This talk was given at Oxford University on the 26th of October 2011 as part of their Information Security and Privacy Programme.
Over the past ten years, considerable effort has been put into engineering preventative solutions, policing and locating lost and stolen devices. Unfortunately theft of mobile devices continues to be an issue. Youth on youth crime is a particular issue in today’s world, where children take hundreds of pounds worth of electronic equipment to school with them every day. This talk will explore the issues and ask the following questions: Are we looking at a social issue rather than a technological one? Does new technology such as NFC and basing our lives in the cloud increase the risk of theft? Would the introduction of biometrics on phones put us as users at more of a risk than if we didn’t have it?
Street theft impacts the user the most and can do so in a physical and violent way. Theft from shops is still prevalent and impacts the store locally in terms of lost sales and ultimately the company more widely in terms of increases in insurance premiums. Bulk theft goes under the radar of a lot of people. Mobile phones are targeted by organised criminal gangs, from storage warehouses through to lorries being hijacked. The Transport Asset Protection Association figures from August 2011 show that by far the biggest proportion of cargo thefts are electronics. Laptops, mobile phones and cameras are the most stolen products. The UK remains a hotspot for crime. This presentation concentrates mainly on the issues that affect users the most – street crime. Youth on youth crime is a particular problem.
This is not to say that further pressure is not necessary. A couple of manufacturers are still dragging their heels on security. New challenges such as additional bearers (e.g. WiFi) mean that IMEI blocking is not going to be 100% effective. It should be said that mobile operators have managed to stay below the radar and have not significantly invested in improving EIRs or, in some cases overseas, are not using them at all to block phones.
(verbal run through of what happens)
UK crime reduction charter agreed between MICAF and Home Office with tests against SEIR blocking times. A lot of edge issues around unblocking / delisting such as: http://paulclarke.com/honestlyreal/2010/07/my-phones-been-blacklisted/
Hardware security in devices has massively improved with the introduction of various standards, including OMTP’s Advanced Trusted Environment, TR1. Some work needs to be done by a couple of manufacturers.
Manufacturers and their authorised agents (i.e. regional repair centres doing legitimate programming) are exempt. This act could also theoretically be used to target hardware hacking. Unique identifier also offers the opportunity to protect MAC address? Should this be a focus in the future? What about MAC address blocking? Offences like money laundering carry a much higher sentence and are easier to prove than IMEI reprogramming.
Non-use of the CEIR means that phones are just disappearing abroad
Robberies increase during times of hardship
Snatch and pickpocketing are up
Fake phones are a real problem. This issue directly affects consumers in terms of the quality of the product they’re getting – for example exploding batteries are frequently fake because they don’t have the correct protection circuits. The RF performance of counterfeit devices has been shown to be really poor. Often these devices have dual SIM capability which is not something that you normally see in legitimate devices. From a theft / blocking point of view, many of these devices do not use correct or legitimate IMEIs. This leads to lots of duplicates. Counterfeit devices from China, known as “Shanzhai”, are a particular problem in African countries. The MMF estimates that around 50% of phones in Uganda are fake.
There are countless examples such as this “Blockberry”, supposedly endorsed by Barack Obama!
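To make the point about incorrect and duplicated IMEIs concrete, here is an added example (not from the talk) of the kind of triage a register operator could run over device sightings. The check digit rule is the standard Luhn check on the 15-digit IMEI; the sighting records, subscriber labels and the `max_subscribers` threshold are constructed assumptions.

```python
from collections import defaultdict

def luhn_ok(imei: str) -> bool:
    """True if imei is 15 digits and the last digit is the correct Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei[:14]):
        d = int(ch)
        if i % 2 == 1:              # every second digit, counted from the left
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10 == int(imei[14])

def triage(sightings, max_subscribers=2):
    """Map each suspicious IMEI to a reason. max_subscribers is an assumed
    threshold: a genuine handset can see a few SIM swaps, a cloned IMEI sees many."""
    subscribers = defaultdict(set)
    for imei, subscriber in sightings:
        subscribers[imei].add(subscriber)
    flagged = {}
    for imei, seen_with in subscribers.items():
        if len(set(imei)) == 1:     # e.g. all zeros, which still passes Luhn
            flagged[imei] = "placeholder"
        elif not luhn_ok(imei):
            flagged[imei] = "bad-check-digit"
        elif len(seen_with) > max_subscribers:
            flagged[imei] = "duplicate"
    return flagged

# Constructed sightings: (IMEI, subscriber label). Not real network data.
SIGHTINGS = [
    ("490154203237518", "SUB-A"),
    ("356938035643809", "SUB-B"), ("356938035643809", "SUB-C"),
    ("356938035643809", "SUB-D"), ("356938035643809", "SUB-E"),
    ("123456789012345", "SUB-F"),
    ("000000000000000", "SUB-G"),
]

if __name__ == "__main__":
    for imei, reason in triage(SIGHTINGS).items():
        print(imei, reason)
```

A passing check digit only shows the number is well formed; a counterfeit device can carry a copied, valid IMEI, which is why the duplicate test is the one that matters for blocking.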
Managing a global blacklist is a nightmare. Sometimes just moving operators and giving the call centre operator a sob story is enough to make them de-list the blocked handset.
Easy to launder mobile wallet cash – just go and buy something for less than £10 in Argos then sell it on eBay / market stall.
There are lots of different solutions out there, from PINs to pictures. The problem is that users opt for convenience and don’t think they need the PINlock until it is too late.
There are problems with cloud based solutions for authenticating to devices. The device may not always be able to get network.
Biometrics put the whole access problem on the user
But even without biometrics, some horrific crimes can be committed for the thing that people have to “know”
This is Samsung’s ad campaign from India which tells a story with the moral “how far will you run with a stolen phone”. Video: http://youtu.be/9XkFfw6wduY
Backup, lock and wipe, just lock only, disable, locate features. Some of these apps also cannot be removed by a hard reset.
Developers are coming up with some innovative ideas. The ugly truth is there is no silver bullet to mobile phone theft. However, the sum of the solutions may help to reduce the problem as a whole.
WiFi usage, UMA problems in the future? Should devices be further secured, how about MAC address security? My view: There is no one solution. This is a very complex problem, because of the differing circumstances, but we need a solution to the very difficult problem of export, supported by national / regional regulation. Users have to take their part too in terms of their own responsibility over stolen property.