A recent study conducted by the University of Maryland shows that countless smartphones seized by US police forces during arrests and searches are being auctioned online without being data-wiped, which can lead to crime victims being re-victimized. Among other things, the data found on the phones auctioned by police included information on criminals, as well as personal data about targets and victims of crime. PropertyRoom.com, the largest online marketplace for items seized in US law enforcement investigations, responded to the study by announcing that phones sold through its platform will be data-wiped prior to auction.
According to the study, researchers from the University of Maryland purchased 228 smartphones sold “as-is” from PropertyRoom.com, for an average price of $18 per phone. Of the phones they won at auction, the researchers found that 49 had no PIN or passcode, while an additional 11 could be unlocked by guessing from the top 40 most popular PINs or swipe patterns. The researchers concluded that many of the devices they won at auction had probably not been data-wiped and were protected only by a PIN.
Phones may end up in police custody for any number of reasons, such as the owner’s involvement in identity theft; in these cases, the phone itself was used as a tool to commit the crime. The researchers found that the data on the phones they accessed included victims’ data and, in some cases, criminals’ plans.
PropertyRoom.com’s response to the study was to announce that all mobile devices sold on the platform will be wiped of their data prior to auction going forward. An internal review was conducted by PropertyRoom.com after the researchers informed the auction site last year of their findings. The site stopped selling phones for a while, but then slowly reintroduced them. Researchers from the University of Maryland made sure they won every auction, and all the phones they received were subsequently wiped, except for four devices that had external SD storage cards in them that weren’t wiped.
PropertyRoom.com is the largest online auction house for police departments in the United States and obtains devices and resells them directly to auction-goers. In contrast, auction platforms like eBay mostly list items directly from sellers and do not possess the items they sell.
The University of Maryland team emphasized that they took care not to cause any further victimization, both by ensuring that none of the devices could connect to the Internet when powered on and by scanning all images on the devices against known hashes for child sexual abuse material.
The researchers offered additional commentary on the matter, noting that: “We initially expected that police institutions would never auction these phones as they would enable the buyer to recommit the same crimes as the previous owner. Unfortunately, that expectation has proven false in practice.”
The study provides an interesting insight into the potential security implications of police auctioning off mobile phones and the data on them, including sensitive information about victims of crime. With the additional measure taken by PropertyRoom.com to wipe data from phones, it’s hoped that the risk to crime victims will be reduced.