Sunday, 21 July 2013

The phone theft debate continues...

A number of articles on mobile phone theft in the papers this weekend (20-21st July 2013). Regular readers will know that I've spoken quite a lot about phone theft in the past and at various events.

Snatch thefts are particularly high because the phone is 'active' at that point and not locked

The Daily Mail discusses the fact that Apple will publish the update later this year which will enable the "authentication lock" feature which will prevent the re-enablement of stolen phones after theft. It also mentions that GPS won't be able to be disabled and the phone wiped - common methods used by thieves to prevent tracking of phones and one which also encouraged snatches of 'active' devices.

In the Daily Telegraph, Boris Johnson apparently said "Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products".

This is badly off the mark - the problem is not the hardware security (this was addressed years ago and the work was acknowledged by the Home Secretary in 2008). The real problem is the export of devices - they are not blocked outside the UK so can continue to be used. This has nothing at all to do with hardware security, but it has everything to do with the ability to disable devices globally.

Other countries such as the US have only recently joined the party, claiming massive new street theft problems. The truth is this - phone theft will have always been a problem but it has only been recently that high profile violent robberies have forced them into action. What have the authorities been doing for the last ten or so years?

Apple's authentication lock is not a kill switch

The terminology being used by politicians and the media is incorrect - preventing access to services is actually the opposite of reaching out and telling a device to 'die'. Creating a real kill switch like that could in itself become a security problem. Imagine being able to turn off every phone in the world?

The reality is that the functionality for an "authentication lock" has only been technically possible in the past 5 years, because previously the manufacturer would have virtually no relationship with the customer. These days all the major OS providers ask users to sign up for an account with them to access services - and that's the key. A relationship with the end user means that they can take action because they know when that phone gets used post-theft.

In the past, this simply wasn't possible for the network operators. No operator (as far as I know) has presence in every country in the world, so it wouldn't usually see a phone if it had been exported. Yes, the IMEI (identity of the device) could technically be shared with a global database called the Central Equipment Identity Register, but that one piece of data is not reliable for many reasons including a rash of counterfeit devices in some countries. However if a phone has to connect home over the web, it allows a lot of information to be checked and even shared with the rightful owner. Although it is not fool-proof, it is the right thing to do as it makes the phone less attractive to a thief. It does raise a question for the Android manufacturers particularly. Will they now ask Google to provide this functionality for them, or somehow try and build it into their own anti-theft find-and-locate apps (which will not be as robust as putting this in at the OS level)?

Next steps

Assuming the industry gets this right (and I hope they do), the ball will be back in government and Police hands. With rising theft figures, it is very easy to blame the manufacturers and operators. In reality this is a complex and largely social problem - people are still going to snatch expensive mobiles and try to use them to pay for things / use their functions etc and sell them. There'll be a new, lucrative challenge for the cracking community to disable things like authentication lock. Up until 2011, the UK was the only country that had really done lots of things to help address theft in a proper manner including:

  • education for young people (youth-on-youth crime is very high)
  • posters in high crime areas like London
  • legal measures (making it illegal to change the IMEI number and possess the equipment to do so)
  • working with industry to harden devices (OMTP TR1)
  • encouraging industry to share information on theft (stolen IMEI numbers)
  • setting up a dedicated Police unit to target thieves

Mobile phone theft affects ordinary people - for that reason alone, politicians like Boris Johnson are going to continue to jump on what has been for years a populist bandwagon.

1 comment:

  1. Excellent post; it's good to see the UK taking a lead in this area!

    I wonder if we can say anything about the effectiveness of the various measures you list? Of course, the point of taking several measures is that you don't expect them all to be 100% successful, but it may be instructive to judge the effectiveness in hindsight.

    My guess would be that the most effective were education (including the posters), industry information sharing, and the dedicated police unit. On the others, has anyone been prosecuted for IMEI tampering? and, while it did encourage industry cooperation on phone platform security, has anyone actually implemented OMTP TR1?

    ReplyDelete