Schneier on Security
A blog covering security and security technology.
April 18, 2012
Stolen Phone Database
This article talks about a database of stolen cell phone IDs that will be used to deny service. While I think this is a good idea, I don't know how much it would deter cell phone theft. As long as there are countries that don't implement blocking based on the IDs in the databases -- and surely there will always be -- there will be a market for stolen cell phones.
Plus, think of the possibilities for a denial-of-service attack. Can I report your cell phone as stolen and have it turned off? Surely no political party will think of doing that to the phones of all the leaders of a rival party the weekend before a major election.
Posted on April 18, 2012 at 6:49 AM
Funny, a system like this has been implemented for ages in Italy and many other countries of Europe to block stolen phones.
We've had this in the UK (and most of Europe I think) for ages. It is sufficiently valuable to be worth doing, but obviously isn't perfect. It reduces the effective price of a stolen mobile, and means that many people don't have the contacts to fence them. I seem to remember hearing that there were big hassles when it was introduced in India - lots of ultra-cheap Chinese made phones don't have unique IDs. As a result, this scheme effectively bans ultra cheap Chinese made phones. That won't be a significant issue in the US.
What about removing phones off such a list for legitimate reasons like a phone is actually lost but later found?
If such a mechanism exists, how long before the bad guys learn how to use this to their advantage?
A blacklist like this has been working for years in Chile. I don't know of any studies on how effective it has been, but surely there are fewer phones offered in the informal market (excluding peer-to-peer transactions). However, just like stolen cars, they seem to be exporting them to Bolivia and other neighboring countries.
When you report a stolen phone, how do you prove that you are the legitimate owner of the phone? Could someone else report your phone as stolen, and thus lock you out of your own phone?
Not unless they know the - well in the UK it would be the IMEI number, I don't know what it would be under this system but I see no good reason it wouldn't be functionally analogous.
This has existed in France too for years. People still get molested for their phones though, as iPhones still make for nice iPod Touches when they're forced off the GSM grid.
Interesting to see AT&T on this, when it's almost impossible to get them to disable a stolen phone. This service may not end the stolen phone market, but having to send the phone overseas to sell will be a major blow for most people.
Also, although this is implemented in EU, it really doesn't change much. First and foremost, although it's illegal, it's technically possible to change the IMEI number in most of the phones - and the more expensive the phone, the easier it is to do. Yes, this leads to duplicates, which will lead to GSM cells randomly dropping connections if the two devices are on the same network, but that's no concern to the fencer. Also, (at least in Poland), the only way to actually get your stolen phone on this list is to report theft through the police. I went through the procedure once - the IMEI I supplied was used to track the phone down (to a small village near the city where it got stolen) and that was the end of the case. The police neither did bother to check the lead further (as the phone was probably already sold) nor to actually file the request to disable the phone.
While working at a major EU&US telecoms operator ten years ago, I was told that the company didn't want to implement IMEI blacklists, as they reduced revenue. Stolen phones were usually associated with pre-pay accounts and high spend rates.
...and re IMEI changing: the same network had over 10,000 phones on the network with the IMEI set to a string of zeroes.
The problem with DBs like this is that they will almost certainly get used for other purposes.
For instance the "owner's" details need to be in the DB for the phone to be returned/reactivated.
Now think if an insurance company would be interested in those details?
Yup so there's a market for the information over and above that people think it will be used for.
Now have a think how the same info could be used in other ways to do with (supposed) Anti-terrorism / Anti-kidnapping anti-drugs.... or whatever the current political favourite to replace "think of the children" phrase is...
Do not worry, little consumers...
I'm sure they've built a nice, clear, hassle free procedure for getting your legitimate phone off of this list it was erroneously put into.
Just like there's a nice, clear, hassle free procedure for getting off of the no-fly list. Or even seeing if you're on it.
In fact, I'm sure they're sure there's no way any mistakes will be made, so there needn't be any avenue for correcting any such mistakes...
In what other country would they sell a stolen phone? Nearly every country where people have enough money to matter already implements such a database.
Here in Brazil it worked. The number of stolen phones decreased a lot after it was implemented, and continued to decrease as phone prices came down. The trend only changed recently, with the popularization of smartphones.
There seem to be a few points of opposition:
1. Ship to a country without a blacklist, sell there.
This change would still effectively reduce the value of stealing a phone. If I see someone with an iPhone to their ear I can just snatch it, run, put it on Craigslist and collect $80 later that day if I want. Quick and easy. If I need to ship it to Mexico then it's at least a week before I get paid, realistically, and I'll probably only get $40.
2. Abuse by fraudulently reporting a phone as stolen.
Someone could also just call up Vercinguprint and cancel my service. Oh, wait, they can't because they don't know my password or billing information or mother's maiden name? If I can't shut off someone's service with a simple phone call why could I successfully report the phone stolen?
3. Fraudulently reactivating service by claiming the phone was later found.
Same as with fraudulently shutting off service I don't see why anyone but the owner would be able to reactivate the phone.
I don't think this is as ripe for abuse as you think. Realistically, if someone could abuse this new system they'd already be abusing the current system.
The only problem I do see is that someone could sell a phone claiming that it's clean and then later report it stolen, screwing over the secondhand buyer.
I think the problem is that the different countries' DBs are not integrated. So if your phone is put in such a DB in one country, it can still be sold in another.
As with cars, I prefer the easy route...ugly. If you really want my tracfone you can have it. You must need it much more than I do.
