Screaming Cell Phones

Cell phone security:

Does it pay to scream if your cell phone is stolen? Synchronica, a mobile device management company, thinks so. If you use the company's Mobile Manager service and your handset is stolen, the company, once contacted, will remotely lockdown your phone, erase all its data and trigger it to emit a blood-curdling scream to scare the bejesus out of the thief.

The general category of this sort of security countermeasure is "benefit denial." It's like those dye tags on expensive clothing; if you shoplift the clothing and try to remove the tag, dye spills all over the clothes and makes them unwearable. The effectiveness of this kind of thing relies on the thief knowing that the security measure is there, or is reasonably likely to be there. It's an effective shoplifting deterrent; my guess is that it will be less effective against cell phone thieves.

Remotely erasing data on stolen cell phones is a good idea regardless, though. And since cell phones are far more often lost than stolen, how about the phone calmly announcing that it is lost and it would like to be returned to its owner?

Posted on September 21, 2006 at 12:12 PM • 42 Comments

Comments

McGavinSeptember 21, 2006 12:41 PM

Car thieves know that car alarms are installed, but it doesn't deter them.

Yes, I know phones are different. Even if every phone thief knew about the "scream service", there is still a window of opportunity where the phone could be used, hacked, sold, or stripped.

TanukiSeptember 21, 2006 12:52 PM

I don't see the point of this service: here in Europe it's easy to record your mobile phone's IMEI code - then if your phone gets stolen pass the IMEI to the phone companies so they can deactivate the phone/prevent it being reactivated with a new SIM-card.

[Think of it as your phone number being an IP address and the IMEI being like a MAC-address for a phone; having the IMEI blocked prevents a new IP-address from being bound to that MAC-address]

Nato WelchSeptember 21, 2006 12:54 PM

I would tend to be more concerned that my mobile phone carrier has the ability to remotely erase all my data. Wouldn't this open up the risk of someone else claiming my phone was stolen, leading them to zap my phone?

Granted, they already have the ability to disable my phone service. But I'd actually be more comfortable handing my phone and its data to a random thief than to my wireless carrier and, by extension, anyone with a personal grudge against me, or identity thieves.

stacySeptember 21, 2006 12:59 PM

Lock down the phone, good idea; erase all the data, brilliant; trigger it to emit a blood-curdling scream, I can see the lawsuit now. Phone is lost in the back seat of a taxi, blood-curdling scream causes taxi driver to lose control of the taxi and crash into a minivan killing a pregnant woman and her four small children. Good plan! Where do I sign up?

Israel TorresSeptember 21, 2006 1:04 PM

1. Just because the data has been erased doesn't mean it isn't retrievable (still something is better than nothing).

2. Just like users that lock their own keys in their cars users make mistakes. Hopefully they are backing up their data locally in case they ever accidentally "lockdown" their phone. It would be less "secure" if the company was backing up the data for them I would think.

3. If the phone is purposefully stolen (it would have to be able to detect this) then you can just have it incinerate itself - woe is the thief.

(Xplode-A-Phone Technologies (c) would be best doing business somewhere offshore)

Israel Torres

Marc A. PelletierSeptember 21, 2006 1:04 PM

Quoth the cellphone:

"I'm lost. Will you find my mommy?"

In a convincing toddler voice, of course. :-)

I like that.

-- Marc A. Pelletier

dkSeptember 21, 2006 1:43 PM

Re auto alarms do not work:

In my insurance jurisdiction (BC), the most stolen cars are all older (before the introduction of factory installed alarms and immobilizers). Late model cars just do not make it into the top ten list. From a statistical point of view, auto alarms are very effective.

derfSeptember 21, 2006 1:46 PM

The following is not an actual recording of a live conversation with On-Star, but it could be...

"Hello? Phone company? This is Bruce Schneier. My cell phone has been stolen. Could you please erase all of the data on it? Yeah, and could you have it do that blood-curdling scream thing? Since Bruce is on live TV now...err...I mean...uhh...the thief should be close, so I may be able to hear where he went with it. Thanks!"

