Technology in mobile devices is continuing to advance at an incredible rate, but some of the old security themes continue to persist, mobile phone theft being one of them. This talk looks at the topic of mobile phone theft and what industry’s role has been in helping to prevent it and whether that has been entirely successful. The talk looks at what could happen next and whether it is possible to standardise usable anti-theft mechanisms within devices. It will also look at technologies such as biometrics for access control and whether Police and Government actions have been adequate in dealing with the modus operandi of thieves and fencers of stolen phones.
This talk was given by David Rogers on the 3rd of December 2013 as part of Bournemouth University's School of Design, Engineering and Computing's Cyber Seminar series.
2. http://www.mobilephonesecurity.org
The Problem
Millions of mobile phones are stolen each year globally
Some countries have not recognised it as a problem
– UK has led the way
2001 Home Office study:
– 710,000 phones stolen in the UK every year
– Large percentage of this was likely to be insurance fraud
Despite many technical measures, it is still a problem today
3. http://www.mobilephonesecurity.org
Types of Theft
Street theft / theft from user
– Individual handsets (muggings etc.)
Theft from shops
– Multiples (burglaries)
– ‘Steaming’ – group distraction /
disruption theft while shop is open
Bulk theft
– Pallet loads (truck theft etc.)
4. http://www.mobilephonesecurity.org
Youth on Youth Crime
School bag in 2011 is £000s different to 1991
Issues with bullying, theft, abuse of service and re-sale of stolen
handsets
Education is key:
5. http://www.mobilephonesecurity.org
CRAVED
Six elements that make products attractive to thieves:
–
–
–
–
–
–
Concealable
Removable
Available
Valuable
Enjoyable
Disposable
Report argues that “how much depends on ease of disposal”
From: Ron Clarke - ‘Hot Products: understanding,
anticipating and reducing
demand for stolen goods’
http://www.popcenter.org/problems/shoplifting/PDFs/fprs112.pdf
6. http://www.mobilephonesecurity.org
Violent Theft must be Addressed
From: http://www.dailymail.co.uk/news/article-2051414/iPhoneBlackBerry-phones-targetted-thieves-leads-7-rise-knifepointrobbery.html?ito=feeds-newsxml
8. http://www.mobilephonesecurity.org
Root Causes
Value of device
– Can be shipped and sold overseas where it will still work
Features and commodities on device
– Apps, music, money
– WiFi enables device to continue to be used
– Theft of service – still an issue e.g. calls abroad
Possession
– It is just something else someone is carrying (belts have been stolen in the
past!)
– not allowing user to call for help
9. Has been a focus for a long time…
„...what we have got to do is get to a situation where there is no
point in stealing them. The only way we can do that is with
the industry.“
Commissioner Sir Ian Blair 13/04/06
Mobile Phone Security - David Rogers
10. http://www.mobilephonesecurity.org
Car Crime v Phone Crime
Analogy everyone uses in government (especially the ‘Nudge’ unit* in the UK):
“we solved car crime by putting pressure on the manufacturers to introduce security,
we can do the same for mobile phones”
Mobile is different!
–
–
–
–
–
–
Remember CRAVED
Users need to access device very regularly – ease of access is very important
Much lower cost device than a car
Easy to lose, then subsequently stolen
Small, easy to export
High youth on youth crime
Attention to car crime has reduced it significantly but:
– Increases in carjacking and aggravated burglary (for keys)
– Hacking of wireless ignition systems
* Cabinet Office Behavioural Insights Team
12. http://www.mobilephonesecurity.org
How blocking works
Blacklisting (whitelists and greylists exist too)
357213000000290
357213000000128
357213000030123
GSM Association
Country
CEIR
SEIR
EIR
EIR
EIR
EIR
EIR
EIR
EIR
Operator
Also: in UK - NMPR – Police database of property can be checked while on
patrol
UK operators operate a ‘virtual’ SEIR (only take UK data from CEIR)
EIR = Equipment Identity Register, NMPR = National Mobile Phone Register, SEIR = Shared EIR, CEIR = Central EIR
13. http://www.mobilephonesecurity.org
Industry steps over 10 years
Vastly improved IMEI security
– Manufacturers have fought a long battle with embedded systems hackers
Industry “IMEI Weakness and Reporting and Correction Process”
– 42 day reporting for fixes
Progress reported regularly to European Commission
UK charter on mobile phone theft and UK SEIR
Operators still lagging with CEIR sign-up
– Very few connected – getting better though!
