Mobile Device “Security”: The Problems of Remotely Disabling Stolen Phones
The problem of mobile device theft has become sufficiently severe that legislators have decided to file bills addressing it. Last week, US Senator Charles Schumer re-filed the Mobile Device Theft Deterrence Act of 2013, which makes modifying a device’s International Mobile Equipment Identity (IMEI) number a crime punishable by up to five years in federal prison. In theory, this is supposed to make it more difficult for stolen devices to be reused and thus make them less appealing to thieves. The CTIA, a trade group representing the wireless industry, has spoken out in support of the bill.
Having one’s mobile device stolen has real costs. Replacing a phone can cost hundreds of dollars; any data on the device may be either lost or stolen. Enterprises particularly care about the latter problem, an item we discussed in the report Embracing BYOD: Are You Exposing Critical Data?.
Even if the bill were passed, it’s unclear how much impact it would have, given how many stolen devices end up “exported” abroad. (Stolen goods being “exported” is not limited to electronics; for example, stolen cars have long been exported to places like Albania, Africa, and other less developed parts of the world.)
The bigger issue is that other solutions proposed to “fix” this problem may actually weaken mobile device security, not strengthen it. It’s frequently suggested that “remote kill” systems that can remotely disable stolen devices be included in new devices. However, these are very problematic from a security perspective: they would require the capability to remotely administer a device to be built into the device itself, i.e., a backdoor. If the capability to remotely kill a device is built into a product, it has to be assumed that a sufficiently determined attacker can access it and do whatever they want with that capability.
There’s also the thorny issue of who would hold the keys: both end users and organizations can be socially engineered, ending with a malicious attacker disabling (or just threatening to disable) a device. We’re supposed to make devices more secure over time, not less; a “remote kill” system brings with it very real potential problems. It may be better to focus on locating the device after it has been stolen; this capability is already built into iOS and Windows Phone, but not Android.
The real solution to the problem of stolen devices may be found by treating it as a police problem and not necessarily a technological one. Any proposed solution to device theft has to take all mobile security problems into consideration; the law of unintended consequences may strike again.
Using technology to solve a crime problem may only go so far.