Mobile // Mobile Business
News
8/29/2014
09:33 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

California Smartphone Kill-Switch Law: What It Means

Do you understand the consequences of California's new smartphone anti-theft law? Our FAQ will clear up the confusion.

8 Things We Want In iPhone 6
8 Things We Want In iPhone 6
(Click image for larger view and slideshow.)

On Aug. 25, California Governor Jerry Brown signed Senate Bill 962, which requires "kill switches" on smartphones sold in California, starting July 1, 2015.

The bill narrowly failed a vote in the California State Senate in April because of concerns it would be bad for business. It passed when revisited in August. In an effort to avoid the imposition of a mandatory kill switch requirement, CTIA-The Wireless Association, a wireless communications trade group, proposed a voluntary agreement to include "a baseline anti-theft tool" in US smartphones that could be either pre-loaded or downloaded.

But New York attorney general Eric T. Schneiderman and San Francisco district attorney George Gascón urged that the kill switch be enabled by default. And that's essentially what California's law requires, unlike the smartphone anti-theft law passed in Minnesota earlier this year.

The law represent an attempt to reduce rampant smartphone theft. Approximately 30% to 40% of robberies in major US cities involve the theft of mobile communications devices, according to the San Francisco district attorney's office. In San Francisco, that figure is 65%.

[Are your mobile apps leaking data? See NIST Drafts Mobile App Security Guidelines.]

A kill switch enables the phone's owner to disable the device remotely, via wireless command, so that it cannot be used. Law enforcement officials argue that widespread use of kill switches will reduce the incentive to steal smartphones.

(Source: Philip Wilson on Flickr)
(Source: Philip Wilson on Flickr)

With Apple, Google, Microsoft, Samsung, and other handset makers and mobile carriers onboard, the kill-switch train has left the station. However, there's a lot of confusion about what the kill switch actually does. Here's what you need to know.

Will a kill switch "kill" a smartphone that has been reported stolen?
No. Killing is a reversible process. Smartphones rendered inoperable through a kill switch can be restored. The law states, "The technological solution shall be reversible, so that if an authorized user obtains possession of the smartphone after the essential features of the smartphone have been rendered inoperable, the operation of those essential features can be restored by an authorized user." Will thieves and hackers find a way to resurrect dead phones? They will certainly try.

Are all smartphones sold in California subject to the law?
No. The law applies to smartphones sold at retail in the state, or shipped to a customer who will use the device at a California address, on or after July 15, 2015. It does not apply to smartphone models introduced before Jan. 1, 2015, that cannot reasonably be re-engineered to support the kill-switch code provided by the handset maker or operating system maker. It also does not apply to smartphones resold in California on the secondhand market.

Must smartphone kill switches be enabled by default?
No. That's what law enforcement officials advocated, but it's not a feasible request. Customer information must be input before the customer can trigger device deactivation. Phone makers do not now have the capability to place customer data on a smartphone and configure the device before the customer has taken possession of the device. It would be necessary to have that information for a kill switch that's available by default. That's why the law states, "[T]he default setting of the [kill switch] shall be to prompt the consumer to enable the solution during the initial device setup."

Can smartphone kill switches be disabled?
Yes. The law states, "Consumers should have the option to affirmatively elect to disable this protection, but it must be clear to the consumer that the function the consumer is electing to disable is intended to prevent the unauthorized use of the device." The kill switch can also be prevented from functioning when the device has been powered down or radio signals have been blocked. Recent Android and iOS devices include a setting that will erase data after a specified or preset number of failed password attempts.

Does Apple's Activation Lock qualify as a kill switch under California's law?
No. Apple's security mechanism is close, but the iOS 7 setup process doesn't appear to meet the law's requirements. Activation Lock is enabled automatically when you turn on Find My iPhone in iOS 7. In order to do so, you must first enable iCloud, which requires an Apple ID. Both iCloud and an Apple ID are currently optional for iPhone customers (though an Apple ID is necessary to download apps and updates). A compliant implementation would present an activation screen for Find My iPhone and Activation Lock in a way it couldn't be missed by skipping prerequisite actions. Apple's iOS 8 should be available within a few weeks and it may address these issues.

Will a kill switch will erase the data on my smartphone?
Maybe. Activating a kill switch should make it look as if the data on the device is gone, but it could still be there. In July, security vendor Avast said that it had recovered data from Android devices that had been "factory reset." If Android data has been encrypted, then the potential persistence of that data becomes less of an issue. The addition of enterprise security like KNOX improves the situation for Android users.

On iOS, the factory wipe appears to be reliable. In an email, forensic researcher Jonathan Zdziarski said Apple's factory data wipe works well, provided the device has not been jailbroken and has network access. "The encrypted file system structure hinges on a key hierarchy with only three sets of keys at the very top," he said. "It takes mere seconds for the device to wipe these keys, rendering the rest of the file system irrecoverable."