– National governments still need to take an active lead, but very few have
– Some operators not investing in EIRs
14.
15. Handset Embedded Security Evolution
RIM / Nokia proprietary
security features
Google / Apple
Proprietary hardware
security features
TCG MPWG
Specification
Banking / film industry
requirements
Fragmented Security
EICTA / GSMA 9 Principles
OMTP Trusted
Environment:
OMTP TR0
OMTP Advanced Trusted
Environment: OMTP TR1
WAC
webinos
GSMA Pay-Buy-Mobile
2002
2003
2004
2005
2006
2007
2008
2009
2010/11 2012
16. http://www.mobilephonesecurity.org
Mobile Telephones (Re-Programming) Act (2002)
http://www.legislation.gov.uk/ukpga/2002/31/contents
Offences:
– Change a unique device identifier
– Interfere with the operation of a unique device identifier
– Possession (with intent) of tool and offering to re-program
Maximum 5 years imprisonment
2009-2011 - 2 years, 5 investigations, no convictions*
Problem – most tools were dual use (maintenance, SIMlock removal AND IMEI
change). Very difficult and costly to prove
Other offences involved are often more serious
– e.g money laundering
Deterrent effect?
* Source: National Mobile Phone Crime Unit
17. http://www.mobilephonesecurity.org
Recycling and Export
Lots of stolen phones are exported, re-sold abroad through the
web or “recycled”
Recyclers Charter and Code of Practice
– Check incoming phones are not stolen
Some foreign recyclers offering to take blocked phones from the
UK
Very difficult to work out exactly how many stolen phones are
exported as they just disappear
– Each network looks after their own data
– Evidence to suggest that stolen phones are exported to classic shipment hubs
overseas such as Dubai
18. http://www.mobilephonesecurity.org
Regional Theft Guard
Investigated at length by industry
An alternative method of disabling mobiles as not all operators
were using the CEIR
3 solutions were investigated but proved to be at issue:
–
–
–
–
Could be subverted by other means once in place
High threat of collusion at a low level
Tough to prove originating operator / owner – e.g. whether stolen
Not a panacea by any means
21. http://www.mobilephonesecurity.org
Global Blacklisting Problems
Blacklisting for
other reasons
such as fraud
User error – wrong
IMEI
Social engineering of
call centre staff
Lost then
found
Jurisdictional Differences
Network Operator A
cannot trust data
from Network
Operator B
Mass duplicates of
IMEIs from
counterfeit devices
Not blacklisting
quickly enough
Counterfeit devices
deliberately copying
legitimate IMEIs
Is the IMEI “personal data”?
Human error in
call centres
What about other features of the
phone that are not disabled?
22. http://www.mobilephonesecurity.org
Near Field Communications
Samsung, RIM, Google Wallet and others…
Another reason to steal a phone
Demo application developed for capturing credit card numbers
Numerous attack scenarios outlined already
Peer-to-peer payments
From: http://www.retroworks.co/scytale.htm
24. http://www.mobilephonesecurity.org
Biometrics
Still immature on mobile devices
–
–
–
–
Early solutions easy to defeat (e.g. gummy finger etc.)
Requires significant processing power
May see some kind of cloud-based solution emerge (e.g. voice biometrics)
Android 4.0 started facial recognition based on acquisition of Pittsburgh
Pattern Recognition – not widely used by users
– iPhone 5S introduced TouchID
– 990 million devices with fingerprint sensors predicted by 2017
Increased risk for the user
– User as unlock key means user becomes the target of attack
– Same issue as car crime
Also see: http://blog.mobilephonesecurity.org/2013/09/you-are-key-fingerprint-access-on.html
26. Repeating the ‘gummy finger’ - tools needed
One trip to HobbyCraft….
