You’ve had a bad morning. What started off as a perfectly normal day took a turn for the worst when your brand-new phone slipped out of your pocket and the screen shattered on the pavement.
After a quick Google search, you find the certified Apple store or reseller in your neighborhood is charging a pretty penny for screen repairs.
But after scrolling for a few more minutes, you find a small third-party repair shop down the street that can do it for less than half the price. What a bargain!
Or is it?
The truth is, while many independently owned repair shops might be completely legitimate operations, there are more and more popping up that can and will hack your mobile phone while repairing it. And the problem is, it’s REALLY easy to do.
There are a lot of things that can go wrong when you trust your sensitive data to a stranger and leave your most frequently used device in their hands for any amount of time. With mobile phones, there are two primary ways they can gain access to your information.
1. Asking for your pin/password
This one is the most obvious, and the easiest to avoid. Some technicians at repair shops will blatantly ask you for your pin or password so that they can test the phone. You should NEVER give them this information. At most, you can enter your code into their phone for them to test it while you are there.
If you do give them your pin or password, they can easily copy your personal data – messages, photos, and in some cases even session IDs and that way gain continuous access to your social media and other accounts. While you might not even be aware that anything has changed, in the long term, these nefarious hackers can exploit your personal data for their own personal gain, or sell the data to other third parties.
Not to mention, for extended access to your personal data, a shop owner could choose to install a piece of software to gain access to your phone whenever they want (spyware). Again, you might not notice anything has changed, but in the background, a complete stranger might be utilizing your personal data or even your phone’s resources for their own purposes.
Bottom line: Do not give ANYONE your pin or password. If a shop owner or technician insists this is necessary, take your business elsewhere.
2. Installing a malicious chip under your screen
The second method is a bit more complex and much harder to detect. Researchers have shown how relatively simple it is for repair technicians to install secret microchips when replacing your screen. These chips are completely undetectable to you, your phone’s OS, anti-malware applications, or conventional testing methods. In fact, the booby-trapped parts are indistinguishable from the originals, and cost as little as $10 to obtain and install!
Once installed, these “keyloggers” can record keystrokes, input patterns, take and send pictures back to the hackers, and even install malware on your phone. Since they’re so hard to detect, it’s highly unlikely you would notice anything wrong until your sensitive data has been compromised and it’s too late.
So how can you avoid untrustworthy repair shops from installing malicious chips into your phone? Only use repair services directly from or certified by the manufacturer of your mobile phone. In this case, certifications are your best protection against hackers.
The point of this article is not to instill panic and add to your stress level the next time you need to get your phone repaired. However, we at Citadelo take data security VERY seriously, and keeping your personal data safe is one of the most fundamental requirements for overall data security. It is crucial to carefully consider who you are giving access to your devices, what kind of access you are giving them, and what they could do with that access when you’re not around.
The next time you need to get your phone repaired, take it directly to the manufacturer or at least take the extra time to verify whether the shop you are planning to use is certified. If not, strongly consider whether or not saving a few bucks on a one-time repair is worth compromising all of your personal data. We strongly believe that minimizing security risks is invaluable, and it’s far more worthwhile to spend the extra money to protect your sensitive data.