1. Shiny Expensive Things: The Global
Problem of Mobile Phone Theft
David Rogers
School of Design, Engineering and Computing
Bournemouth University
3rd December 2013
Copyright © 2013 Copper Horse Solutions Ltd. All rights reserved.
1

2. http://www.mobilephonesecurity.org
The Problem
 Millions of mobile phones are stolen each year globally
 Some countries have not recognised it as a problem
– UK has led the way
 2001 Home Office study:
– 710,000 phones stolen in the UK every year
– Large percentage of this was likely to be insurance fraud
 Despite many technical measures, it is still a problem today

3. http://www.mobilephonesecurity.org
Types of Theft
 Street theft / theft from user
– Individual handsets (muggings etc.)
 Theft from shops
– Multiples (burglaries)
– ‘Steaming’ – group distraction /
disruption theft while shop is open
 Bulk theft
– Pallet loads (truck theft etc.)

4. http://www.mobilephonesecurity.org
Youth on Youth Crime
 School bag in 2011 is £000s different to 1991
 Issues with bullying, theft, abuse of service and re-sale of stolen
handsets
 Education is key:

5. http://www.mobilephonesecurity.org
CRAVED
 Six elements that make products attractive to thieves:
–
–
–
–
–
–
Concealable
Removable
Available
Valuable
Enjoyable
Disposable
 Report argues that “how much depends on ease of disposal”
From: Ron Clarke - ‘Hot Products: understanding,
anticipating and reducing
demand for stolen goods’
http://www.popcenter.org/problems/shoplifting/PDFs/fprs112.pdf

6. http://www.mobilephonesecurity.org
Violent Theft must be Addressed
From: http://www.dailymail.co.uk/news/article-2051414/iPhoneBlackBerry-phones-targetted-thieves-leads-7-rise-knifepointrobbery.html?ito=feeds-newsxml

7. Police Awareness Campaigns
UK Home Office TV Advert Campaign
Mobile Phone Security - David Rogers

8. http://www.mobilephonesecurity.org
Root Causes
 Value of device
– Can be shipped and sold overseas where it will still work
 Features and commodities on device
– Apps, music, money
– WiFi enables device to continue to be used
– Theft of service – still an issue e.g. calls abroad
 Possession
– It is just something else someone is carrying (belts have been stolen in the
past!)
– not allowing user to call for help

9. Has been a focus for a long time…
„...what we have got to do is get to a situation where there is no
point in stealing them. The only way we can do that is with
the industry.“
Commissioner Sir Ian Blair 13/04/06
Mobile Phone Security - David Rogers

10. http://www.mobilephonesecurity.org
Car Crime v Phone Crime
 Analogy everyone uses in government (especially the ‘Nudge’ unit* in the UK):
“we solved car crime by putting pressure on the manufacturers to introduce security,
we can do the same for mobile phones”
 Mobile is different!
–
–
–
–
–
–
Remember CRAVED
Users need to access device very regularly – ease of access is very important
Much lower cost device than a car
Easy to lose, then subsequently stolen
Small, easy to export
High youth on youth crime
 Attention to car crime has reduced it significantly but:
– Increases in carjacking and aggravated burglary (for keys)
– Hacking of wireless ignition systems
* Cabinet Office Behavioural Insights Team

11. http://www.mobilephonesecurity.org
Explanation of how a phone is disabled after theft

12. http://www.mobilephonesecurity.org
How blocking works
 Blacklisting (whitelists and greylists exist too)
357213000000290
357213000000128
357213000030123
GSM Association
Country
CEIR
SEIR
EIR
EIR
EIR
EIR
EIR
EIR
EIR
Operator
 Also: in UK - NMPR – Police database of property can be checked while on
patrol
 UK operators operate a ‘virtual’ SEIR (only take UK data from CEIR)
EIR = Equipment Identity Register, NMPR = National Mobile Phone Register, SEIR = Shared EIR, CEIR = Central EIR