100g Gedeo Siligum
(Silicone Moulding Paste)
£9.99
250ml Gedeo Latex
£3.99
Total Cost: £13.98
26
Note: Experiment conducted in 2005 by the author on an optical scanner. Originally described by Ton van der Putte in 2000 and by
Tsutomu Matsumoto in 2002
27. http://www.mobilephonesecurity.org
Challenges for Biometrics
False negatives:
–
–
–
–
–
–
–
–
–
–
Eyelashes too long
Long fingernails
Arthritis
Circulation problems
People wearing hand cream
People who’ve just eaten greasy foods
People with brown eyes
Fingerprint abrasion, includes: Manual labourers, typists, musicians
People with cuts
Disabled people
30. http://www.mobilephonesecurity.org
Helpful Technology
“Cloud” and 3rd party client applications:
–
–
–
–
–
Offline backup
Lock and wipe functionality
Locate my phone
Traditional anti-virus vendors are providing packaged functionality
Parental controls
Not just technology – also consumer awareness and education
Mobile industry is still well aware of the problem and willing to
help
31. http://www.mobilephonesecurity.org
Tracking Stolen Phones
Being introduced as standard on many handsets
Privacy concerns if misused
What good is it if your phone appears abroad?
From: http://www.apple.com/iphone/built-in-apps/find-my-iphone.html
And: http://www.samsungdive.com/DiveMain.do
34. Political Initiatives
• Not just US and UK, South American countries (through CITEL)
taking a strong lead and others are gradually following
35. Political Bandwagon?
“Each of your companies promote the
security of your devices, their software and
information they hold, but we expect the
same effort to go into hardware security so
that we can make a stolen handset
inoperable and so eliminate the illicit
second-hand market in these products”
Boris Johnson, Mayor of London, July 2013
1st December 2013
• But: cutting the National Mobile Phone
Crime Unit’s budget at the same time!
http://www.telegraph.co.uk/technology/news/10192726/Smartphone-manufacturers-told-to-introduce-kill-switch.html
http://www.telegraph.co.uk/comment/columnists/borisjohnson/10487320/Is-it-beyond-the-wit-of-tech-wizards-to-stop-phone-theft.html
36. New solutions example: Activation Lock
Apple introduced in iOS7 (but under some political pressure)
This is the right thing to do
Politicians are right that this type of thing is CSR*
Functionality becomes the target of hacks though
* Corporate Social Responsibility
http://cir.ca/news/prosecutors-rally-against-phone-theft
37. “Kill Switch”
Doesn’t accurately describe solutions being deployed by Apple,
Samsung
– Not all the same! Some apparently subscription based
Politicians and media love the term
If we really had a true ‘kill switch’ it would be a massive target for
cyber attacks
– Imagine killing every phone in the world?
Some technological solutions are becoming viable
– Not all about operators blacklisting IMEIs anymore
– Devices phone home to OS vendors
•
•
•
•
Value is in the things they access – e.g. software updates, app stores
OS vendors could take whitelists from GSMA
Verify location if stolen – give legitimate owner the option about what to do
Work with law enforcement to understand theft fencing / trade routes
38. Divide and Conquer?
Politicians are looking at the problem too simplistically
Separate operator and vendor meetings don’t help
– Just creates a blame game
– It didn’t work in 2001 and it doesn’t work in 2013
Some politicians stating that industry is deliberately profiting
from theft so is therefore not taking action
– This is crazy and false
– Have to remember it is the criminal who steals the phone
– More action is needed on all sides and some could do much better
All parties need to work together
– Government, Police, users and industry are all part of the solution
– Need to keep looking at things such as insurance fraud
– GSMA Device Security Steering Group is doing a lot of work on the
technical side
39. Statistics – people will always steal things?
9,000,000
8,000,000
7,000,000
6,000,000
5,000,000
4,000,000
3,000,000
2,000,000
1,000,000
-
Acquisitive crimes
2011-12
2010-11
2009-10
2008-09
2007-08
2006-07
2005-06
2004-05
2003-04
2002-03
2001-02
Involving mobile phones
Source: Crime Survey for England & Wales
http://webarchive.nationalarchives.gov.uk/20110218135832/rds.h
omeoffice.gov.uk/rds/pdfs07/bcs25.pdf
• How much has mobile phone ownership gone up in the last 10 years?
• We need to compare theft stats against ownership figures to give a true picture
40. Digging into the UK ONS mobile theft stats
Phone theft fell between 2008 and 2010 – the authors attribute it to the
MICAF charter.
