Verizon customer says refurbished phone was remotely wiped via MDM
Ars Technica reports Verizon admitted it sent a customer a demo phone enrolled in its mobile device management system.
By James Whitfield · Staff Writer
Verizon acknowledged to the Federal Communications Commission that it mistakenly sent a customer a store demonstration phone still enrolled in Verizon’s mobile device management system, according to documents reported by Ars Technica. The case raises privacy and data-loss concerns because the customer says the phone was later reset remotely, wiping personal information.
Tom Collery, a San Francisco Verizon customer, told Ars Technica he contacted the carrier in February about dropped calls and other network problems. Verizon sent him a replacement Samsung Galaxy Z Flip7 that was supposed to function as a customer device, but Collery said it later showed signs that it was controlled through an enterprise management profile.
After using the replacement for about two weeks, Collery said, the phone began restarting and installing security updates repeatedly. It then returned to a factory-reset state, and when he tried to sign in to Google and Samsung accounts, the device told him to contact an IT administrator, according to his account cited by Ars Technica.
The phone displayed messages saying it was managed, owned by Verizon and protected with BricTECH, a system used for Android device management, Ars Technica reported. Mobile device management tools are commonly used by companies to administer employee or demo phones, including the ability to push commands to devices.
In an April 2 letter to the FCC, Verizon’s executive relations department said Collery had received a device later identified as a demo phone with an MDM registration connected to Verizon. The company called the incident a procedural lapse and said it had been referred for an internal investigation, according to Ars Technica.
Verizon told Ars Technica only that it was aware of Collery’s concern and was working with him directly. The company did not answer detailed questions from Ars Technica about how the phone reached a customer or what steps it would take to prevent a repeat.
Collery told Ars Technica he lost contacts, messages, photos, videos and documents, including some health-care work information and personal family media. He said backups to his Google and Samsung accounts were not as current as he had believed.
Verizon provided Collery with more than $400 in credits and a second refurbished phone that did not have the MDM profile, according to Ars Technica. The company also let him keep the managed phone, which Collery said he wanted as evidence.
Cooper Quintin, a senior technologist at the Electronic Frontier Foundation, told Ars Technica the episode should prompt scrutiny of Verizon’s refurbishment process. Quintin said a properly refurbished phone should be reset to a like-new state, and that the failure to remove an MDM profile raises questions about whether other used devices could retain data or controls from prior use.
Verizon’s FCC letter said certified replacement devices come directly from the manufacturer and are meant to meet strict quality standards, Ars Technica reported. The letter also said the carrier considered the matter resolved after compensation had been issued.
Collery has not accepted that conclusion. Ars Technica reported that he asked Verizon for records showing what data the MDM software may have collected and what commands were sent to the phone. A Verizon executive relations representative told him in a May 12 email that the company would need a legal order to provide MDM details, according to Ars Technica.
Collery told Ars Technica he has made a data request under the California Consumer Privacy Act, submitted a notice of dispute to Verizon and is weighing arbitration or small claims court. He also said the network problems that led him to seek help from Verizon remained unresolved after the replacement phones.
This story draws on original reporting from Ars Technica.