Laptop Repair, Customer Beware

by bTrack3r2003

Throughout the course of laptop ownership, users eventually end up with a broken piece of equipment.

If you're lucky enough to be within your limited warranty, you may consider getting the computer repaired.  A select few companies offer in-home repairs (cough... Dell... cough), so, more likely than not, you end up neatly packaging up your precious piece of machinery (after wiping it of any incriminating information, of course) and shipping it off to the repair center.  This whole arrangement is both irritating and dangerous, because the online status tracking that comes with it can open a security hole exposing sensitive customer information to the public.

I made this discovery through my experience with ASUS laptop repair.

Several comfortable months away from the end of my warranty, my ASUS gaming laptop started acting up, so I promptly called the service center and opened a repair ticket.  After sending in my laptop, I was conveniently given a Return Merchandise Authorization (RMA) number to check my repair status.

Several days later, I navigated my browser to support.asus.com/repair/repairstatus.aspx.

Here I selected my country and was brought to a neat little online application.  I was prompted to enter my RMA number or phone number or serial number.

Normally, applications such as this require two credentials for authentication, but I continued on and checked my status, and found no activity on my ticket.

Unsatisfied with the lack of action on ASUS's part, I wondered whether other users shared my predicament.  I altered my RMA number by one value in the negative direction and, lo and behold, some schmuck from Idaho also had no activity.  On this page, the customer's name, six digits of the phone number ((NPA) NXX-XXXX), a large portion of the serial number, and the start date of the ticket were displayed.

This is where I started really exploring to see how much information ASUS was willing to hand out.

I continued to alter the RMA numbers to earlier and earlier dates until I finally found a completed ticket.  Along with pieces of information, a tracking number was given to allow users to see when their laptops would arrive.  With a quick jump to FedEx tracking I could see exactly where this user's laptop was headed, the expected day of arrival, as well as the weight of the package and other details.

The possibilities for exploitation here are endless.

An unethical person could scrape together enough information to perform some satisfying identity theft.  Or perhaps, knowing a delivery address and date, one could stake out the drop and snag a refurbished laptop.  Many of the FedEx forms that were marked delivered stated that no signature was given or that the package was "left at door."

In response to this major security hole, as well as breaches of data privacy statutes, I sent an anonymous letter to ASUS making them aware of their situation and recommending a two-credential authentication change as a solution to the problem.  It is a shame that I had to write to them anonymously, but the stigma against hackers is painfully illustrated here.  We must hide our creative and specialized work for fear of repercussions, while in the end (and beginning) we are only helping.  But I digress.
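The flaw described above is a textbook insecure direct object reference: the RMA number is both the ticket's sequential identifier and the only thing the page asks for, so decrementing it walks through other customers' records.  The following is an added example, not ASUS's code, showing the enumerable single-identifier lookup beside the two-credential design recommended in the letter.  The ticket store, the field names, the use of the phone number as the second credential, the per-client lockout, and the random identifier generator are all assumptions made for illustration.

```python
"""Sequential repair-ticket lookup (the weak design) beside a hardened version.

Added example; the ticket data below is constructed and the field names are
assumptions, not the real ASUS status page.
"""
import hmac
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample tickets. In the weak design the RMA number is the only key,
# and RMA numbers are issued sequentially.
TICKETS: Dict[int, dict] = {
    1000: {"name": "A. Example", "phone": "2085551234", "serial": "ABC123XYZ",
           "status": "Completed", "tracking": "123456789012"},
    1001: {"name": "B. Example", "phone": "2085555678", "serial": "DEF456UVW",
           "status": "No activity", "tracking": None},
    1002: {"name": "C. Example", "phone": "2085559012", "serial": "GHI789RST",
           "status": "No activity", "tracking": None},
}


def lookup_vulnerable(rma: int) -> Optional[dict]:
    """Weak design: anyone who holds (or guesses) a valid RMA gets the whole record."""
    return TICKETS.get(rma)


def enumerate_neighbors(start: int, steps: int) -> List[int]:
    """Walk the RMA space downward from a known number and collect every hit.

    This is the decrement-and-retry probing the article describes; with
    sequential identifiers almost every guess lands on a real ticket.
    """
    hits = []
    for rma in range(start, start - steps, -1):
        if lookup_vulnerable(rma) is not None:
            hits.append(rma)
    return hits


def mask_phone(phone: str) -> str:
    """Echo back only the last four digits, never the full number."""
    return "***-***-" + phone[-4:]


# Assumed per-client failure counter; a real deployment would back this with
# shared storage keyed on client address or session.
_ATTEMPTS: Dict[str, int] = defaultdict(int)
MAX_ATTEMPTS = 5


def lookup_hardened(rma: int, phone: str, client: str) -> Optional[dict]:
    """Hardened design: require a second credential tied to the ticket.

    - The phone number on file must match (constant-time compare).
    - A missing ticket and a wrong phone number are indistinguishable to the caller.
    - Repeated failures from one client are locked out, which blunts enumeration.
    - Only the fields the status page needs are returned, with the phone masked.
    """
    if _ATTEMPTS[client] >= MAX_ATTEMPTS:
        return None
    ticket = TICKETS.get(rma)
    # Compare against a dummy value when the ticket does not exist so that the
    # code path (and roughly the timing) is the same either way.
    expected = ticket["phone"] if ticket else "0" * 10
    matched = hmac.compare_digest(expected, phone)
    if ticket is None or not matched:
        _ATTEMPTS[client] += 1
        return None
    _ATTEMPTS[client] = 0
    return {"status": ticket["status"],
            "phone": mask_phone(ticket["phone"]),
            "tracking": ticket["tracking"]}


def new_rma_id() -> str:
    """Assumed complement to the second credential: issue non-sequential RMA
    identifiers so that neighbours cannot be found by adding or subtracting one."""
    return secrets.token_hex(8)


if __name__ == "__main__":
    print("enumerated from 1002:", enumerate_neighbors(1002, 3))
    print("weak lookup 1000:", lookup_vulnerable(1000))
    print("hardened, wrong phone:", lookup_hardened(1000, "0000000000", "probe"))
    print("hardened, right phone:", lookup_hardened(1000, "2085551234", "owner"))
    print("random RMA id:", new_rma_id())
```

The second credential only helps if it is something the page does not itself reveal; echoing six digits of the phone number, as the original page did, would hand a prober most of the answer.  The lockout and the random identifiers are there because a second credential alone still leaves a sequential keyspace to walk.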

Hopefully, by the time anyone sees this article, the solution will be implemented.

But there is the possibility that many companies who offer this same service will have the same kind of issue.  In the words of Turgon in his "The Geek Squad" article (25:2), "I am no whistle blower or disgruntled employee, but corporations like [ASUS] are reactionary.  They only act on behalf of customers or employees when they get in trouble.  When all other methods fail, I turn to the community!"