Being able to blacklist IMEIs has been a required feature of GSM MSCs for ever (at least since release R97, the earliest I worked with), but no network we ever worked with had it turned on. As !self says, the problem isn't technology, it's the lack of cooperation across provider boundaries and general provider disinterest. After all, why should they care if your phone is stolen? They can always sell you a new one. Or phone insurance.
"No One" is right, the phone companies are at least capable (if they bother) of making abuse a non-problem -- at least for people who give their names and addresses when they subscribe. Of course, if you buy a prepaid handset at Longs or Radio Shack and it gets stolen, you're always going to be out of luck. That's the price you have to pay for anonymity.
If networks don't care that your phone is stolen, governments need to compel them to care.
On the other hand, it seems to me there's a better fix for the problem than a blacklist: Embed into phones a good, unbreakable password-lock mechanism (similar to that secure thumb drive Bruce told us about recently) so that NO ONE can use your phone without the password. (If I were designing the hardware I'd also let you set a "duress" password that works for an hour or two, then can't be used again.) This would also protect any sensitive/personal data you may keep on your phone or tablet or whatever they call the next toy.
I'd honestly rather accept the bother of reporting my phone stolen and having it blacklisted than the bother of having to type in a password whenever I want to access the thing.
My data's not that important - if it was I wouldn't be walking around with it on an unencrypted file in my pocket....
Wow, some of you like to make a mountain out of a mole hill.
A blacklist scheme has been operating for years here in Australia.
The only way to get a phone onto the blacklist is to be an account holder with one of the carriers, AND to have already had that phone on the carrier's system. (e.g subsidy/contract phones, purchased outright from carrier, prepaid).
The only way to get a phone off that list is through the reporting carrier.
The argument of "but they can still ship the phone to another country" is ignoring the fact that most phone thefts are opportunistic. Your average criminal just wants to cash it in asap.
Making the process more risky and difficult results in a devaluation of the stolen phone.
Sure, they can ship it to another country, but you need to do more work for that. Also, you have an entire carrier (Verizon) who have phones incompatible with almost every other network in the world. (CDMA)
I think the political party trick will work right up until the moment when people discover the value of prepaid cell phones. "Oh, Bob's phone is dead? OK, I'll call Bob's backup phone number." After a while they solve the problem the same way dope dealers solved it.
What a crock, Bruce needs to learn a little more about the topic before commenting.
The movement to have phones shut down based on "stolen phones" being identified is a red herring. What is wanted is a method to regulate / account for the cell phones being produced by Chinese "White brand" makers. Typically these phones do not ship with unique IMEIs. So the big phone makers, IP owners, think Nokia and Qualcomm, want a way to guarantee they get every penny they feel they are entitled to. Extending the concept of a national patent to an international patent is so bogus it is not worth commenting on BUT intentionally adding conventions that enable collection on these bogus patents IMHO borders on criminal malfeasance.
Why wouldn't this increase the threat of the attacker killing the owner of the expensive cellphone? If they are dead no reporting of the lost phone, right?
@R w P Talk about exaggerating.
1.) Murders are investigated and missing phone would be the first lead. The cops would have the phone buyer after the first call and then they would proceed to seller.
Too much risk, too little payout.
2.) Such blacklists are implemented in most western countries and abuses are rare. Mostly because the phone owner has to identify himself with id, password, contract or all of the above.
Yes, the attacker can falsify the above information, but if he is able to do so, he is able to do better crimes than steal phones. For instance, he could have already cancelled your insurance, contract with electricity company or whatever that will hurt you more than just a phone.
The company that should be blacklisting is Apple; not AT&T or Verizon. That would end the problem of moving to China or off the grid.
I agree with your points about cell phone thieves looking into making some quick money and that having to ship the phone to another country would reduce the appeal of theft.
On another hand in most countries around the world getting the phone, or a bunch of them, into another country is not as much of a hassle as it would be in Oz.
Besides that out of these countries we have quite a few that mainly utilize the GSM standard and, perhaps more importantly, in which the average wage is so low that the cell phone value in comparison is quite high (considerably better ratio than in Oz).
Wrong procedure just using the list to turn off phones.
Correct procedure: Report stolen phone to police. Police issue intercept request to telcos. Police use information provided by telcos (phone location, numbers called, voice mail etc.) to convict thief.
Yes, too complicated for the odd stolen phone but can be used to infiltrate professional criminal organisations.
@R w P: There are easier ways to make a buck than killing for a cell phone. They'd probably move onto purse and laptop snatching instead.
I love reading stuff like this. It makes me really glad that I've never owned a cellphone. Then again, there are so few of us left who know how to solve a problem by doing something other than shouting into your hand.
What is really interesting about this article is the reaction.
A bunch of commenters disliked the idea, and immediately raised a cloud of objections about why it was a terrible idea.
Apparently, they are all unaware that this scheme has already been implemented for years in many other regions of the world, including Australia, most of Europe and most of South America. And in all the places it was implemented, it worked extremely well, cost little, and none of the predicted dire consequences occurred.
So really, the posting tells us little about cellphone security; it tells us a great deal more about the way people reason and argue in blogspace.
Roger, excellent argument.
My contribution: now it seems there is a lot of software capable of changing the IMEI, so these blacklists are going to end soon.
I would like to know something about the actual implementation of this IMEI and how it was possible to circumvent it, but difficult to find any info for the moment.
Please, Sir, I am interested in this discussion and my phone just got stolen as at June 12, and I don't have the IME Nob.
Also, how can I get it or track the phone back? I am in Nigeria.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.