit cards purchased from an online carding shop. On yet another, the former owner had been active in a Telegram group chat that sold tutorials on running identity theft scams.
The most interesting phone from the batches they bought at auction was one with a sticky note attached that included the device’s PIN and the notation “Gry Keyed,” no doubt a reference to the Graykey software that is often used by law enforcement agencies to brute-force a mobile device PIN. “That one had the PIN on the back,” the researchers said. “The message chain on that phone had 24 Experian and TransUnion credit histories”.
The University of Maryland team said they took care in their research not to further the victimization of people whose information was on the devices they purchased from PropertyRoom.com. That involved ensuring that none of the devices could connect to the Internet when powered on and scanning all images on the devices against known hashes for child sexual abuse material.
It is common to find phones and other electronics for sale on auction platforms like eBay that have not been wiped of sensitive data, but in those cases, eBay does not possess the items being sold. In contrast, platforms like PropertyRoom obtain devices and resell them at auction directly.
PropertyRoom did not respond to multiple requests for comment. But the researchers said sometime in the past few months PropertyRoom began posting a notice stating that all mobile devices would be wiped of their data before being sold at auction. “We informed them of our research in October 2022, and they responded that they would review our findings internally,” MofU said. “They stopped selling them for a while, but then it slowly returned, and we ensured we won every auction. And all of the ones we got from were indeed wiped, except four devices with external SD [storage] cards in them that weren’t wiped.”
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings