This week, the major telecommunications carriers in the United States finally agreed to make a mandatory “kill switch” option available on all cell phones by 2015. It’s a move that has been praised as a long time coming and slammed as incremental. However, it has also been resisted in certain corners by those who feel that the option will be abused.
No one disputes that mobile phone theft is on the rise. The San Francisco police department has reported that a whopping 67% of all theft cases are related to mobile devices; 10% of phone owners have reportedly had a device stolen at some point. Consumer Reports claims that 1.2 million phones were stolen in 2012, with 3.1 million reported thefts in 2013. The question is whether a manufacturer-enabled “kill switch,” a method of disabling a device remotely, would be an effective means of short-circuiting a thriving market in stolen devices.
US carriers have previously balked at manufacturer-implemented kill switches. Samsung reportedly planned to include a LoJack-provided anti-theft kill switch last year, but multiple carriers refused to support it. San Francisco District Attorney George Gascon reported, “We have seen e-mails that indicate that the carriers refuse to allow Samsung to put a third-party solution in their phones… I think that this is motivated by profit.”
While carriers have implemented a database of stolen IMEI codes, reports from other news agencies indicate that changing the IMEI number on a phone, while a hassle, is something that black market rings are willing to do. In other countries, IMEI blocking efforts, have not been enough to slow the tide of cell phone thefts.
The carrier defense — someone could hack it
The most common reason for refusing to implement a kill switch, according to the carriers themselves, is that its very existence is a security risk. Let’s start by recognizing that this is true. A person with access to certain information could kill a device, no question. That includes hackers, vengeful exes, and anyone who fools the carrier with social engineering tricks.Having acknowledged that, it’s time to also acknowledge the fact that no one is discussing a 007-esque kill switch in which a device ignites or explodes seconds after activation. Some of the various kill switch methods would simply lock a phone, rendering it useless until the authorized owner reacquired and validated his or her identity. Some would allow wiping all contacts and data information off the device, thereby minimizing the chances of identity theft. Most of these methods come with their own trade-offs — the ability to wipe data remotely means that a malicious attacker could gain access to an account and destroy someone’s phone. Still, many of the kill switch options are reversible once the device is back in the hands of the original owner.
The second important point is that while carriers are raising the specter of “hackers” as a reason not to implement kill switches, they also make a great deal of money off selling special insurance plans that cover phone theft. Those insurance plans are further stacked against the customer by stipulating deductibles of up to $200 and stipulating that AT&T can give you a used or refurbished device to cover the new phone you just lost. In other words, you pay $7 a month for the privilege of paying $200 and grabbing a refurbished phone they’d otherwise hand you for free with a new two-year contract.
As for the idea that this is somehow a position to protect us all from hackers, it’s a nice fable. However, if telecommunications companies actually put much emphasis on user data security, AT&T wouldn’t have accidentally published the personal information of 114,000 iPad users in 2010 and both T-Mobile and Verizon wouldn’t be admitting to major data breaches in the past few months.
Cell phone companies, in other words, only seem concerned about our security when implementing it threatens a profit center. Even the new agreement only calls for the existence of a kill switch — it’ll be shipped to the customer deactivated, which means you’ll have to turn it on yourself. This is a critical point for carriers, because a great deal of consumer research shows that most people simply use default settings for any given product.
Furthermore, without mandatory, activated kill switches, the impact on cell phone theft will be minimal. If you know that every smartphone you steal is locked, you’re going to stop stealing them. If you only run into locks in the rare instance when someone has activated it, then the law of averages still encourages cell phone theft. By making the default position “off,” the carriers therefore ensure that the kill switches will generally fail — and that gives them ammunition to argue against any ruling or law passed by a state legislature that would require all shipping devices to activate the kill switch feature prior to sale.
This just isn’t a problem that cellular providers are particularly interested in solving. The discussion over theoretical hacking attempts is, on the one hand, an admission that miserable security practices are part of the status quo, as well as a tacit attempt to paint end users as the sole arbiters of device security. In a world where AT&T and Verizon took their end of the security chain seriously, that argument might fly. In the real world, it doesn’t.
Comments
Post a Comment