Could a smartphone "killswitch" work?

So California, with the best of intentions as always, is trying to pass a law saying all smartphones sold there have to have a “killswitch” - a feature that will allow the carrier to kill the phone dead as a rock. The theory is that this will make smartphone theft (which is now 40% of robberies, apparently) pointless.

Okay, good on paper. You get held up, they take your iPhone, you call AT&T, the phone is turned into a brick. Sooner or later da bad guyz stop taking smartphones.

However… aren’t nearly all stolen phones re-chipped and re-serialized to hide their identity? It’s already possible to find a stolen phone within minutes by looking for its IMEI number on any network, so my understanding is that experienced phone thieves (1) immediately pull the battery, switch the phone off or put it in an RF-proof container to get it off the network, and (2) sell it to someone who will rechip or reprogram it. When it reappears live, it’s no longer traceable.

How could any extension of embedded ID work, then? If phones have to be mass-produced and then programmed or burned with their individual ID, someone else can hack or re-burn that information later. Adding this “kill switch” feature would depend on being able to identify the stolen phone 5 minutes or more after theft, plenty of time for the phone to disappear into an RF hole.

About the only use tracing and cutting off a phone now achieves is cutting the carrier’s losses due to punk theft and expensive or crime-related calls; not one in 100 is going to be tracked down and recovered. So “bricking” a phone remotely means the thief has to leave the phone active, not rechip or reprogram it, and whatever the “kill switch” does has to be beyond the ability of already-skilled hacker/reprogrammers to fix.

As I said, good intentions… but do they completely ignore reality here?

With iOS 7, Apple has introduced “iCloud locking,” which so far has proven to be uncrackable. When the phone is locked this way, one must authenticate with the iCloud server to register the phone. A locked phone cannot be used, even as an “iPod touch.”

Has this stopped thieves?
I doubt it.
Both the thieves and their customers are too stupid, and they don’t take the time to ID the potential theft target first.

For that matter, did car stereo PIN entry reduce car stereo thefts? I doubt that, too - it’s the same thing.

There is no re-chipping or reprogramming trapdoor?

ETA: I accept that if a phone is left with an embedded serial number, it can be effectively blocked, locked or traced. But reprogramming is a whole industry these days, and even dim thieves know they have to sell phones to someone who can make it resalable.

I believe it can be done at an Apple store. But that may well involve doing something on the server side as well as to the phone.

The only description I’ve heard that sounds detailed enough to be plausible involves duping Apple employees into exchanging the phone for another.

Reprogramming the IMEI isn’t necessarily as easy as it sounds. In a well architected system, it may not be possible.

I’m not sure what you’re suggesting with rechipping it. There are a ton of chips in the phone. The one with the IMEI stored in it likely is the flash part, which also contains the OS. If you have access to another flash part with a valid OS, it’s probably attached to another phone.

ETA: The IMEI is often stored in either one-time programmable space (enforced by hardware fuses), or in a signed area. To change it in a signed area involves being able to create a new signature, which requires having access to the signing key.

I, on the other hand, would think about the possibility the killswitch works too well–that the systems are hacked and that teenagers all over (and teenagers at heart) will have great fun killing the cell phones of their enemies, friends and random strangers.

A deactivated phone can still be sold to an unsuspecting person on gumtree or craigslist.

Never underestimate the stupidity of people bargain hunting

I’ve seen a whole long list of “impossibles” in that vein. :smiley:

Do you know how the Videocipher II was cracked? The video scrambling system implemented on satellite TV? It was considered highly secure because the codes and algorithms were burned onto a PAL and not accessible from outside the chip. The hackers drilled holes in the chip casing and used micro-droplets of mercury to connect probes to the chip itself and reverse-engineer the coding.

Nothing since then has surprised me. If one person can do it, using any tools whatsoever, in or out of a manufacturing facility, another one can figure out how to copy the process.

That said, there’s also overseas sales, which I understand are huge for high-end phones. I am not sure there’s any agreement to scan IMEI codes overseas, especially in Eastern Europe and Asia.

Shame - I thought the term “kill switch” was literal. Maybe a couple of ounces of HE?

Who do you think you are, the Mossad?

Isn’t the key to the above the concept of “experienced” phone thieves?

Are the majority of muggings that include the taking of cell phones done by experienced phone thieves, or done by people who just see the phone as an extra quick $30?

True enough. Informally, I’ve always discussed security goals as preventing it from being mass produced/hacked. You can change fuses and such if you try hard enough.

I’m not aware of any scheme that currently allows someone to reprogram the IMEI of any of the devices I worked on, without access to security systems well within corporate walls. And even then, it isn’t always *currently* possible.

The goal would be to make the task so difficult that the cost exceeds the used price of the phone. This is also a different scenario: with satellite TV, stealing the key from one decoder in principle lets you mass produce decoders that can give you sat TV for free. If each individual phone uses a locked down system on a chip, in principle it could be too expensive to replace. Security schemes aren’t pointless - it just takes enormous effort to get them right.

Last I heard, a few years ago DirecTV finally was using cards that no one had cracked for several years. That is de facto a secure system. Of course, people can just stream pirated sat TV on the internet now…

Blackberry has an equivalent cloud based blocking to Apple’s.

Yeah, but the last Blackberry was stolen in 2008.

Amateur, I was trying to respond to my post on an iphone’s tiny keyboard, ironically.

So the principles of the scenario are as follows:

A smartphone has a chip in it that does almost all of the digital logic. The CPU, GPU, memory, I/O: it’s all in the same part.

There are 2 possible ways to kill the phone.

  1. You can broadcast a signal, signed using a private key, instructing a phone with a specific serial or IMEI number to brick itself permanently until given a signal, signed with the same or different private key, to rescind the bricking. This poses a risk that the private key could be stolen somehow, and used to brick many phones at once. The way you secure the mechanism to do this is you embed the code to implement this feature at a low level in the software used on the phone. You sign the code with a private key, and the system on a chip in the phone will not load an OS not signed with this key. However, the widespread prevalence of jailbreaks is due to every current implementation having holes.

  2. You can make agreements with all 4 wireless providers in the U.S. to blacklist any phone with an IMEI on a “stolen” list. This is safer, and you can maintain a parallel “whitelist” of IMEIs that stop someone from changing their phone’s IMEI easily.

As you point out, the cell phone thieves could in fact put their stolen phones into a foil bag (like the anti-static bags circuit boards come in) and this signal would not get through. The thieves could ship their phones to a market where this signal is not being broadcast and resell them there, or where the IMEI blacklist is not being enforced.

However, this ups the ante considerably. Right now, all a thief has to do is grab a phone and go on ebay or craigslist and sell it. There is no way for the rightful owner of the phone to do anything if the phone were reflashed to remove any “track my phone” applications.

Both these solutions have logistical problems, and any specific implementation can have holes in it. However, this is not at all the same impossible-to-solve problem as, say, preventing movies from being pirated. A cell phone requires the consent of the wireless providers in order to work, and there already exists a locked down ID system (IMEI) that has been secured extremely well. If it weren’t, thieves would be routinely cloning others’ phones and using their accounts to make untraceable phone calls.
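As an added example (not code from any poster in this thread), here is option 1 above as a handset-side check: the phone honours a brick or rescind command only if it names the phone’s own IMEI, verifies under the carrier public key it was built with, and carries a counter higher than any seen before, so a captured command cannot be replayed. The message format, the Ed25519 key pair and the sample IMEI are constructed assumptions; the point that the IMEI and key must sit in fused or signed storage, as an earlier post notes, is assumed rather than implemented.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Command is the constructed message format assumed here: target IMEI, action
// (1 = brick, 0 = rescind) and a counter that must increase on every command.
type Command struct {
	IMEI    string
	Action  byte
	Counter uint64
}

// encode serialises every field so the signature covers all of them.
func (c Command) encode() []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, c.Counter)
	return append(append([]byte(c.IMEI), c.Action), buf...)
}

// Sign is the carrier side: only the private key holder can issue commands.
func Sign(priv ed25519.PrivateKey, c Command) []byte {
	return ed25519.Sign(priv, c.encode())
}

// Phone is the handset side; IMEI and CarrierKey are assumed to sit in fused or signed storage.
type Phone struct {
	IMEI        string
	CarrierKey  ed25519.PublicKey
	LastCounter uint64
	Bricked     bool
}

// Apply rejects commands for another IMEI, under another key, or replayed.
func (p *Phone) Apply(c Command, sig []byte) error {
	if c.IMEI != p.IMEI {
		return fmt.Errorf("command is for IMEI %s, not this phone", c.IMEI)
	}
	if !ed25519.Verify(p.CarrierKey, c.encode(), sig) {
		return fmt.Errorf("signature does not verify under the carrier key")
	}
	if c.Counter <= p.LastCounter {
		return fmt.Errorf("stale or replayed command (counter %d)", c.Counter)
	}
	p.LastCounter, p.Bricked = c.Counter, c.Action == 1
	return nil
}
```

A stolen carrier private key defeats every check here except the IMEI match, which is exactly the “brick many phones at once” risk the post describes.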

I’d be more afraid of such a killswitch being used by the cellphone company against you!

You get disgusted with the poor quality AT&T cellphone service and decide to switch carriers, and take your expensive cellphone (which you paid for) to another carrier, and AT&T triggers the killswitch in the phone. But will un-kill it if you pay them a hefty fee. Which is legal, because you agreed to it – it was in the fine print of the 14-page contract covering your account.

You have a billing dispute with AT&T, and refuse to settle it on their terms – so they trigger the killswitch on your phone.

You are unhappy with AT&T’s poor service, and write a bad review of them in an online forum, or even file a complaint with your state’s Public Utilities Commission – so they trigger the killswitch on your phone.

Again, they can make this legal by including it in the fine print of your service contract. Most of those contracts allow them to retroactively add this, even if it wasn’t in the contract when you signed it.

They can do much of this already, by shutting off your cellphone service. But they usually can’t dead-brick your expensive phone itself. This killswitch would make it much easier for them to do that. I don’t like that idea.

They could do more of it at the moment by blocking the IMEI (which would not kill the computing functionality of a smartphone, but would prevent an ordinary consumer from just connecting it with a new provider).

But this doesn’t seem to be a widespread problem.

I think I agree with t-bonham. Within a year, the primary use of killswitches would be the cellphone carrier blackmailing/getting revenge on customers. All the major carriers would do it, and yeah there’d be a few that don’t, but those would be the small-time carriers that have like 4 towers in the entire country.

I would only support it if I owned the killswitch on my phone and not the carrier. Because it’s my phone, not theirs. (I’m tired of “ownership” these days being watered down to “renting someone else’s stuff for awhile until it’s time to upgrade to somebody else’s newer stuff”.)

The problem then is that if you buy a secondhand phone, the guy who used to own it may still have the ability to kill it. If you try making a “transfer killswitch” app in software, then the whole idea is worthless, because they could just reflash the software.

So no, I don’t think this idea is workable.