The government seems to be hot on the trail of smartphone kill switches. The question is whether the concept is a solid one.
InformationWeek reports that two recent proposals, one at the state level and one in the Senate, seek to make it possible for a carrier to render a lost or stolen device useless. The story points out that the Federal Communications Commission says that 30 percent to 40 percent of robberies in major cities are of mobile devices; the number in some cases can reach half. Consumer Reports, the story says, found that 1.6 million people had smartphones stolen in 2012.
The intended goal of the kill switch is, of course, to make such thefts far less attractive to criminals. Opponents say that while the goal is a good one, a likely unintended consequence is that the kill switch technology would attract hackers.
PCWorld paraphrases the objections of industry group CTIA, which submitted a filing on the issue to the FCC:
In one scenario, groups of mobile phones can be permanently disabled by sending multiple messages, such as by incrementing the MSISDN (the telephone number) or IMSI (the unique identity of the customer) or the IMEI (the equipment identifier), CTIA said in the filing. Subscribers will not even be able to make emergency calls, it added.
The CTIA has an alternative, described by TechSpot. While not as technically sophisticated, the federal registry approach comes without the kill switch baggage:
The cellular industry trade group, along with the FCC and four of the largest US carriers, are pushing a national lost-and-stolen phone registry instead, which would be used as a blacklist to deny activation of stolen smartphones. That database went live late last year and the group believes legislation should build upon this initiative by criminalizing tampering with mobile device identifiers as a workaround to the blacklist.
Three approaches to smartphone kill switches exist, according to Marc Rogers, principal security researcher for Lookout. He outlines the three at re/code: activation locks, persistent security software, and software/hardware that can remotely “brick” a phone. Rogers’ conclusion:
There is never going to be a single silver bullet that stops smartphone crime. The most effective approach to a kill switch will use a number of locking, disabling and tracking technologies in combination, so that their strengths are magnified and their weaknesses are mitigated. The ideal approach will ensure that every time a device is wiped or reinstalled, it automatically authenticates with manufacturer or operator servers to reestablish the correct security software and settings. Once reactivated, this software protects the device while advertising its true ownership, which kills the opportunity for the thief to cash in on his crime. Meanwhile, the device should silently begin to call for help by transmitting its location to the authorities even after the SIM card has been removed.
The basic question is whether it is possible to engineer and secure kill switches in a way that doesn’t offer opportunities to crackers. That seems unlikely, since crackers are just as smart as the folks fighting them. In any case, the hope is that the question will be part of the debates about the legislation in Washington and Sacramento.
The Senate bill is “The Smartphone Theft Prevention Act” and was introduced by Amy Klobuchar, a Democrat from Minnesota. The California legislation was introduced to the state senate by Senator Mark Leno, a Democrat from San Francisco.