There was a decrease in theft rates among children aged 10-17
The figures are only estimates and are extrapolated from the survey of a small
number of people
The estimated increase last year has not risen above the 2008/09 figures.
The survey asks people if they had a phone stolen – but that could be that
person’s perception still, it could easily have been lost.
The report acknowledges that phone theft peaked in 2003/04 and states that
“it is clear that mobile phone theft incidents remain a small fraction of overall
acquisitive crime”.
Incidents of mobile phone theft are more likely to be reported to the network
provider than the Police.
25% of incidents were not reported to the network provider:
– 43% of these “the phone was returned to the owner” – i.e. it probably wasn’t actually
stolen!
http://webarchive.nationalarchives.gov.uk/20110218135832/rds.h
omeoffice.gov.uk/rds/pdfs07/bcs25.pdf
Street theft impacts the user the most and can do in a physical and violent way.Theft from shops is still prevalent and impacts the store locally in terms of lost sales and the ultimately the company more widely in terms of increases in insurance premiums.Bulk theft goes under the radar of a lot of people. Mobile phones are targeted by organised criminal gangs from both storage warehouses through to lorries being hijacked. The Transport Asset Protection Association figures from August 2011 show that well over the biggest proportion of cargo thefts are electronics. Laptops, mobile phones and cameras are the most stolen products. The UK remains a hotspot for crime.This presentation concentrates mainly on the issues that affect users the most – street crime.Youth on youth crime is a particular problem
Robberies increase during times of hardship
This is not to say that further pressure is not necessary. A couple of manufacturers are still dragging their heels on security. New challenges such as additional bearers (e.g. WiFi) mean that IMEI blocking is not going to be 100% effective.It should be said that mobile operators have managed to stay below the radar and have not significantly invested in improving EIRs or in some cases overseas, are not using them at all to block phones.
(verbal run through of what happens)
UK crime reduction charter agreed between MICAF and Home Office with tests against SEIR blocking timesA lot of edge issues around unblocking / delisting such as: http://paulclarke.com/honestlyreal/2010/07/my-phones-been-blacklisted/
Hardware security in devices has massively improved with the introduction of various standards, including OMTP’s Advanced Trusted Environment, TR1. Some work needs to be done by a couple of manufacturers.
Manufacturers and their authorised agents (i.e. regional repair centres doing legitimate programming) are exemptThis act could also be theoretically used to target hardware hacking. Unique identifier also offers the opportunity to protect MAC address? Should this be a focus in the future? What about MAC address blocking?Offences like money laundering carry a much higher sentence and are more easy to prove than IMEI reprogramming
Non-use of the CEIR means that phones are just disappearing abroad
Fake phones are a real problem. This issue directly affects consumers in terms of the quality of the product they’re getting – for example exploding batteries are frequently fake because they don’t have the correct protection circuits. The RF performance of counterfeit devices has been shown to be really poor. Often these devices have dual SIM capability which is not something that you normally see in legitimate devices.From a theft / blocking point of view, many of these devices do not use correct or legitimate IMEIs. This leads to lots of duplicates. Counterfeit devices from China, known as “Shanzhai” are a particular problem in African countries. The MMF estimates that around 50% of phones in Uganda are fake.
There are countless examples such as this “Blockberry”, supposedly endorsed by Barrack Obama!
Managing a global blacklist is a nightmare.Sometimes just moving operators and giving the call centre operator a sob story is enough to make them de-list the blocked handset.
Easy to launder mobile wallet cash – just go and buy something for less than £10 in Argos then sell it on ebay / market stall
There are lots of different solutions out there, from PINs to pictures. The problem is that users opt for convenience and don’t think they need the PINlock until it is too late.
There are problems with cloud based solutions for authenticating to devices. The device may not always be able to get network.
There are problems with cloud based solutions for authenticating to devices. The device may not always be able to get network.
Biometrics put the whole access problem on the user
But even without biometrics, some horrific crimes can be committed for the thing that people have to “know”
This is Samsung’s ad campaign from India which tells a story with the moral “how far will you run with a stolen phone”. Video: http://youtu.be/9XkFfw6wduY
Backup, lock and wipe, just lock only, disable, locate featuresSome of these apps can also not be removed by a hard reset