Shiny Expensive Things: The Global Problem of Mobile Phone Theft

1. Shiny Expensive Things: The Global Problem of Mobile Phone Theft David Rogers School of Design, Engineering and Computing Bournemouth University 3rd December 2013 Copyright © 2013 Copper Horse Solutions Ltd. All rights reserved. 1

2. http://www.mobilephonesecurity.org The Problem  Millions of mobile phones are stolen each year globally  Some countries have not recognised it as a problem – UK has led the way  2001 Home Office study: – 710,000 phones stolen in the UK every year – Large percentage of this was likely to be insurance fraud  Despite many technical measures, it is still a problem today

3. http://www.mobilephonesecurity.org Types of Theft  Street theft / theft from user – Individual handsets (muggings etc.)  Theft from shops – Multiples (burglaries) – ‘Steaming’ – group distraction / disruption theft while shop is open  Bulk theft – Pallet loads (truck theft etc.)

4. http://www.mobilephonesecurity.org Youth on Youth Crime  School bag in 2011 is £000s different to 1991  Issues with bullying, theft, abuse of service and re-sale of stolen handsets  Education is key:

5. http://www.mobilephonesecurity.org CRAVED  Six elements that make products attractive to thieves: – – – – – – Concealable Removable Available Valuable Enjoyable Disposable  Report argues that “how much depends on ease of disposal” From: Ron Clarke - ‘Hot Products: understanding, anticipating and reducing demand for stolen goods’ http://www.popcenter.org/problems/shoplifting/PDFs/fprs112.pdf

6. http://www.mobilephonesecurity.org Violent Theft must be Addressed From: http://www.dailymail.co.uk/news/article-2051414/iPhoneBlackBerry-phones-targetted-thieves-leads-7-rise-knifepointrobbery.html?ito=feeds-newsxml

7. Police Awareness Campaigns UK Home Office TV Advert Campaign Mobile Phone Security - David Rogers

8. http://www.mobilephonesecurity.org Root Causes  Value of device – Can be shipped and sold overseas where it will still work  Features and commodities on device – Apps, music, money – WiFi enables device to continue to be used – Theft of service – still an issue e.g. calls abroad  Possession – It is just something else someone is carrying (belts have been stolen in the past!) – not allowing user to call for help

9. Has been a focus for a long time… „...what we have got to do is get to a situation where there is no point in stealing them. The only way we can do that is with the industry.“ Commissioner Sir Ian Blair 13/04/06 Mobile Phone Security - David Rogers

10. http://www.mobilephonesecurity.org Car Crime v Phone Crime  Analogy everyone uses in government (especially the ‘Nudge’ unit* in the UK): “we solved car crime by putting pressure on the manufacturers to introduce security, we can do the same for mobile phones”  Mobile is different! – – – – – – Remember CRAVED Users need to access device very regularly – ease of access is very important Much lower cost device than a car Easy to lose, then subsequently stolen Small, easy to export High youth on youth crime  Attention to car crime has reduced it significantly but: – Increases in carjacking and aggravated burglary (for keys) – Hacking of wireless ignition systems * Cabinet Office Behavioural Insights Team

11. http://www.mobilephonesecurity.org Explanation of how a phone is disabled after theft

12. http://www.mobilephonesecurity.org How blocking works  Blacklisting (whitelists and greylists exist too) 357213000000290 357213000000128 357213000030123 GSM Association Country CEIR SEIR EIR EIR EIR EIR EIR EIR EIR Operator  Also: in UK - NMPR – Police database of property can be checked while on patrol  UK operators operate a ‘virtual’ SEIR (only take UK data from CEIR) EIR = Equipment Identity Register, NMPR = National Mobile Phone Register, SEIR = Shared EIR, CEIR = Central EIR

13. http://www.mobilephonesecurity.org Industry steps over 10 years  Vastly improved IMEI security – Manufacturers have fought a long battle with embedded systems hackers  Industry “IMEI Weakness and Reporting and Correction Process” – 42 day reporting for fixes  Progress reported regularly to European Commission  UK charter on mobile phone theft and UK SEIR  Operators still lagging with CEIR sign-up – Very few connected – getting better though! – National governments still need to take an active lead, but very few have – Some operators not investing in EIRs

14. Handset Embedded Security Evolution RIM / Nokia proprietary security features Google / Apple Proprietary hardware security features TCG MPWG Specification Banking / film industry requirements Fragmented Security EICTA / GSMA 9 Principles OMTP Trusted Environment: OMTP TR0 OMTP Advanced Trusted Environment: OMTP TR1 WAC webinos GSMA Pay-Buy-Mobile 2002 2003 2004 2005 2006 2007 2008 2009 2010/11 2012

