Buying phones at an auction is a great way to save some of your hard-earned money — whether you’re looking for the best Android phones or a new iPhone. It can be online bidding on platforms like eBay or an in-person affair like a customs office sale. But one place you should never pick up a phone from is a police auction.
The folks at the Department of Computer Science at the University of Maryland purchased 228 phones seized and subsequently auctioned by the police and found that most of them had not been properly wiped. While that may seem harmless, it’s a tsunami of risks for an average phone user.
The auctioned cell phones contained personal information and, in some cases, disturbingly sensitive details such as images depicting drug abuse and nudity. Data gleaned from these auctioned phones revealed that some of them belonged to members of organized crime gangs, stalkers, sex workers, and registered sex offenders.
A healthy bunch of these auctioned phones used some of the most commonly phished passwords, like 1234. Furthermore, “out of the 61 phones the researchers accessed, they determined that there had been some form of digital contact with more than 7,000 people,” says the team behind the research, which has been published in the IEEE journal.
“Our results show that a shocking amount of sensitive, personal information is easily accessible, even to a ‘low-effort’ adversary with no forensics expertise,” says the research brief. All these phones were auctioned by PropertyRoom.com, which works with over 4,000 police departments across the country.
Of all the phones tested by the experts, 21.5% didn’t even have a passcode, while some contained a partial backup of all the data belonging to the phone’s previous owner. It isn’t hard to guess that a phone being auctioned by police may have been a part of criminal activities in the not-too-distant past.
Some of the phones tested by the team had clear evidence of criminal activity.
The team says this is “the first study of phones sold at police auctions.” While that is remarkable in itself, what’s truly astonishing is that accessing the data stored on these phones didn’t require any overtly sophisticated break-in tools like Cellebrite or GrayKey that law enforcement agencies use.
While analyzing these auctioned phones, the team came across sensitive and personally identifiable information — such as web browsing history — on a quarter of all the phones. In addition, they were able to extract sexually explicit multimedia content, log-in credentials for a wide range of services, emails, text messages, credit card details, banking information, social security numbers of identity theft victims, and credit reports, among others.
The team was able to access all the data on “21.49% of the phones merely by turning them on,” while in six instances, the phones came with a sticky note with the password written on it. Only 5.3% of the devices bought from the auction arrived with all their data wiped out.
Needless to say, you should avoid buying phones from police auctions, online or otherwise. As for the law enforcement agencies, the research team suggests they should simply destroy confiscated cell phones instead of auctioning them, as the financial incentives of such a sale are minimal, but the risks are extremely high.