Mobile // Mobile Business
News
8/29/2014
09:33 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

California Smartphone Kill-Switch Law: What It Means

Do you understand the consequences of California's new smartphone anti-theft law? Our FAQ will clear up the confusion.

8 Things We Want In iPhone 6
8 Things We Want In iPhone 6
(Click image for larger view and slideshow.)

On Aug. 25, California Governor Jerry Brown signed Senate Bill 962, which requires "kill switches" on smartphones sold in California, starting July 1, 2015.

The bill narrowly failed a vote in the California State Senate in April because of concerns it would be bad for business. It passed when revisited in August. In an effort to avoid the imposition of a mandatory kill switch requirement, CTIA-The Wireless Association, a wireless communications trade group, proposed a voluntary agreement to include "a baseline anti-theft tool" in US smartphones that could be either pre-loaded or downloaded.

But New York attorney general Eric T. Schneiderman and San Francisco district attorney George Gascón urged that the kill switch be enabled by default. And that's essentially what California's law requires, unlike the smartphone anti-theft law passed in Minnesota earlier this year.

The law represent an attempt to reduce rampant smartphone theft. Approximately 30% to 40% of robberies in major US cities involve the theft of mobile communications devices, according to the San Francisco district attorney's office. In San Francisco, that figure is 65%.

[Are your mobile apps leaking data? See NIST Drafts Mobile App Security Guidelines.]

A kill switch enables the phone's owner to disable the device remotely, via wireless command, so that it cannot be used. Law enforcement officials argue that widespread use of kill switches will reduce the incentive to steal smartphones.

(Source: Philip Wilson on Flickr)
(Source: Philip Wilson on Flickr)

With Apple, Google, Microsoft, Samsung, and other handset makers and mobile carriers onboard, the kill-switch train has left the station. However, there's a lot of confusion about what the kill switch actually does. Here's what you need to know.

Will a kill switch "kill" a smartphone that has been reported stolen?
No. Killing is a reversible process. Smartphones rendered inoperable through a kill switch can be restored. The law states, "The technological solution shall be reversible, so that if an authorized user obtains possession of the smartphone after the essential features of the smartphone have been rendered inoperable, the operation of those essential features can be restored by an authorized user." Will thieves and hackers find a way to resurrect dead phones? They will certainly try.

Are all smartphones sold in California subject to the law?
No. The law applies to smartphones sold at retail in the state, or shipped to a customer who will use the device at a California address, on or after July 15, 2015. It does not apply to smartphone models introduced before Jan. 1, 2015, that cannot reasonably be re-engineered to support the kill-switch code provided by the handset maker or operating system maker. It also does not apply to smartphones resold in California on the secondhand market.

Must smartphone kill switches be enabled by default?
No. That's what law enforcement officials advocated, but it's not a feasible request. Customer information must be input before the customer can trigger device deactivation. Phone makers do not now have the capability to place customer data on a smartphone and configure the device before the customer has taken possession of the device. It would be necessary to have that information for a kill switch that's available by default. That's why the law states, "[T]he default setting of the [kill switch] shall be to prompt the consumer to enable the solution during the initial device setup."

Can smartphone kill switches be disabled?
Yes. The law states, "Consumers should have the option to affirmatively elect to disable this protection, but it must be clear to the consumer that the function the consumer is electing to disable is intended to prevent the unauthorized use of the device." The kill switch can also be prevented from functioning when the device has been powered down or radio signals have been blocked. Recent Android and iOS devices include a setting that will erase data after a specified or preset number of failed password attempts.

Does Apple's Activation Lock qualify as a kill switch under California's law?
No. Apple's security mechanism is close, but the iOS 7 setup process doesn't appear to meet the law's requirements. Activation Lock is enabled automatically when you turn on Find My iPhone in iOS 7. In order to do so, you must first enable iCloud, which requires an Apple ID. Both iCloud and an Apple ID are currently optional for iPhone customers (though an Apple ID is necessary to download apps and updates). A compliant implementation would present an activation screen for Find My iPhone and Activation Lock in a way it couldn't be missed by skipping prerequisite actions. Apple's iOS 8 should be available within a few weeks and it may address these issues.

