8/29/2014
09:33 AM

California Smartphone Kill-Switch Law: What It Means

Do you understand the consequences of California's new smartphone anti-theft law? Our FAQ will clear up the confusion.


On Aug. 25, California Governor Jerry Brown signed Senate Bill 962, which requires "kill switches" on smartphones sold in California, starting July 1, 2015.

The bill narrowly failed a vote in the California State Senate in April because of concerns it would be bad for business. It passed when revisited in August. In an effort to avoid the imposition of a mandatory kill switch requirement, CTIA-The Wireless Association, a wireless communications trade group, proposed a voluntary agreement to include "a baseline anti-theft tool" in US smartphones that could be either pre-loaded or downloaded.

But New York attorney general Eric T. Schneiderman and San Francisco district attorney George Gascón urged that the kill switch be enabled by default. And that's essentially what California's law requires, unlike the smartphone anti-theft law passed in Minnesota earlier this year.

The law represents an attempt to reduce rampant smartphone theft. Approximately 30% to 40% of robberies in major US cities involve the theft of mobile communications devices, according to the San Francisco district attorney's office. In San Francisco, that figure is 65%.


A kill switch enables the phone's owner to disable the device remotely, via wireless command, so that it cannot be used. Law enforcement officials argue that widespread use of kill switches will reduce the incentive to steal smartphones.

(Source: Philip Wilson on Flickr)

With Apple, Google, Microsoft, Samsung, and other handset makers and mobile carriers onboard, the kill-switch train has left the station. However, there's a lot of confusion about what the kill switch actually does. Here's what you need to know.

Will a kill switch "kill" a smartphone that has been reported stolen?
No. Killing is a reversible process. Smartphones rendered inoperable through a kill switch can be restored. The law states, "The technological solution shall be reversible, so that if an authorized user obtains possession of the smartphone after the essential features of the smartphone have been rendered inoperable, the operation of those essential features can be restored by an authorized user." Will thieves and hackers find a way to resurrect dead phones? They will certainly try.

Are all smartphones sold in California subject to the law?
No. The law applies to smartphones sold at retail in the state, or shipped to a customer who will use the device at a California address, on or after July 15, 2015. It does not apply to smartphone models introduced before Jan. 1, 2015, that cannot reasonably be re-engineered to support the kill-switch code provided by the handset maker or operating system maker. It also does not apply to smartphones resold in California on the secondhand market.

Must smartphone kill switches be enabled by default?
No. That's what law enforcement officials advocated, but it's not a feasible request. Customer information must be input before the customer can trigger device deactivation. Phone makers do not now have the capability to place customer data on a smartphone and configure the device before the customer has taken possession of the device. It would be necessary to have that information for a kill switch that's available by default. That's why the law states, "[T]he default setting of the [kill switch] shall be to prompt the consumer to enable the solution during the initial device setup."

Can smartphone kill switches be disabled?
Yes. The law states, "Consumers should have the option to affirmatively elect to disable this protection, but it must be clear to the consumer that the function the consumer is electing to disable is intended to prevent the unauthorized use of the device." The kill switch can also be prevented from functioning when the device has been powered down or radio signals have been blocked. Recent Android and iOS devices include a setting that will erase data after a specified or preset number of failed password attempts.

Does Apple's Activation Lock qualify as a kill switch under California's law?
No. Apple's security mechanism is close, but the iOS 7 setup process doesn't appear to meet the law's requirements. Activation Lock is enabled automatically when you turn on Find My iPhone in iOS 7. In order to do so, you must first enable iCloud, which requires an Apple ID. Both iCloud and an Apple ID are currently optional for iPhone customers (though an Apple ID is necessary to download apps and updates). A compliant implementation would present an activation screen for Find My iPhone and Activation Lock in a way that couldn't be missed by skipping prerequisite actions. Apple's iOS 8 should be available within a few weeks and it may address these issues.

Will a kill switch erase the data on my smartphone?
Maybe. Activating a kill switch should make it look as if the data on the device is gone, but it could still be there. In July, security vendor Avast said that it had recovered data from Android devices that had been "factory reset." If Android data has been encrypted, then the potential persistence of that data becomes less of an issue. The addition of enterprise security like KNOX improves the situation for Android users.

On iOS, the factory wipe appears to be reliable. In an email, forensic researcher Jonathan Zdziarski said Apple's factory data wipe works well, provided the device has not been jailbroken and has network access. "The encrypted file system structure hinges on a key hierarchy with only three sets of keys at the very top," he said. "It takes mere seconds for the device to wipe these keys, rendering the rest of the file system irrecoverable."

But network access is critical. "If a thief is able to disable the device's WiFi and cellular data before the owner is aware the device is stolen, or before they issue a wipe, then of course the thief could preserve the data and even make a backup or forensic image of it," Zdziarski said. "The thief could use a Faraday bag, which is an inexpensive law enforcement instrument for blocking signals to a device. [The thief] could also just pull the SIM and leave range of any known WiFi networks."

Zdziarski prefers the technique used by BlackBerry for enterprise devices: automatically wiping the device if it has not checked in with the network after a preset period of time.
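
An added illustration (not from the article or from any vendor's code) of the difference Zdziarski describes: a remote wipe that destroys the file-system key only works if the command reaches the device, while a check-in timeout fires locally. The Device class, the toy SHA-256 keystream standing in for real file-system encryption, and the 24-hour limit are assumptions made for the example.

```python
import hashlib
import os

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in for real file-system encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class Device:
    """Hypothetical device model: data is stored only as ciphertext under one top-level key."""
    def __init__(self, data: bytes, checkin_limit_h=None):
        self.key = os.urandom(32)               # top-level file-system key
        self.blob = _keystream_xor(self.key, data)
        self.checkin_limit_h = checkin_limit_h  # None = remote wipe only
        self.last_checkin_h = 0

    def wipe(self):
        self.key = None                         # crypto-erase: ciphertext stays, key is gone

    def tick(self, now_h, network_up, wipe_queued):
        if network_up:
            self.last_checkin_h = now_h
            if wipe_queued:
                self.wipe()                     # remote command only arrives when online
        elif (self.checkin_limit_h is not None
              and now_h - self.last_checkin_h >= self.checkin_limit_h):
            self.wipe()                         # local timer needs no network

    def read(self):
        return _keystream_xor(self.key, self.blob) if self.key else None

def stolen_and_shielded(checkin_limit_h, hours=48):
    """Constructed scenario: radios blocked from hour 0, owner queues a wipe at hour 1."""
    dev = Device(b"constructed sample data: contacts, mail, photos", checkin_limit_h)
    for now_h in range(1, hours + 1):
        dev.tick(now_h, network_up=False, wipe_queued=True)
    return dev.read()
```

With no check-in limit the queued wipe never lands and the data is still readable after 48 hours; with a 24-hour limit the key is destroyed on the device itself.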

Do smartphone kill switches deter smartphone theft?
Yes, at least until thieves discover Faraday bags. Apple deployed its take on a kill switch last fall with the debut of Activation Lock in iOS 7. According to a report published over the summer, "Secure Our Smartphone Initiative: One Year Later," the technology has already had a positive effect on iPhone theft. "[I]n the first five months of 2014, shortly after Apple introduced Activation Lock, the theft of Apple devices fell by 17% in New York City, while thefts of Samsung products increased by 51% compared to the same time period in the previous year," the report says.

Will only the phone's owner be able to activate the kill switch?
No. But it isn't very likely that someone will kill your phone without your consent. Authorities have the legal right to interrupt telecommunications services, and California's new kill-switch law authorizes them to use kill switches to do so in accordance with state public utility rules: "Any request by a government agency to interrupt communications service utilizing [a kill switch] is subject to Section 7908 of the Public Utilities Code." The law also spares phone sellers from liability if the kill switch is misused by hackers, a provision that wouldn't be necessary if misuse weren't a possibility.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
BillB031,
User Rank: Strategist
8/31/2014 | 10:05:08 AM
Government activated kill switch
"Authorities have the legal right to interrupt telecommunications services"

 

I'm not so warm and fuzzy about allowing the Government to have control over my device. 
mejiac,
User Rank: Ninja
8/31/2014 | 9:18:16 AM
Re: Start the clock
@asksqn,

Nothing is impossible, and you're correct, it's a matter of time, but if things start to become increasingly more difficult, the attraction to steal phones may start to fade away.

Another factor to consider is that most of today's smartphones are being constantly pushed an update, and require credentials to install apps, so this will also lead people to not buy stolen phones simply because of the fact they won't be able to get further updates.

And again, like you mention, it's only a matter of time before they find workarounds for that too...but in today's consumer oriented market, users will most likely stay away from hacked phones (at least the non-techys)
mejiac,
User Rank: Ninja
8/31/2014 | 9:12:26 AM
Re: to really deter them
@kstaron,

If I'm not mistaken, cell phones are already enabled to allow for GPS location (unless it's one of those burner phones).

I think the fact that a phone can't be re-sold is sufficient to make its theft not even feasible. This will also lead for the smartphone "black market" to dissolve, since the support required to unlock stolen phones would start fading.
asksqn,
User Rank: Ninja
8/30/2014 | 10:08:20 PM
Start the clock
I give it til the end of the year before crackers (the correct terminology to describe blackhats, cyber and other techno criminals) find a way to reverse engineer the kill switch. 
tkeller852,
User Rank: Apprentice
8/30/2014 | 7:49:24 PM
Kill switch pretty low value.
None of this will do any practical good until authorities are willing to act on such thefts.  Mine was stolen, I activated the child tracking feature and reported the exact trailer house in the exact trailer park in west Phoenix where the phone was located and provided the Google earth image of it.  They told me to use my phone insurance.
Henrisha,
User Rank: Strategist
8/30/2014 | 1:47:34 PM
Re: How do you kill it?
More options on activating the kill switch seem to be in order. They can be rolled out one after the other, perhaps in some countries where some options might not be as practical (ie. adding the phone option.)

Living in a third world country where people have been beaten up or worse, stabbed for their phones--it's high time for some deterrents that they can't get past, rendering stolen phones pretty much useless.
Henrisha,
User Rank: Strategist
8/30/2014 | 1:46:15 PM
Re: to really deter them
I agree with you. There has to be something more than a kill switch, although I won't disagree since I think it's a useful option to have as well. But something that's a bigger deterrent, that's what I would like to see too.
gvandunk,
User Rank: Apprentice
8/30/2014 | 9:44:26 AM
Re: How do you kill it?
The current iPhone kill switch works.  However most of the people who steal these devices know about it so the first thing they do is turn the phone off so it can not be traced.  This was my personal experience.  I went to iCloud within minutes and it could not find my phone.  The authorities are correct in that it has decreased theft some since the phones can not currently be resold and reactivated which was what made them valuable before.  They are however sold for parts much like the bulk of stolen cars.  There is a large secondary market for screens, batteries etc to fix broken phones. Repairing phones is a good business and if you can get quality used parts your margins increase. I am sure a good portion of the "street" vendors that do repairs use the parts. Unfortunately people create the demand as they are the ones looking for a cheaper alternative to going to the manufacturer for repair.
kstaron,
User Rank: Ninja
8/29/2014 | 5:07:20 PM
to really deter them
If you want to prevent cell phone theft this is a decent way to protect the info on the phone, but shouldn't it be coupled with an alarm type of GPS device so when it's activated you can find out where the thief took it, preferably with a loud blaring noise emitting from the phone to declare this phone was stolen? Do that and it makes stealing a phone a liability not just less desirable.
mejiac,
User Rank: Ninja
8/29/2014 | 4:52:13 PM
Re: How do you kill it?
Here's my 2 cents,

In many third world countries, people have been badly hurt (even killed) for a phone, so having a way to completely disable a phone is a really good measure

 

But like @Shane mentions, some people might not have access to a computer in a street, but might be able to make a call from a restaurant or other location, so if the kill switch can be activated by calling a number and entering a PIN, it would allow for greater efficiency.