CatonicSeptember 21, 2006 1:56 PM

I want a piece of thermite installed in my cell phone that can be ignited by SMS message.

Bruce SchneierSeptember 21, 2006 2:09 PM

"I would tend to be more concerned that my mobile phone carrier has the ability to remotely erase all my data. Wouldn't this open up the risk of someone else claiming my phone was stolen, leading them to zap my phone?"

Backup your data.

You should be doing that anyway.

swiss connectionSeptember 21, 2006 2:40 PM

A friend of mine programs all cell phones he can get his hands on with the welcome message:

"You are not authorized"

It causes some strange looks on cell phone owner's faces.

Lourens VeenSeptember 21, 2006 2:42 PM

Even so, it's a potential DOS attack. Unless you know all your friends' phone numbers by heart, or carry around that backup in an accessible form at all times.

Richard BraakmanSeptember 21, 2006 2:53 PM

Cellphones can also break if you drop them, which is something I learned in the usual way. It's important to have the most important numbers available in some other way as well, if you're going to rely on them. For example, when I travel, I always have some contact numbers written down on a piece of paper that I keep with my tickets and passport.

paulSeptember 21, 2006 2:56 PM

I think a "please return me to my owner" thing would be nice, but since (ostensibly) carriers can track phones to within a few dozen meters, it might make more sense to delay the blood-curdling scream until the appropriate private or public authorities are within earshot.

(Meanwhile, yeah, the chances that this could be horribly horribly hacked seem enormous.)

somebodySeptember 21, 2006 3:06 PM

@Tanuki:
IMEI's can be easily changed, as they are mostly stored on the writable Flash Memory.

And, there is an easy Anti-Scream Hack: Take out the battery...

FredSeptember 21, 2006 3:45 PM

First, the "scream" can be disabled by disconnecting the speaker. Second, the entire process can be negated (or delayed) by either turning off the cell phone, or placing it in a Faraday cage. Of course, unless the physical phone and/or the data on the phone was the theif's target, these alone still don't buy them very much.

Pat CahalanSeptember 21, 2006 5:36 PM

@ derf

Don't mess with Bruce Schneier, he'll roundhouse kick you in the private key and you'll lose the ability to log in, ever, anywhere.

another_bruceSeptember 21, 2006 5:53 PM

i think phone owners should be able customize their own screams/loud messages in this instance.
fortissimo "i'm gay and i have a bomb!"

Mr GrumpySeptember 21, 2006 6:08 PM

My mobile phone policy:
1) Keep it turned off except when I want to use it or am expecting an important call.
2) It's a phone, not a camera, organiser, web browser, games or other gizmo.
3) The phone is there to enable me to call other people when I want. Nothing else.
4) I don't really care if I lose my phone because I don't store important data on it.
5) If I'm not driving, and I don't need to be in contact for work, the mobile stays at home (off).
6) Technology is for my convenience, not the other way around.
How did we ever get by before mobile phones?

I accept that (say) a journalist might really night one these electronic tags. For those who must carry a phone all the time and take important information in through the phone, I suggest that a bit of research to identify the system with best security should be a priority. Those unfortunate souls who have to wear these electronic shackles should also pay attention to Bruce's comment about data backup.

Bah humbug!

BriceSeptember 21, 2006 6:34 PM

Am I the only person that really wants to install this on my friends phone, then set it off at 2 am? :)

Mace SowellSeptember 22, 2006 1:14 AM

How about the phone automatically calling several numbers (chosen by the original owner) with a recorded message from the owner about where to contact him regarding the stolen phone. If it's internet capable it should send mail out to people, post a message to important places, include gps information on where it is at the moment, etc. sort of like:

http://en.wikipedia.org/wiki/Dead_man's_switch

Here's a program for Windows I found years ago which has the right idea:

Dead Man's Switch (free to download/use)
http://pcworld.com/downloads/file/fid,23183-order,1-page,1-c,alldownloads/description.html

"We use our computers for almost every aspect of our lives; shouldn't they help smooth our passing as well? Dead Man's Switch can protect or pass on your data and inform key persons of your untimely demise. You can set Dead Man's Switch to perform a number of tasks if you don't log on to your computer for a specified period of time. It can send out e-mail, encrypt or delete files, and post to web sites.

