Phones sold on police auctions may contain sensitive information

In the United States, items in police possession are often sold at auction if they go unclaimed. This includes cellphones that police obtained through civil asset forfeiture, recovered as stolen property, or received through lost-and-found. Thousands of US police departments partner with a website, PropertyRoom.com, to auction their items.

Over the course of several months, we purchased 228 cellphones from PropertyRoom to ascertain whether they contained personal information. Our results show that a shocking amount of sensitive, personal information is easily accessible, even to a “low-effort” adversary with no forensics expertise: 21.5% of the phones were not locked at all, another 4.8% used top-40 most common PINs and patterns, and one phone had a sticky-note from the police with the PIN on it.

This webpage summarizes our findings from analyzing the phones we purchased from PropertyRoom. We detail our findings in a forthcoming peer-reviewed paper to appear at the IEEE Symposium on Security and Privacy.

Recommendations for Law Enforcement

  • Follow established procedures for fully and properly wiping phones and other personal devices prior to selling them.
  • Better yet, do not sell secondhand devices; destroy them instead.
  • Remove all external notes and stickers prior to releasing phones from your possession.
  • Contact us if you have any questions, comments, or concerns.


What data did we find?

We obtained virtually all of the data from 25% of the phones, including:

  • Browser histories
  • Sexually explicit photos and videos
  • Usernames and passwords to a wide range of services
  • Emails and text messages
  • Bank info and credit card numbers
  • Evidence of criminal activity
  • Identity theft victims' social security numbers and credit reports

Some of the phones we obtained had data from victims of identity theft. In that sense, the police auctions re-victimized these people by making their personal information available.

Recommendations for Users

  • Set up a PIN, pattern, or biometric login on your phone, and avoid the most commonly chosen PINs and patterns. Do not leave the phone with no lock screen at all, so that it unlocks just by being picked up.
  • Turn on "Find My" (iOS), "Find My Device" (Android), or an equivalent so that you can locate and remotely wipe your phone.
  • If your phone is stolen or lost:
    • Contact your local law enforcement to see if it was turned in to them
    • Remotely wipe your phone as soon as you are sure it is gone; the wipe only takes effect once the phone is powered on and connected, so issue it early
    • Change your passwords for any service you might have used from your phone
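The "low-effort adversary" in the results above is one who simply tries the handful of PINs people choose most often. To make that concrete, here is an added illustration (not code from the study or its authors) of the heuristics a lock-screen PIN should survive: membership in a short list of frequently chosen PINs, a single repeated digit, a digit run, a repeated half such as 1212, and four-digit values that look like a year or a MMDD birthday. The `COMMON_PINS` set is a constructed sample assembled from widely reported weak PINs; it is not the top-40 list used in the paper, and the 6-digit minimum is an assumed policy, not one the page states.

```python
"""Heuristic weak-PIN checker.

Added illustration for the "low-effort adversary" discussed on this page;
not code from the study. COMMON_PINS is a constructed sample of frequently
chosen PINs (assumption: based on public analyses of leaked PIN data), not
the paper's top-40 list.
"""

# Constructed sample of commonly chosen 4-digit PINs (assumption, see above).
COMMON_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
    "2222", "6969", "9999", "3333", "5555", "6666", "1122", "1313",
    "8888", "4321", "2001", "1010",
}

# Assumed policy: anything shorter than this is flagged regardless of content.
MIN_PIN_LENGTH = 6


def _is_run(pin: str, step: int) -> bool:
    """True if every digit differs from the previous one by exactly `step`."""
    return all(int(b) - int(a) == step for a, b in zip(pin, pin[1:]))


def weak_pin_reasons(pin: str) -> list[str]:
    """Return every heuristic the PIN trips; an empty list means none did."""
    if not pin.isdigit():
        return ["not all digits"]

    reasons = []
    if pin in COMMON_PINS:
        reasons.append("in common-PIN list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if _is_run(pin, 1) or _is_run(pin, -1):
        reasons.append("sequential digits")

    # Repeated half (1212, 123123); skip when all digits are already identical.
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:] and len(set(pin)) > 1:
        reasons.append("repeated half")

    if len(pin) == 4:
        value = int(pin)
        if 1900 <= value <= 2029:
            reasons.append("looks like a year")
        month, day = int(pin[:2]), int(pin[2:])
        if 1 <= month <= 12 and 1 <= day <= 31:
            reasons.append("looks like a MMDD date")

    if len(pin) < MIN_PIN_LENGTH:
        reasons.append(f"fewer than {MIN_PIN_LENGTH} digits")
    return reasons


def is_weak(pin: str) -> bool:
    """Convenience wrapper: True if any heuristic fires."""
    return bool(weak_pin_reasons(pin))


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ["1234", "0000", "1998", "7391", "123456", "735912"]:
        print(candidate, weak_pin_reasons(candidate))
```

The date and year checks matter because a PIN that is not on any top-N list can still be guessed by an adversary who knows the owner, which is exactly the situation when a phone is sold with the owner's documents and photos still on it.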

Who are we?

We are cybersecurity researchers from the University of Maryland. We would like to work with law enforcement to better understand why this loss of private information is happening and how best to mitigate it. Please feel free to contact us if you are willing to speak with us.

More information

For more information, including full details from our analysis of the phones, our methodology, and our disclosures, please see our paper: