Stuart Lyle who works for a network operator in the UK has kindly written a guest blog for me today on the latest issue to hit Android. More details on Stuart can be found at the bottom of the post.
The “issue du jour” in the security industry today seems to be the HTC security vulnerability – more info on the BBC website or a more detailed view at Android Police.
This is a very real, very valid vulnerability and HTC have made what I would professionally describe as a cock up. Other vendors have undoubtedly done worse and will do worse in the future. One can also have a very long debate as to whether or not the guys at Android Police have acted responsibly in publicly disclosing this so soon after private disclosure to HTC. I’m not going to get drawn into that debate – I’ll leave that one to others who have more valid opinions.
My take on the whole issue is one of moderate indifference. I read it yesterday, got a bit concerned by it and then I shrugged my shoulders and uttered a noise I can only describe as “meh”. I can’t change the problem and I can’t fix the problem so I have to view it pragmatically and sensibly and consider the broad questions of what is the impact to me and what is the impact of it on customers.
Impact to me? Well, I don’t use an HTC device so, harsh as it may seem, I’m all right Jack! My data and my behaviour aren’t going to be compromised, at least not through this vulnerability anyway.
Having done some reading and some checking, it would seem that some of the handsets referenced in the disclosure aren’t on the open market and those that are available have not been available for long. This is also good. That means that there aren’t going to be millions of these devices in use by customers. That starts to make me more comfortable in terms of impact. It would also seem, through some conjecture by boffins who know this sort of stuff, that it will be easy to fix. Again, more comfort. I’m almost relaxed now. Almost.
Do you see what I’m doing here? It’s not rocket science – I’m pragmatically trying to work out if this is really something I need to invest a whole heap of my effort in. I’m asking myself how important this really is to me, my life, my business and my customers. My response, given the limited resources I work with, has to be commensurate to the risk that it causes and the impact of that risk should it come to pass. I can rant about how HTC have been a bit daft here all I like (and many on the Internet no doubt will) but it’s not something I can directly influence or change easily.
Some of the thought processes I’m going through here are described in a great book I read recently. I gave a copy of the book to all of my security team (I’m not that generous, I’ve got a small team!). It’s called “Shut Up, Move On” by Paul McGee – or SUMO®. It describes a method and tools for dealing with challenge or change and part of it is really about how we can react to adverse situations with a positive attitude. I’d encourage anyone to buy and read the book and think about how those techniques are also relevant in a security context. I’d particularly also encourage you to download the “7 Questions SUMO® cartoon” PDF from Paul’s web site – and think about how those questions can be helpful when faced with a security threat like this one. You might find it useful, you might not. I certainly do.
In any event, and irrespective of how we, as a security community, react to the incident, what is really important now is how HTC respond to this, both technically and publicly. I was somewhat disheartened to see the quote from them on the BBC article – “HTC takes our customers' security very seriously” – as it’s just a very old, very standard stock response line and it doesn’t fill me with confidence. Crisis response and the effect that a bit of bad PR can have on brand is, however, another job for another blog another time.
About Stuart
Stuart Lyle CEng CITP MBCS AMBCI CISA CRISC
Stuart has been working in the mobile industry for 15 years and has, throughout that time, worked in a variety of roles across fraud, security, risk, continuity and compliance. Currently leading a small but focussed security team at a UK mobile network provider, Stuart also holds the position of industry vice chair at the Network Security Information Exchange within CPNI and has also chaired a local collaboration forum for Business Continuity across the Berkshire region. You can find out more about Stuart on his AboutMe page.
Stuart is a guest blogger on this site in a personal capacity – these views and comments are all his and not those of his employer.