13. http://www.mobilephonesecurity.org
Industry steps over 10 years
 Vastly improved IMEI security
– Manufacturers have fought a long battle with embedded systems hackers
 Industry “IMEI Weakness and Reporting and Correction Process”
– 42 day reporting for fixes
 Progress reported regularly to European Commission
 UK charter on mobile phone theft and UK SEIR
 Operators still lagging with CEIR sign-up
– Very few connected – getting better though!
– National governments still need to take an active lead, but very few have
– Some operators not investing in EIRs

15. Handset Embedded Security Evolution
RIM / Nokia proprietary
security features
Google / Apple
Proprietary hardware
security features
TCG MPWG
Specification
Banking / film industry
requirements
Fragmented Security
EICTA / GSMA 9 Principles
OMTP Trusted
Environment:
OMTP TR0
OMTP Advanced Trusted
Environment: OMTP TR1
WAC
webinos
GSMA Pay-Buy-Mobile
2002
2003
2004
2005
2006
2007
2008
2009
2010/11 2012

16. http://www.mobilephonesecurity.org
Mobile Telephones (Re-Programming) Act (2002)
 http://www.legislation.gov.uk/ukpga/2002/31/contents
 Offences:
– Change a unique device identifier
– Interfere with the operation of a unique device identifier
– Possession (with intent) of tool and offering to re-program
 Maximum 5 years imprisonment
2009-2011 - 2 years, 5 investigations, no convictions*
 Problem – most tools were dual use (maintenance, SIMlock removal AND IMEI
change). Very difficult and costly to prove
 Other offences involved are often more serious
– e.g money laundering
 Deterrent effect?
* Source: National Mobile Phone Crime Unit

17. http://www.mobilephonesecurity.org
Recycling and Export
 Lots of stolen phones are exported, re-sold abroad through the
web or “recycled”
 Recyclers Charter and Code of Practice
– Check incoming phones are not stolen
 Some foreign recyclers offering to take blocked phones from the
UK
 Very difficult to work out exactly how many stolen phones are
exported as they just disappear
– Each network looks after their own data
– Evidence to suggest that stolen phones are exported to classic shipment hubs
overseas such as Dubai

18. http://www.mobilephonesecurity.org
Regional Theft Guard
 Investigated at length by industry
 An alternative method of disabling mobiles as not all operators
were using the CEIR
 3 solutions were investigated but proved to be at issue:
–
–
–
–
Could be subverted by other means once in place
High threat of collusion at a low level
Tough to prove originating operator / owner – e.g. whether stolen
Not a panacea by any means

19. http://www.mobilephonesecurity.org
Counterfeits
From: http://reviews.ebay.com/Avoid-Buying-Fake-Nokia-Cell-Phone-Battery-OneBay_W0QQugidZ10000000001916166
And: http://www.slashgear.com/uk-could-become-key-counterfeit-route-after-trademark-ruling-1452340/

20. http://www.mobilephonesecurity.org
Counterfeits (2)
From:
http://www.littleredbook.cn/2009/07/06/o
bamas-sponsorship-of-shanzhai-blockberrychinese-netizens-reactions/

21. http://www.mobilephonesecurity.org
Global Blacklisting Problems
Blacklisting for
other reasons
such as fraud
User error – wrong
IMEI
Social engineering of
call centre staff
Lost then
found
Jurisdictional Differences
Network Operator A
cannot trust data
from Network
Operator B
Mass duplicates of
IMEIs from
counterfeit devices
Not blacklisting
quickly enough
Counterfeit devices
deliberately copying
legitimate IMEIs
Is the IMEI “personal data”?
Human error in
call centres
What about other features of the
phone that are not disabled?

