Buying a used smartphone could put you at risk — here’s why

Many people sell and buy second-hand mobile phones as a way to make and save money, but what they may not realize is that this practice creates a major security risk.

An estimated three in 10 pre-owned smartphones sold in the United Kingdom could be vulnerable to hackers, a new study by U.K. consumer-watchdog group Which? finds, because the phones are too old to receive crucial security updates from manufacturers. 

“Consumers who want to make a sustainable choice or who don’t want to pay the steep price of many modern premium mobile phones may want to choose a pre-owned, refurbished version instead,” said Which? in a media release.

“Keeping devices in circulation in this way helps the environment, but with some phones losing important update support after a little over two years, this leaves future owners potentially using unsecure devices.”

Selling unsecure phones

In its investigation, Which? looked at pre-owned mobile phones that were being sold online via second-hand retailers in the U.K. such as CeX, Music Magpie and SmartFoneStore.

Of the three companies, CeX was found to have the greatest percentage of secondhand smartphones, with 31% of handsets in its online inventory ineligible for security updates from technology companies. (Unlike the other two outlets, CeX has brick-and-mortar stores as well as a website.)

Music Magpie came second, with 20% of its secondhand phones not supported by security updates. Only 17% for SmartFoneStore’s inventory was out of date.

Which? warned that all three firms “were reselling mobile phones that, unknown to customers, are vulnerable to hackers because manufacturers can stop providing vital security updates after a couple of years.”

The study noted that the Apple iPhone 5, Google Pixel XL, Huawei P10, Samsung A8 Plus and the Samsung Galaxy S7 were among the secondhand devices being sold, even though all were past the date that they would receive any further security updates. 

Clamping down

Since its investigation, said Which?, two of the used-phone retailers in question have taken steps to clamp down on the sale of insecure secondhand mobile devices. 

“In response to the Which? investigation, Music Magpie has removed the unsupported devices Which? found from sale,” said the Which? press release. “It also says that going forward, it will provide information to consumers if a product is no longer receiving security updates.”

“SmartFoneStore also issued an update, adding a warning on unsupported devices so consumers are aware before they buy them,” said Which?

However, it added, “CeX did not provide a comment.”

Jake Moore, a security specialist at ESET, told Tom’s Guide: “These devices will often work well or even perfectly on the surface, but with the right knowledge, hackers can cleverly make use of software vulnerabilities that have never been patched to target their victims with all sorts of attacks such as keylogging to steal passwords.

“Buyers must be reminded to check which operating systems are currently supported on each device before purchasing any phone as most models will only usually have a few years’ shelf life before an upgrade is due to hardware security patches.”