Following the news that Microsoft and Google have just announced a ‘kill switch’ function for their phones, which will render them completely useless if they are stolen (http://www.bbc.co.uk/news/technology-27935972), Michael Sutton, VP security research at Zscaler, Mark James, technical team leader at ESET, David Harley, senior research fellow at ESET, and Mark Sparshott, EMEA Director at Proofpoint, explain why this is a good move but needs user education to be really beneficial:
Michael Sutton, VP at Zscaler, says:
“The kill switch implemented by Apple in iOS 7 has already had an impact by reducing iPhone/iPad thefts, so it's not surprising to see Google and Microsoft also moving in this direction. Kill switches are not a foolproof plan as thieves could still sell stolen devices for parts, but it does reduce the overall value of the device for the criminal. Attackers could also leverage kill switch functionality as leverage to demand ransom or activate the kill switch should they gain access to a user's account, but this is not generally a significant concern given the ease of backing up and recovering phone content from built-in cloud-based services.”
David Harley, senior research fellow at ESET, writes:
“It isn’t going to be possible to retrofit the kill switch to all models of smartphone. Of course, opportunistic thieves and muggers aren’t likely to check whether a phone is the latest model before deciding whether to steal it. And since they don’t necessarily aim to steal only phones, the target of zero thefts is unlikely to be achieved. I’m actually reluctant to take the statistics quoted at face value: I’m not sure opportunistic criminals are so discriminating that they won’t steal an iPhone in case the kill switch is activated. And while the BBC mentions the fact that some Samsung devices have a kill switch, there are actually statistics in the Attorney General’s report indicating that Samsung thefts increased over the same period. The report suggests that this is because Samsung’s implementation is far more recent and that Samsung thefts will decline in future due to that implementation. But that’s speculation, not statistics.
One of the reasons that many phone users may not be aware of the existence of an existing kill switch mechanism is that the vendors have so far declined to enforce the use of such a mechanism as the default (as law-enforcement agencies have proposed) rather than an opt-in measure. In fact, the Carriers and Trade Association (CITA) representing the telecoms industry has only come round to the idea in recent months.”
Mark James, technical team leader at ESET, reacts:
“Any measure to stop theft and resale of stolen items has got to be good. The idea that a mobile phone can be rendered useless if it is “reported stolen” will definitely form a small deterrent for criminals, but only of course if the phone details (IMEI) are recorded by the end user and then reported as lost or stolen. I would imagine it’s a relatively small number that would do this; relatively few people that I know of are aware that iOS 7 uses the Activation Lock feature (providing the end user sets up “Find My iPhone”). Whilst it’s great that the manufacturers make these features available, they need to inform EVERY user that purchases the phone, maybe even the cellular provider sending a welcome text explaining what needs to be done to be able to use the feature? User education is the key component here.”
Mark Sparshott, EMEA Director at Proofpoint, observes:
“With a UK market share of 54.9% and growing, the Kill Switch that Google plan to include in the next version of Android could be vital for reducing phone theft in the UK. However, getting the kill switch onto the majority of Android handsets may take months or years because most smartphones run old versions of Android and many never receive an update to the latest version. This is because Google is reliant on the phone manufacturers to verify the update for each model of handset, and the network providers like to incorporate it into their customised version of Android and push the update to their customers, and they are generally focused on new phones that bring in new revenue rather than updating older phones. So we need to wait for more details from Google on the exact capabilities of the Kill Switch, the versions of Android that will receive it and the reaction of the manufacturers and carriers before we can ascertain what this really means for smartphone theft. In the meantime, Android and Windows users can install third-party apps listed on the www.CIA.org website that deliver Kill Switch capabilities today.
However, phone theft for resale is only part of the problem; cybercriminals can make a lot of money by infecting your smartphone without it leaving your pocket. Research from Proofpoint shows that cybercriminals are using targeted email attacks, such as spear-phishing and longlining, that contain links to malicious websites which launch a customised attack based on the operating system and device the user is browsing on. Once a smartphone or other device is compromised, cybercriminals can monetise the smartphone in numerous ways, including identity theft, ad-clicking and extortion (e.g. demanding payment to decrypt the owner’s photos and files), as well as turning the smartphone into a robot (‘bot’) and enrolling it into an army of bots (‘botnet’) which is used for other types of cybercrime such as extorting businesses (e.g. DDoS attacks), manipulating share prices (aka Pump & Dump) and launching additional email attacks that exponentially grow the botnet and compound the problem.”