Will a kill switch will erase the data on my smartphone?
Maybe. Activating a kill switch should make it look as if the data on the device is gone, but it could still be there. In July, security vendor Avast said that it had recovered data from Android devices that had been "factory reset." If Android data has been encrypted, then the potential persistence of that data becomes less of an issue. The addition of enterprise security like KNOX improves the situation for Android users.

On iOS, the factory wipe appears to be reliable. In an email, forensic researcher Jonathan Zdziarski said Apple's factory data wipe works well, provided the device has not been jailbroken and has network access. "The encrypted file system structure hinges on a key hierarchy with only three sets of keys at the very top," he said. "It takes mere seconds for the device to wipe these keys, rendering the rest of the file system irrecoverable."

But network access is critical. "If a thief is able to disable the device's WiFi and cellular data before the owner is aware the device is stolen, or before they issue a wipe, then of course the thief could preserve the data and even make a backup or forensic image of it," Zdziarski said. "The thief could use a Faraday bag, which is an inexpensive law enforcement instrument for blocking signals to a device. [The thief] could also just pull the SIM and leave range of any known WiFi networks."

Zdziarski prefers the technique used by BlackBerry for enterprise devices: automatically wiping the device if it has not checked in with the network after a preset period of time.

Do smartphone kill switches deter smartphone theft?
Yes, at least until thieves discover Faraday bags. Apple deployed its take on a kill switch last fall with the debut of Activation Lock in iOS 7. According to a report published over the summer, "Secure Our Smartphone Initiative: One Year Later," the technology has already had a positive effect on iPhone theft. "[I]n the first five months of 2014, shortly after Apple introduced Activation Lock, the theft of Apple devices fell by 17% in New York City, while thefts of Samsung products increased by 51% compared to the same time period in the previous year," the report says.

Will only the phone's owner will be able to activate the kill switch?
No. But the chance of someone killing your phone without consent isn't very likely. Authorities have the legal right to interrupt telecommunications services, and California's new kill-switch law authorizes them to use kill switches to do so in accordance with state public utility rules: "Any request by a government agency to interrupt communications service utilizing [a kill switch] is subject to Section 7908 of the Public Utilities Code." The law also spares phone sellers from liability if the kill switch is misused by hackers, a provision that wouldn't be necessary if misuse weren't a possibility.

Today's endpoint strategies need to center on protecting the user, not the device. Here's how to put people first. Get the new User-Focused Security issue of Dark Reading Tech Digest today. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 4 / 4
Shane M. O'Neill
50%
50%
Shane M. O'Neill,
User Rank: Author
8/29/2014 | 12:42:30 PM
Re: How do you kill it?
Thanks Tom. But if your smartphone is gone, a text message code won't do you much good. A phone number you could call to activate the kill would work. But it seems a website covers the bases best. Whatever the medium, it should be quick and easy for an owner to pull the trigger.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
8/29/2014 | 12:32:47 PM
Re: How do you kill it?
>Where and how do you actually activate a kill switch? Via a website?

That's the way Apple does it, via iCloud's Find My iPhone. But the law doesn't spell that out so Google, for example, could implement it in a variety of ways. A website makes sense but it could be set up to trigger via a specific text message code, a specific phone number, or some other criteria -- the software listening for the kill message could in theory listen for any distinct event.
Shane M. O'Neill
50%
50%
Shane M. O'Neill,
User Rank: Author
8/29/2014 | 12:20:51 PM
How do you kill it?
Where and how do you actually activate a kill switch? Via a website?
mstechie
50%
50%
mstechie,
User Rank: Apprentice
8/29/2014 | 10:59:19 AM
Secure Profiles
This is more of a question rather than a statement. I am concerned about where the kill switch data or profile is stored at. Is there going to be some central repository or is it based on carriers? I am asking this because apparently there will be some type of Web interface. Will the profile data all be stored on the phone? How secure is this process? Is there a risk of the repository of 'kill switch profiles' being hacked then a mass number if phones could be killed at once. How is this different from Find My Phone or LookOut? Ok, this is more like a short list if questions.
<<   <   Page 4 / 4
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.