The results of an investigation carried out by Sky News should be enough to worry anyone who is put in the unfortunate position of having to entrust their computer to a stranger.
Researchers from Sky News set up a laptop with a keylogger and webcam-enabled surveillance software. They gave the laptop a very common fault that is easy to diagnose and remedy, by slightly unseating a memory chip. The laptop was then taken to various computer repair shops around London and the results monitored.
Almost unsurprisingly, some of the shops gave misleading diagnoses and overcharged for the repairs. I say unsurprisingly because this immediately puts me in mind of all the well-known horror stories about car repair rip-offs.
Knowledge = Power = Money and it is certain, and now proven, that some people will abuse their position of power to maximise their financial return.
More worrying, though, was the data theft from this rigged laptop that followed once it had been repaired. The laptop was also honeytrapped with a collection of lady-in-a-bikini photos and personal data including bank logins and passwords for online services. This data was reportedly copied onto a USB stick by staff at one of the shops, and the banking logon details were also used to try to access the online banking service.
This is far from being a localised issue, as the Edison Chen sex photo scandal over in Hong Kong proved earlier this year, where, as ABC News put it:
“Say Britney Spears, Lindsay Lohan, and Paris Hilton took it all off for Justin Timberlake and his camera, who promised the tabloid queens that no eyes but his own baby blues would ever see evidence of their tryst. Say J.T. kept some of those photos on his laptop. Say that laptop fell into the wrong hands.
You might have a sex scandal on the level of what’s rocking Hong Kong right now.”
An important lesson to take from all this (other than the “never trust a tradesman” one I mean) is the need for a secure place for people to store their personal data.
More and more enterprises are making investments in various types of device encryption technologies, but these kinds of stories demonstrate the need for this technology to filter into consumer and small business products as well.
As information becomes more digitised (like the photos and the logins) and computers ever more portable (think netbooks and PDAs), the potential for mischief grows. The odds of a mobile device being handed over to a third party for service or repair are increasing. If that device contains sensitive personal or corporate information, then we need to provide people with technologies that enable them to keep their own data secure while still allowing the repair shop access to the machine to diagnose faults.
Importantly, if the problem is a software-related one, then this security cannot be achieved through full disk encryption, which is an all-or-nothing encryption methodology: once the disk is unlocked so the engineer can work on the software, everything on it is readable.
Consumer security suites need to offer people the ability to keep their most sensitive data in a secure location on the hard drive, while still allowing the engineers to get their heads under the digital bonnet to fix software-related issues.
Perhaps more crucially, we as consumers need to start actually using the features we pay for.