22. http://www.mobilephonesecurity.org
Near Field Communications
 Samsung, RIM, Google Wallet and others…
Another reason to steal a phone
 Demo application developed for capturing credit card numbers
 Numerous attack scenarios outlined already
 Peer-to-peer payments
From: http://www.retroworks.co/scytale.htm

23. http://www.mobilephonesecurity.org
Access control is becoming much more important
From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

24. http://www.mobilephonesecurity.org
Biometrics
 Still immature on mobile devices
–
–
–
–
Early solutions easy to defeat (e.g. gummy finger etc.)
Requires significant processing power
May see some kind of cloud-based solution emerge (e.g. voice biometrics)
Android 4.0 started facial recognition based on acquisition of Pittsburgh
Pattern Recognition – not widely used by users
– iPhone 5S introduced TouchID
– 990 million devices with fingerprint sensors predicted by 2017
 Increased risk for the user
– User as unlock key means user becomes the target of attack
– Same issue as car crime
Also see: http://blog.mobilephonesecurity.org/2013/09/you-are-key-fingerprint-access-on.html

25. http://www.mobilephonesecurity.org
Apple TouchID Hack / Reported Issues

26. Repeating the ‘gummy finger’ - tools needed
 One trip to HobbyCraft….
 100g Gedeo Siligum
(Silicone Moulding Paste)
£9.99
 250ml Gedeo Latex
£3.99
 Total Cost: £13.98
26
Note: Experiment conducted in 2005 by the author on an optical scanner. Originally described by Ton van der Putte in 2000 and by
Tsutomu Matsumoto in 2002

27. http://www.mobilephonesecurity.org
Challenges for Biometrics
 False negatives:
–
–
–
–
–
–
–
–
–
–
Eyelashes too long
Long fingernails
Arthritis
Circulation problems
People wearing hand cream
People who’ve just eaten greasy foods
People with brown eyes
Fingerprint abrasion, includes: Manual labourers, typists, musicians
People with cuts
Disabled people

28. http://www.mobilephonesecurity.org
Biometrics (2)
From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

29. http://www.mobilephonesecurity.org
Result of: “User Is The Key”
Sources: ITV, Evening Standard, BBC

30. http://www.mobilephonesecurity.org
Helpful Technology
 “Cloud” and 3rd party client applications:
–
–
–
–
–
Offline backup
Lock and wipe functionality
Locate my phone
Traditional anti-virus vendors are providing packaged functionality
Parental controls
 Not just technology – also consumer awareness and education
 Mobile industry is still well aware of the problem and willing to
help

31. http://www.mobilephonesecurity.org
Tracking Stolen Phones
 Being introduced as standard on many handsets
 Privacy concerns if misused
 What good is it if your phone appears abroad?
From: http://www.apple.com/iphone/built-in-apps/find-my-iphone.html
And: http://www.samsungdive.com/DiveMain.do

32. http://www.mobilephonesecurity.org
3rd Party Solutions
 Traditional AV vendors can finally add real value
 Packaged, holistic apps:
From: https://www.mylookout.com/features/missing-device/

33. http://www.mobilephonesecurity.org
Point of Sale Registration?
 http://www.immobilise.com

34. Political Initiatives
• Not just US and UK, South American countries (through CITEL)
taking a strong lead and others are gradually following

35. Political Bandwagon?
“Each of your companies promote the
security of your devices, their software and
information they hold, but we expect the
same effort to go into hardware security so
that we can make a stolen handset
inoperable and so eliminate the illicit
second-hand market in these products”
Boris Johnson, Mayor of London, July 2013
1st December 2013
• But: cutting the National Mobile Phone
Crime Unit’s budget at the same time!
http://www.telegraph.co.uk/technology/news/10192726/Smartphone-manufacturers-told-to-introduce-kill-switch.html
http://www.telegraph.co.uk/comment/columnists/borisjohnson/10487320/Is-it-beyond-the-wit-of-tech-wizards-to-stop-phone-theft.html

36. New solutions example: Activation Lock




Apple introduced in iOS7 (but under some political pressure)
This is the right thing to do
Politicians are right that this type of thing is CSR*
Functionality becomes the target of hacks though
* Corporate Social Responsibility
http://cir.ca/news/prosecutors-rally-against-phone-theft