Remember to reset the time allowed on the switch before you leave on vacation. You don't want to scare anybody."

Something similar could (and really should) be made into a standard in cell phones, at the very least as an option, one you shouldn't have to pay extra for!

Mace SowellSeptember 22, 2006 1:16 AM

How about the phone automatically calling several numbers (chosen by the original owner) with a recorded message from the owner about where to contact him regarding the stolen phone. If it's internet capable it should send mail out to people, post a message to important places, include gps information on where it is at the moment, etc. sort of like:

http://en.wikipedia.org/wiki/Dead_man's_switch

Here's a program for Windows I found years ago which has the right idea:

Dead Man's Switch (free to download/use)
http://pcworld.com/downloads/file/fid,23183-order,1-page,1-c,alldownloads/description.html

"We use our computers for almost every aspect of our lives; shouldn't they help smooth our passing as well? Dead Man's Switch can protect or pass on your data and inform key persons of your untimely demise. You can set Dead Man's Switch to perform a number of tasks if you don't log on to your computer for a specified period of time. It can send out e-mail, encrypt or delete files, and post to web sites.

Remember to reset the time allowed on the switch before you leave on vacation. You don't want to scare anybody."

Something similar could (and really should) be made into a standard in cell phones, at the very least as an option, one you shouldn't have to pay extra for!

I like ice cream and the sound of seals barking in Latin.

MerijnSeptember 22, 2006 4:07 AM

The Dutch police has a similar system, which seems much more effective: the SMS bomb.

Once a phone is reported as stolen, the police gets the phone company to send SMS messages every few minutes saying "This device has been stolen. Purchase or sale is an offence - the police"

A prospective buyer can now simply demand that the phone be turned on for five minutes. If the phone was stolen, one of those messages will come in during that time.

http://www.theregister.co.uk/2001/03/28/police_in_mobile_phone_theft/

John MooreSeptember 22, 2006 5:49 AM

That last sentence reminds me of the gag in Red Dwarf with the AI robotic luggage rolling around a hotel lobby telling people that it lost its human and asking if they've seen him.

wmSeptember 22, 2006 6:40 AM

@Tanuki: "if your phone gets stolen pass the IMEI to the phone companies so they can deactivate the phone"

This deterrent is, unfortunately, only partially effective. Apparently the more enterprising thieves ship blocked phones abroad to some country whose mobile phone service providers don't bother deactivating stolen phones[1].

Still, even if it only deters the less enterprising thieves[2], that's better than nothing.

-----
[1] From the service provider's perspective, every phone stolen is another phone sold (when the original owner replaces it, either with their own money or the insurance company's). So discouraging theft isn't too high on their list of priorities if they can get away with not doing it.
[2] Less enterprising thieves, that is, who don't know a more enterprising thief to sell the phone on to...

PaeniteoSeptember 22, 2006 7:40 AM

@wm: "[1] From the service provider's perspective, every phone stolen is another phone sold (when the original owner replaces it, either with their own money or the insurance company's)."

Even worse: Every phone - stolen or not - creates revenue for them when used in their network.
Just because someone is a thief, he may very well pay his phone bill, so why block him?

Bruce would say that the costs of cellphone-theft are "externalities" to the provider.

another_grumpySeptember 22, 2006 8:38 AM

@Lourens Veen
> Unless you know all your friends' phone numbers by heart, ...

I know BOTH my friends' phone numbers by heart.

Mr Grumpy above in his 6 points has captured my thoughts on cell phones perfectly.

Mr PondSeptember 22, 2006 8:44 AM

Having had some experience of this, the "screaming phone" concept, as a denial-of-benefit" attack, would probably be quite effective in the vast majority of cases, particularly where opportunist phone snatching is concerned.