But network access is critical. "If a thief is able to disable the device's WiFi and cellular data before the owner is aware the device is stolen, or before they issue a wipe, then of course the thief could preserve the data and even make a backup or forensic image of it," Zdziarski said. "The thief could use a Faraday bag, which is an inexpensive law enforcement instrument for blocking signals to a device. [The thief] could also just pull the SIM and leave range of any known WiFi networks."

Zdziarski prefers the technique used by BlackBerry for enterprise devices: automatically wiping the device if it has not checked in with the network after a preset period of time.

Do smartphone kill switches deter smartphone theft?
Yes, at least until thieves discover Faraday bags. Apple deployed its take on a kill switch last fall with the debut of Activation Lock in iOS 7. According to a report published over the summer, "Secure Our Smartphone Initiative: One Year Later," the technology has already had a positive effect on iPhone theft. "[I]n the first five months of 2014, shortly after Apple introduced Activation Lock, the theft of Apple devices fell by 17% in New York City, while thefts of Samsung products increased by 51% compared to the same time period in the previous year," the report says.

Will only the phone's owner will be able to activate the kill switch?
No. But the chance of someone killing your phone without consent isn't very likely. Authorities have the legal right to interrupt telecommunications services, and California's new kill-switch law authorizes them to use kill switches to do so in accordance with state public utility rules: "Any request by a government agency to interrupt communications service utilizing [a kill switch] is subject to Section 7908 of the Public Utilities Code." The law also spares phone sellers from liability if the kill switch is misused by hackers, a provision that wouldn't be necessary if misuse weren't a possibility.

Today's endpoint strategies need to center on protecting the user, not the device. Here's how to put people first. Get the new User-Focused Security issue of Dark Reading Tech Digest today. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 4   >   >>
Jeffrub1
50%
50%
Jeffrub1,
User Rank: Apprentice
9/3/2014 | 4:18:30 PM
Unpredictable data safety
While the specter of disabled devices will likely reduce hardware theft, the possibility of immediate SIM pull or turned-off-radio blocking the disablement means that data mining will still be a threat.  This is especially troubling for businesses who may harbor hope that the new capabilities will effectively eliminate corporate data breaches on BYOD devices.
escher
50%
50%
escher,
User Rank: Apprentice
9/3/2014 | 4:44:28 AM
Slippery slope
What's next - installing a chip in our children to turn them catatonic if kidnapped?
Shane M. O'Neill
100%
0%
Shane M. O'Neill,
User Rank: Author
9/2/2014 | 4:32:26 PM
Re: How do you kill it?
Ok, I see. You can send a text message to kill it. I was thinking you would need to receive a text to kill it. Doh. Silly me. 
GAProgrammer
50%
50%
GAProgrammer,
User Rank: Ninja
9/2/2014 | 4:25:34 PM
Re: How do you kill it?
Actually, text messaging would be great. Someone snatches your phone while you are out with friends? No problem! Borrow their phone and text the "kill phrase" to yours and it's shutdown in seconds. Also, there are multiple websites that allow you to text any phone in the US. It's a reasonable way to handle the problem yourself.
mejiac
50%
50%
mejiac,
User Rank: Ninja
9/2/2014 | 3:55:14 PM
Re: Start the clock
@Ashu001,

Very true, and there is high demand in a market where consumers have less buying power, specially in third world countries.

Like everything else, nothing will ever be theft proof, but providers and manufacturers try to limit it as best as they can.
tkeller852
50%
50%
tkeller852,
User Rank: Apprentice
9/1/2014 | 11:27:18 PM
More on low value
I wondered just why the essentually no response attitude on the part of the local authorities but did not get a straight answer about it.  i would be surprised if the park is well connected from it's overhead appearance.  I got the idea they just consider the value of a cell phone not worth their attention.  They would, I am sure, if pressed claim insufficient resources.
Li Tan
50%
50%
Li Tan,
User Rank: Ninja
9/1/2014 | 10:48:58 AM
Re: Government activated kill switch
This is a tricky thing - even if we activated kill switch by law, how about those legacy phones? They will exist for long time and the effect of the law will materialize only in the long run.
BillB031
50%
50%
BillB031,
User Rank: Strategist
9/1/2014 | 7:36:56 AM
Re: Government activated kill switch
Seems like the Government is less concerned about theft, and more about disabling potential organizing of civil insurrection of one form or another....  Why the heck does the government care if you left your cell phone in a bar somewhere, or somebody lifted it out of your unlocked car?  
shamika
50%
50%
shamika,
User Rank: Ninja
8/31/2014 | 11:58:51 PM
Re: Government activated kill switch
@BillB031 – yes authorities have the legal right to interrupt telecommunications services, but do they really have to do this? What's the ultimate objective?
shamika
50%
50%
shamika,
User Rank: Ninja
8/31/2014 | 11:57:16 PM
Re: Start the clock
@Ashu – yes if someone offers you a phone for 50% most of us would buy it without knowing that it's a stolen phone, and finally we will face the consequences. 
Page 1 / 4   >   >>
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.