On Aug. 25, California Governor Jerry Brown signed Senate Bill 962, which requires "kill switches" on smartphones sold in California, starting July 1, 2015.
The bill narrowly failed a vote in the California State Senate in April because of concerns it would be bad for business. It passed when revisited in August. In an effort to avoid the imposition of a mandatory kill switch requirement, CTIA-The Wireless Association, a wireless communications trade group, proposed a voluntary agreement to include "a baseline anti-theft tool" in US smartphones that could be either pre-loaded or downloaded.
But New York attorney general Eric T. Schneiderman and San Francisco district attorney George Gascón urged that the kill switch be enabled by default. And that's essentially what California's law requires, unlike the smartphone anti-theft law passed in Minnesota earlier this year.
The law represent an attempt to reduce rampant smartphone theft. Approximately 30% to 40% of robberies in major US cities involve the theft of mobile communications devices, according to the San Francisco district attorney's office. In San Francisco, that figure is 65%.
[Are your mobile apps leaking data? See NIST Drafts Mobile App Security Guidelines.]
A kill switch enables the phone's owner to disable the device remotely, via wireless command, so that it cannot be used. Law enforcement officials argue that widespread use of kill switches will reduce the incentive to steal smartphones.
With Apple, Google, Microsoft, Samsung, and other handset makers and mobile carriers onboard, the kill-switch train has left the station. However, there's a lot of confusion about what the kill switch actually does. Here's what you need to know.
Will a kill switch "kill" a smartphone that has been reported stolen?
No. Killing is a reversible process. Smartphones rendered inoperable through a kill switch can be restored. The law states, "The technological solution shall be reversible, so that if an authorized user obtains possession of the smartphone after the essential features of the smartphone have been rendered inoperable, the operation of those essential features can be restored by an authorized user." Will thieves and hackers find a way to resurrect dead phones? They will certainly try.
Are all smartphones sold in California subject to the law?
No. The law applies to smartphones sold at retail in the state, or shipped to a customer who will use the device at a California address, on or after July 15, 2015. It does not apply to smartphone models introduced before Jan. 1, 2015, that cannot reasonably be re-engineered to support the kill-switch code provided by the handset maker or operating system maker. It also does not apply to smartphones resold in California on the secondhand market.
Must smartphone kill switches be enabled by default?
No. That's what law enforcement officials advocated, but it's not a feasible request. Customer information must be input before the customer can trigger device deactivation. Phone makers do not now have the capability to place customer data on a smartphone and configure the device before the customer has taken possession of the device. It would be necessary to have that information for a kill switch that's available by default. That's why the law states, "[T]he default setting of the [kill switch] shall be to prompt the consumer to enable the solution during the initial device setup."
Can smartphone kill switches be disabled?
Yes. The law states, "Consumers should have the option to affirmatively elect to disable this protection, but it must be clear to the consumer that the function the consumer is electing to disable is intended to prevent the unauthorized use of the device." The kill switch can also be prevented from functioning when the device has been powered down or radio signals have been blocked. Recent Android and iOS devices include a setting that will erase data after a specified or preset number of failed password attempts.
Does Apple's Activation Lock qualify as a kill switch under California's law?
No. Apple's security mechanism is close, but the iOS 7 setup process doesn't appear to meet the law's requirements. Activation Lock is enabled automatically when you turn on Find My iPhone in iOS 7. In order to do so, you must first enable iCloud, which requires an Apple ID. Both iCloud and an Apple ID are currently optional for iPhone customers (though an Apple ID is necessary to download apps and updates). A compliant implementation would present an activation screen for Find My iPhone and Activation Lock in a way it couldn't be missed by skipping prerequisite actions. Apple's iOS 8 should be available within a few weeks and it may address these issues.
Will a kill switch will erase the data on my smartphone?
Maybe. Activating a kill switch should make it look as if the data on the device is gone, but it could still be there. In July, security vendor Avast said that it had recovered data from Android devices that had been "factory reset." If Android data has been encrypted, then the potential persistence of that data becomes less of an issue. The addition of enterprise security like KNOX improves the situation for Android users.
On iOS, the factory wipe appears to be reliable. In an email, forensic researcher Jonathan Zdziarski said Apple's factory data wipe works well, provided the device has not been jailbroken and has network access. "The encrypted file system structure hinges on a key hierarchy with only three sets of keys at the very top," he said. "It takes mere seconds for the device to wipe these keys, rendering the rest of the file system irrecoverable."
But network access is critical. "If a thief is able to disable the device's WiFi and cellular data before the owner is aware the device is stolen, or before they issue a wipe, then of course the thief could preserve the data and even make a backup or forensic image of it," Zdziarski said. "The thief could use a Faraday bag, which is an inexpensive law enforcement instrument for blocking signals to a device. [The thief] could also just pull the SIM and leave range of any known WiFi networks."
Zdziarski prefers the technique used by BlackBerry for enterprise devices: automatically wiping the device if it has not checked in with the network after a preset period of time.
Do smartphone kill switches deter smartphone theft?
Yes, at least until thieves discover Faraday bags. Apple deployed its take on a kill switch last fall with the debut of Activation Lock in iOS 7. According to a report published over the summer, "Secure Our Smartphone Initiative: One Year Later," the technology has already had a positive effect on iPhone theft. "[I]n the first five months of 2014, shortly after Apple introduced Activation Lock, the theft of Apple devices fell by 17% in New York City, while thefts of Samsung products increased by 51% compared to the same time period in the previous year," the report says.
Will only the phone's owner will be able to activate the kill switch?
No. But the chance of someone killing your phone without consent isn't very likely. Authorities have the legal right to interrupt telecommunications services, and California's new kill-switch law authorizes them to use kill switches to do so in accordance with state public utility rules: "Any request by a government agency to interrupt communications service utilizing [a kill switch] is subject to Section 7908 of the Public Utilities Code." The law also spares phone sellers from liability if the kill switch is misused by hackers, a provision that wouldn't be necessary if misuse weren't a possibility.
Today's endpoint strategies need to center on protecting the user, not the device. Here's how to put people first. Get the new User-Focused Security issue of Dark Reading Tech Digest today. (Free registration required.)