AnonymousSeptember 22, 2006 2:57 PM

@i3e:

"Passengers are using cellphones, on the average, at least once per flight, contrary to FCC and FAA regulations, and sometimes during the especially critical flight phases of takeoff and landing."

The report concludes from this that cellphone use is a significant risk. Which I find strange, since I would conclude the opposite.

In any case, if aircraft are vulnerable to such emissions, then that's a security flaw that needs to be patched. Surely it won't cost that much to harden those electronics a bit. At least, it won't cost that much compared to the money that's squandered on security theater these days.

We wouldn't want Tim the Terrorist to use his Nintendo DS to steer the airplane into a building, now would we?

[artificial hyperbole added for flavoring]

cell_numSeptember 22, 2006 3:26 PM

Catonic: I want a piece of thermite installed in my cell phone

You've already got it: the rechargable battery...

Paddy McGSeptember 25, 2006 7:13 AM

Similar theory applied to car alarms, in Phoenix Nights. Max the Bouncer has installed a device with a customisable recording, tailored to say "Get back, y'bastard, or I'll break your legs".

Most amusing!

mikeSeptember 28, 2006 5:10 AM

The phone is only a device. If it starts screaming, take the battery out.

Still doesn't stop you from taking out the sim (identity theft).

Is the data more important on it, or the stupid phone itself? Many smartphones (including mine) have corporate email, attachments, calendars, and contact details on there...

AnonymousOctober 3, 2006 10:31 AM

I really think that this new system might actually work! Though there may be some flaws or some who try to do whatever they can think of just to tap into the database of the phone that the stole,it will still be a new way to just maybe slow down the amount of cell phones reported stolen. We all need some type of change in order to be able to do something about how this world just so happens to handle things.

UmaOctober 8, 2006 10:58 AM

It's a great way let theifs know that they have a greater chance on getting caught, but there are also many flauds in this system.

1. What if the cellphone is stole without the owner realizing it, the thief could just remove the battery and go to it's home lock all the doors and windows and open the phone.

2. What if the cellphone was not stole you just call you phone so you can annoy anyone?

Sudgest the following for the better result of this service (my opinion)

1. Have the screeming cellphone have another power source inside the phone so that even the phone's battery is removed the cellphone would still attract many people for a LONGER time. ( the provider should contact the manufactures of phones for this one)

2. Or even have a Global Positioning device inside the phone so that you know where the thief is.

3. If all else fails I would really recomend this in my home country philippines. Once that phone is called by the service provider the phone will be DEAD. no way to re-install the software, in short making the phone USELESS. By this way not only thiefs are no longer hot for cellphones but also Gray units, 2nd hand cellphone, WIDE illegal deals of cellphones and Recondition cellphones are to be stoped. Yes it will waste millions or billions of pesos, but with the crime rate going down and more business will be declared in the goverment, taxes are collected more. It's like solving 2 problems at one move.

Dr BOctober 16, 2006 5:27 AM

All the stories I've been able to find say that, once the self-destruct message has been sent, the phone screams if the thief tries to change the SIM. But what if the thief removes the SIM *before* the victim can report the phone stolen? Can the self-destruct instruction still be addressed to the phone if the SIM has already been changed? Does anyone know?

If the thief can avoid the self-destruct message just by removing the SIM as soon as he's stolen the phone, that's a very easy way for him to get around the protection and maintain the phone's resale value.

abc03833January 1, 2012 7:24 PM

That's why I use iCloud for my iOS devices.
Step 1. Log on to www.icloud.com and click, find my iPhone.
2. Find the correct device on the map.
3. If stolen, turn on the passcode lock. (if not stolen and you just misplaced it around the house, skip to step 4.)
4. Enable play a sound and display message. The message could look like this:
Attention: This phone is propperty of John Doe.
If found, please cal (555) 555-5555
(the sound is NOT a blood-curdling scream)
5. If all else fails and you are sure that the guy with your phone wants your data, you can remote wipe your device.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..