The Trouble With Smartphone Kill Switches - InformationWeek

The Trouble With Smartphone Kill Switches

To fight smartphone theft, public officials tell smartphone makers to add remote-deactivation, tracking and recovery features. But manufacturers may not do the job right.

Authorities are looking to handset manufacturers to implement smartphone "kill switches" that are designed to make the devices unattractive to thieves and recoverable for owners. But given their track record, there is no guarantee that smartphone makers will implement the right technology for the job.

"We need the industry to take this issue seriously and come up with a technical solution that can squash the illegal smartphone market that is fuelling this crime," London mayor Boris Johnson said last week.

Smartphone crime is a public safety issue, with police in many cities reporting a related rise in crime: London police say they see 10,000 smartphone thefts per month. In 2012, half of all robberies in San Francisco targeted a smartphone, while in New York City last year, the figure was 40%, according to statistics supplied by "Secure Our Smartphones," a program launched earlier this year by New York State Attorney General Eric Schneiderman and San Francisco District Attorney George Gascon, and recently joined by London.

All told, Consumer Reports estimates that 1.6 million Americans were victims of phone theft last year.

High-end smartphones are expensive to buy and lucrative to resell. Some models reportedly fetch up to $1,200 each in Hong Kong. Many phones ultimately end up in Africa and Asia, where they're wiped and rolled out on new cellular networks, according to law enforcement experts. Even if the devices are still running tracking software, you can kiss them goodbye.

The SOS program is calling on smartphone manufacturers to add public safety features to their devices. While specifics are so far scarce, such features might include remote-deactivation technology to render smartphones inoperable.

The first round of SOS, however, was a dud, after Gascon attempted to convince carriers -- including AT&T -- to do something about smartphone theft. They declined, although they say they're building a global database to help track stolen smartphones.

Accordingly, Gascon has redirected his attention to handset manufacturers. But can many smartphone manufacturers be relied on to build a kill switch that's good enough to enable devices to be recovered, yet tough enough to withstand hack attacks? Consider the Android add-on software and skins added by so many handset manufacturers to their devices. Bloatware is the charitable word for such software, which too often poses a security risk because add-ons can introduce entirely new, exploitable vulnerabilities.

Of course, some smartphones already sport remote-kill features, such as the new Android Device Manager from Google, or the "wipe your iPhone" (or iPad) feature built into iOS devices. But they're more of a convenience than a theft-prevention feature. "Apple's switch renders the phone inoperable, but you have no way of getting it back," says Stephen Midgley, VP of marketing for Absolute Software, in an interview. Absolute has long made laptop-recovery software that uses software agents installed in device firmware.

"If the phone is stolen, you may be able to track it using 'find my phone' functionality, but we certainly don't recommend that consumers try to recover their own device," he says. "So being able to use a kill switch to remotely wipe or brick the device, but also recover the device, is of equal importance to either find the person who did it and make them accountable, or provide that information to police, so they can then take action."

To be viable, recovery software must involve some sort of persistent tracking technology installed on devices. That happens to be the type of software agent used by Absolute's Lojack for Mobile Devices software, which costs $30 per year to use, and so far is only available on Samsung Galaxy S4 devices, for which it's built into the device's firmware. Midgley said that approach is essential for making the tracker tough to find or delete, thus bettering the odds that it will remain running if the device gets stolen and helping the company's dedicated recovery team. Even if the phone does move to a part of the world where getting it back would be difficult, the location information may still be of use to law enforcement agencies amassing intelligence on the criminal gangs involved.

Samsung is doubling down on Absolute's recovery software, which will also feature in Samsung Knox. Due out later this year, Knox aims to give enterprises a more secure version of Android for business use, including secure boot, plus application containers to separate business apps from consumer apps.

