
Mobile phones seized in US criminal investigations are being sold online with personal data like emails, bank details and nude photos intact. Security experts warn that the practice enables hackers to buy phones and commit the same crimes as the previous owner, with the same data and victims.
Various US states have laws allowing police forces to dispose of lost-and-found items if they aren鈥檛 collected within a certain time, as well as devices that were used in criminal investigations or seized from criminals.
and his colleagues at the University of Maryland bought 228 mobile phones that were being disposed of by different police departments from the auction site PropertyRoom, paying an average of just $18.
Advertisement
Although many of the phones were protected by a PIN, the researchers were able to access 61 of them: 49 weren鈥檛 locked at all and another 11 used common passcodes that were easily guessed. One phone even arrived with a police note listing the PIN, apparently having been broken into with used by law enforcement agencies to extract data from protected devices.
One phone, which the team believes had been used by an identity fraudster, had 24 credit reports stored inside, with the identity, bank account details, employment record and social security numbers linked. Other phones had stored credit card details, both stolen and not. Scans of five passports and 14 driver鈥檚 licences were also found. Several phones had images of government-issued IDs and some included communication between sex workers and clients.
As well as the financial and identity information, the team found personal data including nude photographs, messages to friends and family and web browsing histories.
鈥淚f these phones aren鈥檛 being handled properly, you risk creating this cycle of people who are already victims of identity theft or some other crime having their data recirculating,鈥 says Roberts. 鈥淚 think there鈥檚 a clear problem at the police department level, because PropertyRoom runs the largest online police auction house in the US, but it鈥檚 not the only place. So if this problem was trickling down to them, it鈥檚 likely trickling down through to other places too.鈥
Roberts says that these kind of phones should either be destroyed or comprehensively wiped. 鈥淣o one should have their information be sold in this manner, including people who did commit criminal acts. It鈥檚 not just their data; it鈥檚 everyone that they interacted with,鈥 he says. 鈥淲e have every text message they send to every person they know; we have every email they send to every person; we have their phone call history.鈥
The researchers also scoured online auction listings from a two-year period and found images showing written-down PINs, owners鈥 names and phone numbers and even evidence stickers detailing how the phones were obtained and the names of the officers involved in the cases.
at the University of Manchester, UK, says he either keeps or destroys his old phones, and that leaking personal information puts the owner at risk of fraud and other crimes. 鈥淚f it was OK to trade in this kind of equipment, there wouldn鈥檛 be a whole line of business designed to not only wipe devices, but to actually, in some cases, shred them into tiny little pieces,鈥 he says. 鈥淚f a company was caught doing this in the UK, they could face huge fines.鈥
A PropertyRoom spokesperson said in a statement: 鈥淧ropertyRoom.com has always had policies and processes in place to wipe working smartphones before going to auction and auction other non-working phones sold for parts only. We do our best to continuously review our processes to ensure they are keeping up with the fast-changing digital landscape. We have updated our processes to ensure that no smartphones or electronics will be auctioned on PropertyRoom.com that aren鈥檛 wiped, locked, reset to factory settings, or hard drives/storage drives removed and destroyed.鈥
Reference: R. Roberts et al, preprint ()