Schneier on Security
A blog covering security and security technology.
June 28, 2013
Preventing Cell Phone Theft through Benefit Denial
Adding a remote kill switch to cell phones would deter theft.
Here we can see how the rise of the surveillance state permeates everything about computer security. On the face of it, this is a good idea. Assuming it works -- that 1) it's not possible for thieves to resurrect phones in order to resell them, and 2) it's not possible to turn this system into a denial-of-service attack tool -- it would deter crime. The general category of security is "benefit denial," like ink tags attached to garments in retail stores and car radios that no longer function if removed. But given what we now know, do we trust that the government wouldn't abuse this system and kill phones for other reasons? Do we trust that media companies won't kill phones they decide are sharing copyrighted material? Do we trust that phone companies won't kill phones of delinquent customers? What might have been a straightforward security system becomes a dangerous tool of control when you don't trust those in power.
Apple is adding this on-their-own: a user can lock their device so it can't be reactivated without their login, and (possibly) keep find-my-iphone working even after a phone wipe.
Here in the EU (or at least most of it) you can already get phones remotely disabled (at least the GSM part) if you report it to the police and provide the IMEI serial number.
@: "1) it's not possible for thieves to resurrect phones in order to resell them"
I don't think this one is a must. It's also possible to remove the ink tags from clothing, but that doesn't render them useless as a deterrent measure. It is about reducing the risk, not eliminating it.
@: "2) that it's not possible to turn this system into a denial-of-service attack tool"
A bit scary, but I think it may not be as bad as it sounds. People can already lock various accounts to deny service illegitimately, kill internet service if someone is suspected of piracy, etc. So this threat is nothing new, it's just a bit evolved. I'm sure there would be widespread backlash if it happened too often in an unauthorized manner.
I guess the question to be asked is which risk do we prefer.
They can't seem to cut off the non-prepaid plans when they go over the limits, e.g. roaming too near Canada or Mexico, or the phone gets stolen resulting in $10k phone bills (in "emergencies", a call to customer service with lots of identifying data to remove the cap). That would be a change that would benefit consumers too, but won't happen.
Right now stolen phones can't be reactivated (in the USA) - but you can theoretically use the wifi - but aren't there "wheres my phone" capabilities?
Why can't we design a system where each phone ships with a cryptographic key or activation code that is required to activate an anti-theft kill switch? The end user of the phone is given the only copy of the key when buying a new phone. If the phone is stolen, they can give the key to the carrier to transmit and activate the kill switch. Otherwise no one but the owner has the key and it can't be abused.
Worst case scenario, the user is careless and tosses the key along with the manual and packaging. The only negative consequence of this is the thief gets a working phone, same as we have now.
There seems to be a difference between a "kill switch" and what I've heard described, which is more of an IMEI blacklist. Since it's pretty clear who the legitimate (initial) purchaser of a phone is, at least by account in the case of a prepaid, having a registry of IMEIs reported stolen shouldn't pose an objectionable security threat as long as the providers have appropriate incentives to restore service if phones are recovered. That approach isn't a "kill", it's admission control.
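The distinction drawn in the comment above, admission control at network attach versus a kill on the handset, as an added example (mine, not the page's and not any carrier's code). A handset reported stolen is refused when it tries to attach; when the reporting account says it was recovered, the entry is cleared and service simply returns, because nothing on the handset was ever changed. The registry API, the account names and the sample IMEIs are constructed for illustration; the Luhn check digit is the standard IMEI scheme (14-digit body plus one check digit).

```python
"""Added example: an IMEI blacklist as network-side admission control.
Hypothetical registry and API; sample IMEIs are constructed."""
from typing import Dict


def luhn_valid(imei: str) -> bool:
    """IMEI = 14-digit body + 1 Luhn check digit; rejects anything malformed."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class StolenRegistry:
    """Carrier-side list of IMEIs reported stolen, keyed by the 14-digit body."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}   # imei body -> account that reported it

    @staticmethod
    def _body(imei: str) -> str:
        return imei[:14]

    def report_stolen(self, imei: str, account: str) -> None:
        if not luhn_valid(imei):
            raise ValueError("malformed IMEI")
        self._entries[self._body(imei)] = account

    def report_recovered(self, imei: str, account: str) -> bool:
        """Only the account that reported the theft can clear it (restores service)."""
        body = self._body(imei)
        if self._entries.get(body) == account:
            del self._entries[body]
            return True
        return False

    def attach(self, claimed_imei: str) -> str:
        """Admission decision at network attach; the IMEI is whatever the handset claims."""
        if not luhn_valid(claimed_imei):
            return "reject: malformed IMEI"
        if self._body(claimed_imei) in self._entries:
            return "reject: reported stolen"
        return "admit"


def demo() -> Dict[str, object]:
    """Report, refuse, recover, restore; plus the reflashed-IMEI caveat."""
    reg = StolenRegistry()
    stolen = "490154203237518"                       # constructed, Luhn-valid
    reg.report_stolen(stolen, "account-1234")
    out: Dict[str, object] = {}
    out["stolen_attach"] = reg.attach(stolen)
    out["other_account_clear"] = reg.report_recovered(stolen, "account-9999")
    # Caveat several commenters raise: the IMEI is self-reported, so a handset
    # reflashed to claim a different valid IMEI walks straight through.
    out["reflashed_attach"] = reg.attach("356938035643809")   # constructed
    out["owner_clear"] = reg.report_recovered(stolen, "account-1234")
    out["recovered_attach"] = reg.attach(stolen)
    out["bad_check_digit"] = reg.attach("490154203237510")
    return out
```

The point of the shape is that there is no command sent to the phone at all: the decision is made by the network, and undoing it is a registry change rather than an un-brick operation. The flip side, shown in the demo, is that the check is only as good as the identifier the handset presents.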
@Christopher Smith: There seems to be a difference between a "kill switch" and what I've heard described, which is more of an IMEI blacklist.
Very good point.
To be fair, I think the term "kill switch" is fine for casual use, because it is more commonly understood than blacklist. May not be completely accurate, but casually people have a general understanding.
It's like "identity theft." Identities aren't stolen, they are impersonated. But casually, most understand what it means well enough for discussion's sake.
@Nicholas Weaver - but it's only a deterrent if it applies to all iPhones, is always used and all thieves know about it.
You need it to be common knowledge among thieves that a stolen iPhone is worthless, or at least only worth a small amount for parts
This is why I don't want a kill switch on my car. I don't want one that can be effected while a car is in motion, either, even if it means that cops could turn off a car they're chasing - the car then becomes an unguided missile, and that's just a bad idea. Sorry, kids, *I* get to decide if my car gets turned off or not.
But, honestly, in terms of a cellphone, if you report it stolen, it should become a brick. Not even you should be able to re-activate it. Phone providers become complicit in the theft if they re-activate a stolen phone under a new number, IMO.
I like the "Where's my phone?" apps that are available. There are some great stories of phone recovery out there. But I don't like the implications for tracking movements of innocent people - not even the implications for knowing if my son went straight home after school or detoured through Dairy Queen. The possibilities for abuse are just mind-boggling.
iPhone and Android-based phone thefts are a huge issue in my neighborhood. At a local safety meeting, the police stated that a large portion (likely over half) of the phones were destined to locations outside the US. That said, I'm not sure how valuable a carrier-based blacklist system would be.
@Q: If stolen phones are transported outside the US, there's probably no way to reliably invoke a nasty-type carrier-mediated kill switch anyway, and I don't think any other infrastructure is feasible as a default setup (though of course those rootkit-type user-installed antitheft systems might work).
It won't prevent theft. It might prevent phone theft. But thieves are still thieves and will steal something else. Thieves might even get angry and beat the victim when they find out the victim has a phone that could be bricked. Push a balloon in one place and it pops out another.
Telecoms will solely use this kill switch to disable phones that are unlocked or if the SIM is switched to another carrier. You can already add remote (and not very secure) kill switches to Android phones for free if you wanted.
This won't stop phone theft either, because the thief can just put the device in a makeshift Faraday cage or turn on airplane mode, then image the drive and either steal data, reflash a new system.img, or change the IMEI with cheap Russian software like the Z3 IMEI changer.
Police here where I live are ramping up the fear about cellphone theft. I suspect it's a prelude for a kill switch and other backdoors that are really for spying.
If they really wanted to prevent phone theft they would demand carriers sell fully encrypted phones and bootloaders that can only be accessed by a key the customer generates. That will never happen because then they can't spy.
If they can kill it, I wonder if they can use the same principle to resurrect it? Not sure which is scarier. One makes your phone inoperable, the other makes it operable when you don't want to.
I'd only use such a kill switch if I controlled both ends of it. I'm not sure how that'd work. Perhaps having it try to contact a server I run every hour and only nuke itself if it gets back an answer saying "nuke yourself." I'd rather not accidentally DoS my own phone!
Or possibly write/run an app that nukes the phone if it gets an SMS with data, but again, that could accidentally be triggered..
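Two proposals in this thread, a key handed only to the buyer at purchase and a kill switch the owner controls at both ends that ignores anything it cannot authenticate, combined into one added example (mine, not the page's and not any vendor's protocol). `issue_kill` is the owner's side, `Handset.receive` the phone's side; the carrier in between is just an untrusted relay. The message layout, the `MAX_AGE_SECONDS` window, the HMAC construction and the sample IMEIs are all assumptions made for the example. The checks are ordered so that a forged, misdirected, stale or replayed command is rejected rather than bricking the phone, which is the accidental-DoS worry in the comment above and the spoofed-kill-request worry raised further down the thread.

```python
"""Added example: owner-authorised kill switch with replay protection.
Hypothetical design; key, message format and IMEIs are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

MAX_AGE_SECONDS = 300  # a captured command cannot be replayed after this window


def canonical(body: Dict) -> bytes:
    """Deterministic encoding so owner and handset authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_kill(owner_key: bytes, imei: str, now: Optional[float] = None) -> Dict:
    """Owner side: build a kill command and authenticate it under the owner's key."""
    body = {
        "imei": imei,                    # binds the command to one handset
        "cmd": "kill",
        "issued": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),  # makes every command unique
    }
    tag = hmac.new(owner_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Handset:
    """Device side: holds the owner's key, provisioned once at sale."""

    def __init__(self, imei: str, owner_key: bytes) -> None:
        self.imei = imei
        self._owner_key = owner_key
        self._seen_nonces: set = set()
        self.killed = False

    def receive(self, msg: Dict, now: Optional[float] = None) -> str:
        """Verdict on a command relayed by the carrier; the phone wipes only on accept."""
        now = now if now is not None else time.time()
        body = msg.get("body", {})
        tag = msg.get("tag", "")
        expected = hmac.new(self._owner_key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authenticator"       # forged by carrier or attacker
        if body.get("cmd") != "kill" or body.get("imei") != self.imei:
            return "rejected: not a kill for this handset"
        issued = body.get("issued")
        if not isinstance(issued, (int, float)) or abs(now - issued) > MAX_AGE_SECONDS:
            return "rejected: stale command"           # an old captured command
        nonce = body.get("nonce")
        if not nonce:
            return "rejected: missing nonce"
        if nonce in self._seen_nonces:
            return "rejected: replayed command"
        self._seen_nonces.add(nonce)
        self.killed = True
        return "accepted: wiped and locked"


def demo() -> Dict[str, str]:
    """Walk the failure modes the thread worries about, then the genuine case."""
    owner_key = secrets.token_bytes(32)                 # given to the buyer, nobody else
    phone = Handset("490154203237518", owner_key)       # constructed sample IMEI
    genuine = issue_kill(owner_key, phone.imei)
    results = {
        "forged": phone.receive(issue_kill(secrets.token_bytes(32), phone.imei)),
        "wrong_phone": phone.receive(issue_kill(owner_key, "356938035643809")),
        "stale": phone.receive(issue_kill(owner_key, phone.imei, now=time.time() - 3600)),
        "genuine": phone.receive(genuine),
        "replay": phone.receive(genuine),
    }
    results["killed"] = str(phone.killed)
    return results
```

With a symmetric key the handset holds a copy, so someone who extracts it from a phone can only kill that same phone, which they already hold. Moving to a signature scheme, with the private key living only with the owner, removes even that and is the natural next step; the checks on handset identity, age and nonce stay exactly as above.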
--That's what I was thinking, aluminum foil or a jammer. Take the battery out quick, sit on it for like a year. It'll still be worth like $100.
Yet we have this social problem of theft that means that people probably can't find decent work and are getting desperate; that will continue to exist. And we just get more control and tracking (at the hardware level!!), as if we don't have enough.
I'd be willing to bet a lot of the theft comes from people being careless and leaving their phone out, not from actual stickups. I've certainly had the opportunity to steal at least 5 phones w/ practically no risk.
Such a trustful world, eh Bruce? Makes me want to live in a cave.
The phone theft that goes on here according to carriers and cops is snatch and grabs usually on public transit by drug addicts. They also grab off patios and people waiting in line. Enabling a remote kill switch is totally useless.
The junkies hand the phone off to various organized crew members on the street who ensure airplane mode is on, stay awake is enabled to prevent screen lock (though can be easily bypassed, most only allow PINs), and either drop it in a stainless steel martini shaker for a good makeshift faraday cage or a proper cage bag they bought off the internet. They pay 1/4 if that of the value of the phone to the drug addict then take it back to a stash house somewhere that has a makeshift faraday caged room.
They siphon the data with carded forensic software or freely available other methods and tools, determine if anything is worth selling on crime forums like stored banking passwords and cards, or they use the online billing password on a separate device that can be used to buy more phones by sending instant credit to another account they control, then they walk in to a store with fake ID for that account, sign a phony 3yr contract and walk out with a new S4 or HTC One or have it mail ordered to a drop.
Bonus: maybe the theft victim is wealthy and they can extort them from the stored pictures or emails/texts from mistresses.
IMEI is changed, then re-flash the phone either with their own backdoored o/s and sell it for later ID theft, or reset back to default build and sell it.
Unless you keep another phone handy to instantly kill switch the stolen phone seconds after they snatch it, you're screwed, and even if you did kill the phone nothing stops them from re-flashing or resetting the device back to the manufacturer default build to be sold. Investment to do this: minimal.
How do I know they do this? Because that's what I would do if I was a meth addicted dimebag ex-con running a petty street stealing crew that snatched phones off the subway. If they aren't already doing this, they will be after the first few arrests and they figure out faraday cages. This kill switch is useless to protect against the crime the police here are trying to sell us on in order to force carriers to make them a backdoor which we all know will be used for surveillance instead or the first step for carriers to start remotely bricking devices that have been unlocked.
Forgot to note, the same z3x team that hacks imei firmware will defeat this remote kill hardware benefit denial solution pretty easily. There's also plenty of leaked manufacturer software floating around like Samsung's Odin, this will get leaked too.
I'm also positive there will be a Defcon presentation after they roll this out of how they figured out how to spoof the remote kill requests to start denial of service attacking phones. If there's secure keys involved then gangsters will either bribe people who work there to hand them over, or carriers will use a default key that will be leaked.
Interesting that law enforcement doesn't want laptops to have the same remote kill switch yet they get stolen just as much. Guess it's easier to build spying backdoors into the small handful of major handset manufacturers than it is every laptop company on earth.
I can see that this may help reduce theft where the phone is the target BUT anecdotally in the majority of street crime cases the thief throws away the phone later - taking it is a delaying tactic to delay the victim cancelling credit/debit cards which have been taken for long enough that they can be used once or twice to get ready cash.
The use of chip & pin technologies has helped to reduce this problem, but now we're all being persuaded that contactless/near field payment systems are "hip and trendy"** the problem is coming back.
** and yes I find the "retro is cool" trends in adverts to be irritating too !
We already own a personal device implementing paranoid security rules.
The result: zero flexibility for legitimate users needing to go beyond the standard parameters of the service for an emergency, and zero deterrence for thieves who know how to squeeze every possible buck out of the card before it gets blocked, exploiting all the loopholes that even legitimate users ignore, making credit card theft possible and profitable.
My 2 c: when the security/freedom tradeoff worsens, it strikes honest citizens far sooner than criminals, who are more aware of how to circumvent the system.
Mass security systems have always failed that way, becoming more inconvenient and costly than properly targeted intelligence, surveillance, prevention and investigation.
"Find my iPhone" would be a lot more attractive (just for those times we forget where we left it) if it didn't require switching to iCloud, or iCloud didn't pose unacceptable risk to all devices synced to that AppleID. I'd be delighted to hear that is (no longer?) true, but the local Geniuses emit only bafflegab.
As for "a unique key given only to the buyer", how the heck do you ensure that? That is, how does a customer of a major manufacturer and carrier ensure that their desires are more relevant to those entities than the desires of various TLAs, or even business partners? Laws clearly don't work for that. Nor does a constitution, in countries that have one.
<pacinovoice>Trust! ..... It's a bitch!</pacinovoice>
1. Imagine how Occupy Wall Street would have gone down if all the mobile phones from out of town suddenly got kill switched. A government could use metadata about normal roaming patterns to identify people who don't normally visit Wall Street and disable only those phones. "A Protest? What protest?" Meanwhile, the banks on Wall Street grind on unaffected.
2. Like needing ID to fly on a plane ticket benefitting airlines by stopping resale of un-needed tickets; this will probably become more about phone companies being able to disable phones to force people to buy new phones on new plans. Missed a payment on your plan? Phone disabled. Buy a new one.