15. http://www.mobilephonesecurity.org Mobile Telephones (Re-Programming) Act (2002)  http://www.legislation.gov.uk/ukpga/2002/31/contents  Offences: – Change a unique device identifier – Interfere with the operation of a unique device identifier – Possession (with intent) of tool and offering to re-program  Maximum 5 years imprisonment 2009-2011 - 2 years, 5 investigations, no convictions*  Problem – most tools were dual use (maintenance, SIMlock removal AND IMEI change). Very difficult and costly to prove  Other offences involved are often more serious – e.g money laundering  Deterrent effect? * Source: National Mobile Phone Crime Unit

16. http://www.mobilephonesecurity.org Recycling and Export  Lots of stolen phones are exported, re-sold abroad through the web or “recycled”  Recyclers Charter and Code of Practice – Check incoming phones are not stolen  Some foreign recyclers offering to take blocked phones from the UK  Very difficult to work out exactly how many stolen phones are exported as they just disappear – Each network looks after their own data – Evidence to suggest that stolen phones are exported to classic shipment hubs overseas such as Dubai

17. http://www.mobilephonesecurity.org Regional Theft Guard  Investigated at length by industry  An alternative method of disabling mobiles as not all operators were using the CEIR  3 solutions were investigated but proved to be at issue: – – – – Could be subverted by other means once in place High threat of collusion at a low level Tough to prove originating operator / owner – e.g. whether stolen Not a panacea by any means

18. http://www.mobilephonesecurity.org Counterfeits From: http://reviews.ebay.com/Avoid-Buying-Fake-Nokia-Cell-Phone-Battery-OneBay_W0QQugidZ10000000001916166 And: http://www.slashgear.com/uk-could-become-key-counterfeit-route-after-trademark-ruling-1452340/

19. http://www.mobilephonesecurity.org Counterfeits (2) From: http://www.littleredbook.cn/2009/07/06/o bamas-sponsorship-of-shanzhai-blockberrychinese-netizens-reactions/

20. http://www.mobilephonesecurity.org Global Blacklisting Problems Blacklisting for other reasons such as fraud User error – wrong IMEI Social engineering of call centre staff Lost then found Jurisdictional Differences Network Operator A cannot trust data from Network Operator B Mass duplicates of IMEIs from counterfeit devices Not blacklisting quickly enough Counterfeit devices deliberately copying legitimate IMEIs Is the IMEI “personal data”? Human error in call centres What about other features of the phone that are not disabled?

21. http://www.mobilephonesecurity.org Near Field Communications  Samsung, RIM, Google Wallet and others… Another reason to steal a phone  Demo application developed for capturing credit card numbers  Numerous attack scenarios outlined already  Peer-to-peer payments From: http://www.retroworks.co/scytale.htm

22. http://www.mobilephonesecurity.org Access control is becoming much more important From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

23. http://www.mobilephonesecurity.org Biometrics  Still immature on mobile devices – – – – Early solutions easy to defeat (e.g. gummy finger etc.) Requires significant processing power May see some kind of cloud-based solution emerge (e.g. voice biometrics) Android 4.0 started facial recognition based on acquisition of Pittsburgh Pattern Recognition – not widely used by users – iPhone 5S introduced TouchID – 990 million devices with fingerprint sensors predicted by 2017  Increased risk for the user – User as unlock key means user becomes the target of attack – Same issue as car crime Also see: http://blog.mobilephonesecurity.org/2013/09/you-are-key-fingerprint-access-on.html

24. http://www.mobilephonesecurity.org Apple TouchID Hack / Reported Issues

25. Repeating the ‘gummy finger’ - tools needed  One trip to HobbyCraft….  100g Gedeo Siligum (Silicone Moulding Paste) £9.99  250ml Gedeo Latex £3.99  Total Cost: £13.98 26 Note: Experiment conducted in 2005 by the author on an optical scanner. Originally described by Ton van der Putte in 2000 and by Tsutomu Matsumoto in 2002

26. http://www.mobilephonesecurity.org Challenges for Biometrics  False negatives: – – – – – – – – – – Eyelashes too long Long fingernails Arthritis Circulation problems People wearing hand cream People who’ve just eaten greasy foods People with brown eyes Fingerprint abrasion, includes: Manual labourers, typists, musicians People with cuts Disabled people

27. http://www.mobilephonesecurity.org Biometrics (2) From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

28. http://www.mobilephonesecurity.org Result of: “User Is The Key” Sources: ITV, Evening Standard, BBC

29. http://www.mobilephonesecurity.org Helpful Technology  “Cloud” and 3rd party client applications: – – – – – Offline backup Lock and wipe functionality Locate my phone Traditional anti-virus vendors are providing packaged functionality Parental controls  Not just technology – also consumer awareness and education  Mobile industry is still well aware of the problem and willing to help

30. http://www.mobilephonesecurity.org Tracking Stolen Phones  Being introduced as standard on many handsets  Privacy concerns if misused  What good is it if your phone appears abroad? From: http://www.apple.com/iphone/built-in-apps/find-my-iphone.html And: http://www.samsungdive.com/DiveMain.do