37. “Kill Switch”
 Doesn’t accurately describe solutions being deployed by Apple,
Samsung
– Not all the same! Some apparently subscription based
 Politicians and media love the term
 If we really had a true ‘kill switch’ it would be a massive target for
cyber attacks
– Imagine killing every phone in the world?
 Some technological solutions are becoming viable
– Not all about operators blacklisting IMEIs anymore
– Devices phone home to OS vendors
•
•
•
•
Value is in the things they access – e.g. software updates, app stores
OS vendors could take whitelists from GSMA
Verify location if stolen – give legitimate owner the option about what to do
Work with law enforcement to understand theft fencing / trade routes

38. Divide and Conquer?
 Politicians are looking at the problem too simplistically
 Separate operator and vendor meetings don’t help
– Just creates a blame game
– It didn’t work in 2001 and it doesn’t work in 2013
 Some politicians stating that industry is deliberately profiting
from theft so is therefore not taking action
– This is crazy and false
– Have to remember it is the criminal who steals the phone
– More action is needed on all sides and some could do much better
 All parties need to work together
– Government, Police, users and industry are all part of the solution
– Need to keep looking at things such as insurance fraud
– GSMA Device Security Steering Group is doing a lot of work on the
technical side

39. Statistics – people will always steal things?
9,000,000
8,000,000
7,000,000
6,000,000
5,000,000
4,000,000
3,000,000
2,000,000
1,000,000
-
Acquisitive crimes
2011-12
2010-11
2009-10
2008-09
2007-08
2006-07
2005-06
2004-05
2003-04
2002-03
2001-02
Involving mobile phones
Source: Crime Survey for England & Wales
http://webarchive.nationalarchives.gov.uk/20110218135832/rds.h
omeoffice.gov.uk/rds/pdfs07/bcs25.pdf
• How much has mobile phone ownership gone up in the last 10 years?
• We need to compare theft stats against ownership figures to give a true picture

40. Digging into the UK ONS mobile theft stats
 Phone theft fell between 2008 and 2010 – the authors attribute it to the
MICAF charter.
 There was a decrease in theft rates among children aged 10-17
 The figures are only estimates and are extrapolated from the survey of a small
number of people
 The estimated increase last year has not risen above the 2008/09 figures.
 The survey asks people if they had a phone stolen – but that could be that
person’s perception still, it could easily have been lost.
 The report acknowledges that phone theft peaked in 2003/04 and states that
“it is clear that mobile phone theft incidents remain a small fraction of overall
acquisitive crime”.
 Incidents of mobile phone theft are more likely to be reported to the network
provider than the Police.
 25% of incidents were not reported to the network provider:
– 43% of these “the phone was returned to the owner” – i.e. it probably wasn’t actually
stolen!
http://webarchive.nationalarchives.gov.uk/20110218135832/rds.h
omeoffice.gov.uk/rds/pdfs07/bcs25.pdf

41. Questions?
david.rogers {@} copperhorse.co.uk
@drogersuk
Mobile Security: A Guide for Users:
http://www.lulu.com/gb/en/shop/david-rogers/mobile-securitya-guide-for-users/paperback/product-21197551.html
Copyright © 2013 Copper Horse Solutions Ltd. All rights reserved.
41

42. References
 Immobilise: http://www.immobilise.com
 Mobile Phone (Re-programming) Act 2002:
http://www.legislation.gov.uk/ukpga/2002/31/contents
 NMPCU: http://www.met.police.uk/mobilephone/
 CCSG / MICAF: http://www.micaf.co.uk/home.asp
 9 Principles: http://www.gsma.com/publicpolicy/wpcontent/uploads/2012/10/Security-Principles-Related-toHandset-Theft-3.0.0.pdf
 OMTP TR1: http://www.gsma.com/newsroom/omtp-documents1-1-omtp-advanced-trusted-environment-omtp-tr1-v1-1