A used phone may seem like the perfect gift for the shopper who is both budget- and environmentally conscious, but cybersecurity experts warn that used devices can come with risks.
Canada’s resale market for used electronics such as phones, laptops and smart appliances has reached about $222 billion (U.S.) and is projected to grow 3.8 per cent annually until 2032, according to market research from UniverCell Canada, a resale platform that sells and repairs used smart devices.
The growth, according to the company’s analysis, is driven by the soaring prices of new devices as well as consumer desire to shop in a way that’s environmentally sustainable.
A recent survey by Mastercard of consumers in the U.S., Canada, U.K. and United Arab Emirates found that 82 per cent of millennials and gen Z said they planned to buy second-hand gifts, including electronics, for the holidays this year.
Navigating the devices we use every day can seem intimidating. Invisible threats such as hidden accounts, malicious software and altered firmware could put the privacy of buyers — and sellers — in jeopardy.
Experts in technology and cybersecurity shared the most common risks associated with second-hand devices, as well as the ways that people can protect themselves — and the recipients of their gifts — this season and beyond.
Which devices are susceptible?
“Anything that can connect to the internet and transmit information is a potential threat,” says Montreal-based cybersecurity expert Terry Cutler.
Cutler says that devices such as cellphones, laptops, door cameras and fitness trackers can transmit whatever information those devices are capable of collecting.
Potential risks
Residual data
“A lot of electronic devices these days contain personal data,” says Andy Davis, a researcher at NCC Group, a cybersecurity firm based in Manchester, U.K. “If you don’t clear it before you sell a second-hand device, you’re exposing yourself.”
Contacts, locations visited, and old accounts are some of the data that Davis says sellers might leave behind on a phone.
Cutler says buyers may not be able to detect hidden accounts on a device they purchase, which could allow the previous owner to log in and access the device remotely.
Malware
Malware is malicious software designed to gain unauthorized access to a device. Common uses include spying, stealing personal information, holding data hostage, or simply causing damage to a device.
“Phones and laptops can be resold after being compromised,” warns Cutler. “In rare cases attackers intentionally preload spyware or credential-stealing apps that can read your email, access the camera and activate the microphone at any time and from a distance.”
Stale credentials
“A lot of smart devices still use factory usernames and passwords,” says Cutler. “If they weren’t changed or weren’t wiped properly, then someone could reconnect to them.”
Using common factory passwords such as “password” and “admin” is an easy way to get hacked, according to Cutler.
Modified devices
“Jailbreaking” a device is the process of unlocking an operating system (like on an iPhone) by removing software restrictions and altering the device’s firmware.
Firmware is the permanent software embedded in a device that acts as a bridge between the hardware — the physical parts of a device — and the software — the instructions that tell the hardware what to do.
When the firmware of a device is altered, Cutler says it can introduce “backdoors” — hidden, undocumented entry points to a computer system that bypass normal encryption.
Imitation hardware
Imitation hardware is a bait-and-switch tactic where consumers are duped by outer packaging that belies a degraded or lesser internal device.
Davis says he’s seen this with memory sticks: someone takes apart a cheap, low-storage memory stick and inserts it inside the shell of a more expensive device with higher storage.
How to secure your used devices
Factory reset
“We always recommend that if you are going to buy or sell a device that might have sensitive data, you do a factory reset,” says Davis.
A factory reset, according to Davis, not only resets a device’s data, but often installs the latest version of firmware and overwrites malware.
Users can perform a factory reset by going into a device’s settings, finding and executing the command for “reset” or “erase all content.” For devices without screens, this often involves logging in to an auxiliary app or account to perform a reset.
Software updates
A U.K. investigation of second-hand smartphones found that 31 per cent were no longer able to receive software updates.
Before making a purchase, Davis recommends checking whether a specific device is still capable of accepting updates. For devices that are more than a few years old, he says, the vendor may no longer provide software updates.
“If you can’t get software updates, you’re going to get exposed to all kinds of potential malware whenever you connect to the internet,” says Davis.
Advice for devices new and used
“Change your passwords and enable multifactor authentication, when possible,” says Davis. “It’s an easy thing that will prevent phishing attacks and unwanted access to apps and online platforms.”