31. http://www.mobilephonesecurity.org 3rd Party Solutions  Traditional AV vendors can finally add real value  Packaged, holistic apps: From: https://www.mylookout.com/features/missing-device/

32. http://www.mobilephonesecurity.org Point of Sale Registration?  http://www.immobilise.com

33. Political Initiatives • Not just US and UK, South American countries (through CITEL) taking a strong lead and others are gradually following

34. Political Bandwagon? “Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products” Boris Johnson, Mayor of London, July 2013 1st December 2013 • But: cutting the National Mobile Phone Crime Unit’s budget at the same time! http://www.telegraph.co.uk/technology/news/10192726/Smartphone-manufacturers-told-to-introduce-kill-switch.html http://www.telegraph.co.uk/comment/columnists/borisjohnson/10487320/Is-it-beyond-the-wit-of-tech-wizards-to-stop-phone-theft.html

35. New solutions example: Activation Lock     Apple introduced in iOS7 (but under some political pressure) This is the right thing to do Politicians are right that this type of thing is CSR* Functionality becomes the target of hacks though * Corporate Social Responsibility http://cir.ca/news/prosecutors-rally-against-phone-theft

36. “Kill Switch”  Doesn’t accurately describe solutions being deployed by Apple, Samsung – Not all the same! Some apparently subscription based  Politicians and media love the term  If we really had a true ‘kill switch’ it would be a massive target for cyber attacks – Imagine killing every phone in the world?  Some technological solutions are becoming viable – Not all about operators blacklisting IMEIs anymore – Devices phone home to OS vendors • • • • Value is in the things they access – e.g. software updates, app stores OS vendors could take whitelists from GSMA Verify location if stolen – give legitimate owner the option about what to do Work with law enforcement to understand theft fencing / trade routes

37. Divide and Conquer?  Politicians are looking at the problem too simplistically  Separate operator and vendor meetings don’t help – Just creates a blame game – It didn’t work in 2001 and it doesn’t work in 2013  Some politicians stating that industry is deliberately profiting from theft so is therefore not taking action – This is crazy and false – Have to remember it is the criminal who steals the phone – More action is needed on all sides and some could do much better  All parties need to work together – Government, Police, users and industry are all part of the solution – Need to keep looking at things such as insurance fraud – GSMA Device Security Steering Group is doing a lot of work on the technical side

38. Statistics – people will always steal things? 9,000,000 8,000,000 7,000,000 6,000,000 5,000,000 4,000,000 3,000,000 2,000,000 1,000,000 - Acquisitive crimes 2011-12 2010-11 2009-10 2008-09 2007-08 2006-07 2005-06 2004-05 2003-04 2002-03 2001-02 Involving mobile phones Source: Crime Survey for England & Wales http://webarchive.nationalarchives.gov.uk/20110218135832/rds.h omeoffice.gov.uk/rds/pdfs07/bcs25.pdf • How much has mobile phone ownership gone up in the last 10 years? • We need to compare theft stats against ownership figures to give a true picture

39. Digging into the UK ONS mobile theft stats  Phone theft fell between 2008 and 2010 – the authors attribute it to the MICAF charter.  There was a decrease in theft rates among children aged 10-17  The figures are only estimates and are extrapolated from the survey of a small number of people  The estimated increase last year has not risen above the 2008/09 figures.  The survey asks people if they had a phone stolen – but that could be that person’s perception still, it could easily have been lost.  The report acknowledges that phone theft peaked in 2003/04 and states that “it is clear that mobile phone theft incidents remain a small fraction of overall acquisitive crime”.  Incidents of mobile phone theft are more likely to be reported to the network provider than the Police.  25% of incidents were not reported to the network provider: – 43% of these “the phone was returned to the owner” – i.e. it probably wasn’t actually stolen! http://webarchive.nationalarchives.gov.uk/20110218135832/rds.h omeoffice.gov.uk/rds/pdfs07/bcs25.pdf

40. Questions? david.rogers {@} copperhorse.co.uk @drogersuk Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-securitya-guide-for-users/paperback/product-21197551.html Copyright © 2013 Copper Horse Solutions Ltd. All rights reserved. 41

41. References  Immobilise: http://www.immobilise.com  Mobile Phone (Re-programming) Act 2002: http://www.legislation.gov.uk/ukpga/2002/31/contents  NMPCU: http://www.met.police.uk/mobilephone/  CCSG / MICAF: http://www.micaf.co.uk/home.asp  9 Principles: http://www.gsma.com/publicpolicy/wpcontent/uploads/2012/10/Security-Principles-Related-toHandset-Theft-3.0.0.pdf  OMTP TR1: http://www.gsma.com/newsroom/omtp-documents1-1-omtp-advanced-trusted-environment-omtp-tr1-v1-1