Bolstering the tracking and recovery services built into smartphones stands to benefit both businesses and consumers. Still, what's to prevent enterprising hackers from using recovery or remote-wipe tools to forcibly deactivate or delete numerous Android devices in one go? That's an open question. "For solutions that use applications to control the phone's hardware, there is always a risk" that the app may draw the attention of hackers, or be used to access or wipe the data it's meant to protect, Jim Butterworth, CSO of technology security firm HBGary, tells me via email. "But an app can and should be created with controls to login and operate the app itself, as well as being limited in code to only the functions it requires in order to work."

In other words, handset manufacturers that build their own recovery tools must employ secure coding practices and extensive testing to ensure that add-on security apps can't be hacked, but instead can only be accessed by an approved recovery provider -- or perhaps the subscriber's carrier. Likewise, they'll need to have any recovery software they put on the devices tested to ensure that would-be attackers can't simply erase the software from the device or flash the firmware, before sending the phone to its new life overseas.

Alternately, handset manufacturers can tap third-party software vendors and recovery services. Given many handset manufacturers' previous, poor track record when it comes to developing their Android add-ons, let's hope that -- with the possible exception of Apple and Google, which excel at building their own software -- manufacturers tap a third-party information security specialist. If you value your phone, and chances of recovering any device that gets stolen, that's the best blueprint for building in kill switches, zappers or whatever technology may help deter theft.

User Rank: Apprentice
8/20/2013 | 4:19:25 AM
re: The Trouble With Smartphone Kill Switches
There really isn't a clear solution out there for tracking and security phone software. Even if they develop apps that have the capability to track phones remotely and are unable to be wiped out by whoever took it, there is also the task of recovering it. From what I've seen it really isn't too easy to have law enforcement officers take phone recovery seriously when most of them are already overworked and busy with more pressing matters.

Jay Simmons
Information Week Contributor
User Rank: Ninja
8/15/2013 | 1:27:44 AM
re: The Trouble With Smartphone Kill Switches
Agreed. And by brick, you have to completely fry the whole phone. If you just fry the SOC, cell radio or flash memory, there will still be a market for "chop shops" that resell the display, battery, buttons, switches and enclosure.
Of course the problem with truly frying it (i.e. short-circuit the battery and melt the innards) is the risk of fire and personal injury -- to both legitimate owners and criminals. Yes, criminals. I guarantee you that the first criminal that gets burned will find an ambulance chasing lawyer and quickly go public and go loud. Of course they will be an extremely economically disadvantaged teenager that was only stealing so they could buy medications for their terminally ill mother and/or feed their younger siblings.
Thomas Claburn,
User Rank: Author
8/14/2013 | 7:59:51 PM
re: The Trouble With Smartphone Kill Switches
I hope that whatever gets implemented is under user rather than manufacturer control.
Lorna Garey,
User Rank: Author
8/14/2013 | 6:38:29 PM
re: The Trouble With Smartphone Kill Switches
I think the key is ubiquitousness and prioritizing the "brick" part of the "brick it and recover it" equation. Once thieves believe the chances are 90% or better that a stolen phone will be unusable even in Asia, the problem will abate. At that point, recovery becomes moot.
User Rank: Apprentice
8/14/2013 | 4:29:35 PM
re: The Trouble With Smartphone Kill Switches
Nice article to save your mobile from thieves. But what should Samsung's existing customers do for security purposes?
Shane M. O'Neill,
User Rank: Author
8/14/2013 | 3:49:23 PM
re: The Trouble With Smartphone Kill Switches
Lots to think about in this article. Seems like the perfect mix of hacker-proof location tracking and remote wipe capability is still out of reach. Leaving it to a third-party app is risky because it's too easy for a hacker to infiltrate the app, and same goes for manufacturers baking kill-switch tech into the hardware. No easy answer. Manufacturers have to make mobile security a priority. In the meantime, password protect your phones people!
David F. Carr,
User Rank: Author
8/14/2013 | 2:17:05 PM
re: The Trouble With Smartphone Kill Switches
To be certain you'd killed the phone, you'd probably need to make it self destruct, frying the circuits Mission Impossible style. Then you'd probably have misfires where phones are blowing up for no good reason.