Shiny Expensive Things: The Global Problem of Mobile Phone Theft

David Rogers
School of Design, Engineering and Computing, Bournemouth University
3rd December 2013
Copyright © 2013 Copper Horse Solutions Ltd. All rights reserved.


DESCRIPTION

Technology in mobile devices is continuing to advance at an incredible rate, but some of the old security themes continue to persist, mobile phone theft being one of them. This talk looks at the topic of mobile phone theft and what industry’s role has been in helping to prevent it and whether that has been entirely successful. The talk looks at what could happen next and whether it is possible to standardise usable anti-theft mechanisms within devices. It will also look at technologies such as biometrics for access control and whether Police and Government actions have been adequate in dealing with the modus operandi of thieves and fencers of stolen phones. This talk was given by David Rogers on the 3rd of December 2013 as part of Bournemouth University's School of Design, Engineering and Computing's Cyber Seminar series.

TRANSCRIPT

Page 1: Shiny Expensive Things: The Global Problem of Mobile Phone Theft


Page 2: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

The Problem

Millions of mobile phones are stolen each year globally

Some countries have not recognised it as a problem
– UK has led the way

2001 Home Office study:
– 710,000 phones stolen in the UK every year
– Large percentage of this was likely to be insurance fraud

Despite many technical measures, it is still a problem today

http://www.mobilephonesecurity.org

Page 3: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Types of Theft

Street theft / theft from user
– Individual handsets (muggings etc.)

Theft from shops
– Multiples (burglaries)
– ‘Steaming’ – group distraction / disruption theft while shop is open

Bulk theft
– Pallet loads (truck theft etc.)

Page 4: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Youth on Youth Crime

School bag in 2011 is £000s different to 1991

Issues with bullying, theft, abuse of service and re-sale of stolen handsets

Education is key:

Page 5: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

CRAVED

Six elements that make products attractive to thieves:
– Concealable
– Removable
– Available
– Valuable
– Enjoyable
– Disposable

Report argues that “how much depends on ease of disposal”

From: Ron Clarke - ‘Hot Products: understanding, anticipating and reducing demand for stolen goods’ http://www.popcenter.org/problems/shoplifting/PDFs/fprs112.pdf

Page 7: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Police Awareness Campaigns

UK Home Office TV Advert Campaign

Mobile Phone Security - David Rogers

Page 8: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Root Causes

Value of device
– Can be shipped and sold overseas where it will still work

Features and commodities on device
– Apps, music, money
– WiFi enables device to continue to be used
– Theft of service – still an issue e.g. calls abroad

Possession
– It is just something else someone is carrying (belts have been stolen in the past!)
– not allowing user to call for help

Page 9: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

“...what we have got to do is get to a situation where there is no point in stealing them. The only way we can do that is with the industry.”

Commissioner Sir Ian Blair 13/04/06

Has been a focus for a long time…


Page 10: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Car Crime v Phone Crime

Analogy everyone uses in government (especially the ‘Nudge’ unit* in the UK):

“we solved car crime by putting pressure on the manufacturers to introduce security, we can do the same for mobile phones”

Mobile is different!
– Remember CRAVED
– Users need to access device very regularly – ease of access is very important
– Much lower cost device than a car
– Easy to lose, then subsequently stolen
– Small, easy to export
– High youth on youth crime

Attention to car crime has reduced it significantly but:
– Increases in carjacking and aggravated burglary (for keys)
– Hacking of wireless ignition systems

* Cabinet Office Behavioural Insights Team

Page 11: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Explanation of how a phone is disabled after theft


Page 12: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

How blocking works

Blacklisting (whitelists and greylists exist too)

Also: in UK - NMPR – Police database of property can be checked while on patrol

UK operators operate a ‘virtual’ SEIR (only take UK data from CEIR)

[Diagram labels: CEIR (GSM Association); SEIR (Country); EIRs (Operator); example IMEIs 357213000000290, 357213000000128, 357213000030123]

EIR = Equipment Identity Register, NMPR = National Mobile Phone Register, SEIR = Shared EIR, CEIR = Central EIR

Page 13: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Industry steps over 10 years

Vastly improved IMEI security
– Manufacturers have fought a long battle with embedded systems hackers

Industry “IMEI Weakness and Reporting and Correction Process”
– 42 day reporting for fixes

Progress reported regularly to European Commission

UK charter on mobile phone theft and UK SEIR

Operators still lagging with CEIR sign-up
– Very few connected – getting better though!
– National governments still need to take an active lead, but very few have
– Some operators not investing in EIRs

Page 14: Shiny Expensive Things: The Global Problem of Mobile Phone Theft
Page 15: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

[Timeline figure: Handset Embedded Security Evolution, 2002 to 2012. Items shown: EICTA / GSMA 9 Principles; OMTP Trusted Environment: OMTP TR0; OMTP Advanced Trusted Environment: OMTP TR1; TCG MPWG Specification; GSMA Pay-Buy-Mobile; WAC; webinos; Banking / film industry requirements; RIM / Nokia proprietary security features; Google / Apple proprietary hardware security features; Fragmented Security]

Page 16: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Mobile Telephones (Re-Programming) Act (2002)

http://www.legislation.gov.uk/ukpga/2002/31/contents

Offences:
– Change a unique device identifier
– Interfere with the operation of a unique device identifier
– Possession (with intent) of tool and offering to re-program

Maximum 5 years imprisonment

2009-2011 - 2 years, 5 investigations, no convictions*

Problem – most tools were dual use (maintenance, SIMlock removal AND IMEI change). Very difficult and costly to prove

Other offences involved are often more serious
– e.g. money laundering

Deterrent effect?

* Source: National Mobile Phone Crime Unit

Page 17: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Recycling and Export

Lots of stolen phones are exported, re-sold abroad through the web or “recycled”

Recyclers Charter and Code of Practice
– Check incoming phones are not stolen

Some foreign recyclers offering to take blocked phones from the UK

Very difficult to work out exactly how many stolen phones are exported as they just disappear
– Each network looks after their own data
– Evidence to suggest that stolen phones are exported to classic shipment hubs overseas such as Dubai

Page 18: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Regional Theft Guard

Investigated at length by industry

An alternative method of disabling mobiles as not all operators were using the CEIR

3 solutions were investigated but proved to be at issue:
– Could be subverted by other means once in place
– High threat of collusion at a low level
– Tough to prove originating operator / owner – e.g. whether stolen
– Not a panacea by any means

Page 19: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Counterfeits

From: http://reviews.ebay.com/Avoid-Buying-Fake-Nokia-Cell-Phone-Battery-On-eBay_W0QQugidZ10000000001916166
And: http://www.slashgear.com/uk-could-become-key-counterfeit-route-after-trademark-ruling-1452340/

Page 21: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Global Blacklisting Problems

– Jurisdictional Differences
– Is the IMEI “personal data”?
– What about other features of the phone that are not disabled?
– Counterfeit devices deliberately copying legitimate IMEIs
– User error – wrong IMEI
– Human error in call centres
– Lost then found
– Blacklisting for other reasons such as fraud
– Network Operator A cannot trust data from Network Operator B
– Mass duplicates of IMEIs from counterfeit devices
– Not blacklisting quickly enough
– Social engineering of call centre staff
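The blocking chain from "How blocking works" and two of the blacklisting problems listed above (a mistyped IMEI, and counterfeit devices sharing one IMEI), as an added Python sketch that is not from the talk. The class and function names, the "XX" country code, the subscriber threshold and the sample IMEIs are constructed assumptions; the Luhn check digit and the use of subscriber (IMSI) counts go beyond what the slides mention.

```python
from collections import defaultdict

def imei_check_digit_ok(imei: str) -> bool:
    """True if a 15-digit IMEI passes the Luhn check on its final digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class CentralRegister:
    """Toy CEIR: one shared blacklist, each entry tagged with its reporter."""
    def __init__(self):
        self.blacklist = {}              # imei -> (country, operator)
        self.rejected = []               # reports refused at intake

    def report_stolen(self, imei, country, operator):
        if not imei_check_digit_ok(imei):    # catches most typing errors
            self.rejected.append((imei, operator))
            return False
        self.blacklist[imei] = (country, operator)
        return True

    def view_for(self, country=None):
        """Full list, or a 'virtual SEIR' holding one country's entries only."""
        return {i for i, (c, _) in self.blacklist.items()
                if country is None or c == country}

def eir_allows(imei, local_blacklist):   # operator EIR decision at attach
    return imei not in local_blacklist

def suspected_clones(sightings, max_subscribers=2):
    """IMEIs seen with more distinct subscribers (IMSIs) than one handset
    plausibly has; blacklisting these would also block the genuine owner."""
    seen = defaultdict(set)
    for imei, imsi in sightings:
        seen[imei].add(imsi)
    return {i for i, subs in seen.items() if len(subs) > max_subscribers}

# Constructed sample data (not real devices or subscribers).
STOLEN = "490154203237518"
TYPO = "490154203237581"                 # last two digits transposed
CLONED = "490154203237526"

def demo():
    ceir = CentralRegister()
    accepted = ceir.report_stolen(STOLEN, "GB", "operator-a")
    typo_accepted = ceir.report_stolen(TYPO, "GB", "operator-a")
    sightings = [(CLONED, f"imsi-{n}") for n in range(5)] + [(STOLEN, "imsi-a")]
    return {"accepted": accepted, "typo_accepted": typo_accepted,
            "blocked_in_uk": not eir_allows(STOLEN, ceir.view_for("GB")),
            "blocked_abroad": not eir_allows(STOLEN, ceir.view_for("XX")),
            "clones": suspected_clones(sightings)}

print(demo())
```

The handset blocked in the "GB" view is not blocked in the "XX" view, which takes only its own country's entries: the export gap the talk describes.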

Page 22: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Near Field Communications

Samsung, RIM, Google Wallet and others…

Another reason to steal a phone

Demo application developed for capturing credit card numbers

Numerous attack scenarios outlined already

Peer-to-peer payments

From: http://www.retroworks.co/scytale.htm

Page 23: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Access control is becoming much more important


From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

Page 24: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Biometrics

Still immature on mobile devices
– Early solutions easy to defeat (e.g. gummy finger etc.)
– Requires significant processing power
– May see some kind of cloud-based solution emerge (e.g. voice biometrics)
– Android 4.0 started facial recognition based on acquisition of Pittsburgh Pattern Recognition – not widely used by users
– iPhone 5S introduced TouchID
– 990 million devices with fingerprint sensors predicted by 2017

Increased risk for the user
– User as unlock key means user becomes the target of attack
– Same issue as car crime

Also see: http://blog.mobilephonesecurity.org/2013/09/you-are-key-fingerprint-access-on.html

Page 25: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Apple TouchID Hack / Reported Issues


Page 26: Shiny Expensive Things: The Global Problem of Mobile Phone Theft


Repeating the ‘gummy finger’ - tools needed

One trip to HobbyCraft….

100g Gedeo Siligum (Silicone Moulding Paste) £9.99

250ml Gedeo Latex £3.99

Total Cost: £13.98

Note: Experiment conducted in 2005 by the author on an optical scanner. Originally described by Ton van der Putte in 2000 and by Tsutomu Matsumoto in 2002

Page 27: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Challenges for Biometrics

False negatives:

– Eyelashes too long
– Long fingernails
– Arthritis
– Circulation problems
– People wearing hand cream
– People who’ve just eaten greasy foods
– People with brown eyes
– Fingerprint abrasion, includes: Manual labourers, typists, musicians
– People with cuts
– Disabled people

Page 28: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Biometrics (2)


From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

Page 29: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Result of: “User Is The Key”

Sources: ITV, Evening Standard, BBC


Page 30: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Helpful Technology

“Cloud” and 3rd party client applications:
– Offline backup
– Lock and wipe functionality
– Locate my phone
– Traditional anti-virus vendors are providing packaged functionality
– Parental controls

Not just technology – also consumer awareness and education

Mobile industry is still well aware of the problem and willing to help

Page 31: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Tracking Stolen Phones

Being introduced as standard on many handsets

Privacy concerns if misused

What good is it if your phone appears abroad?

From: http://www.apple.com/iphone/built-in-apps/find-my-iphone.html
And: http://www.samsungdive.com/DiveMain.do

Page 32: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

3rd Party Solutions

Traditional AV vendors can finally add real value

Packaged, holistic apps:

From: https://www.mylookout.com/features/missing-device/

Page 33: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Point of Sale Registration?

http://www.immobilise.com


Page 34: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Political Initiatives

• Not just US and UK, South American countries (through CITEL) taking a strong lead and others are gradually following

Page 35: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Political Bandwagon?

“Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products”

Boris Johnson, Mayor of London, July 2013

http://www.telegraph.co.uk/technology/news/10192726/Smartphone-manufacturers-told-to-introduce-kill-switch.html

http://www.telegraph.co.uk/comment/columnists/borisjohnson/10487320/Is-it-beyond-the-wit-of-tech-wizards-to-stop-phone-theft.html

1st December 2013

• But: cutting the National Mobile Phone Crime Unit’s budget at the same time!

Page 36: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

New solutions example: Activation Lock

Apple introduced in iOS7 (but under some political pressure)

This is the right thing to do

Politicians are right that this type of thing is CSR*

Functionality becomes the target of hacks though

* Corporate Social Responsibility

http://cir.ca/news/prosecutors-rally-against-phone-theft

Page 37: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

“Kill Switch”

Doesn’t accurately describe solutions being deployed by Apple, Samsung
– Not all the same! Some apparently subscription based

Politicians and media love the term

If we really had a true ‘kill switch’ it would be a massive target for cyber attacks
– Imagine killing every phone in the world?

Some technological solutions are becoming viable
– Not all about operators blacklisting IMEIs anymore
– Devices phone home to OS vendors
  • Value is in the things they access – e.g. software updates, app stores
  • OS vendors could take whitelists from GSMA
  • Verify location if stolen – give legitimate owner the option about what to do
  • Work with law enforcement to understand theft fencing / trade routes

Page 38: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Divide and Conquer?

Politicians are looking at the problem too simplistically

Separate operator and vendor meetings don’t help
– Just creates a blame game
– It didn’t work in 2001 and it doesn’t work in 2013

Some politicians stating that industry is deliberately profiting from theft so is therefore not taking action
– This is crazy and false
– Have to remember it is the criminal who steals the phone
– More action is needed on all sides and some could do much better

All parties need to work together
– Government, Police, users and industry are all part of the solution
– Need to keep looking at things such as insurance fraud
– GSMA Device Security Steering Group is doing a lot of work on the technical side

Page 39: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Statistics – people will always steal things?

[Chart: acquisitive crimes, and those involving mobile phones, by year from 2001-02 to 2011-12; axis scale 0 to 9,000,000]

Source: Crime Survey for England & Wales

http://webarchive.nationalarchives.gov.uk/20110218135832/rds.homeoffice.gov.uk/rds/pdfs07/bcs25.pdf

• How much has mobile phone ownership gone up in the last 10 years?
• We need to compare theft stats against ownership figures to give a true picture

Page 40: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

Digging into the UK ONS mobile theft stats

Phone theft fell between 2008 and 2010 – the authors attribute it to the MICAF charter.

There was a decrease in theft rates among children aged 10-17

The figures are only estimates and are extrapolated from the survey of a small number of people

The estimated increase last year has not risen above the 2008/09 figures.

The survey asks people if they had a phone stolen – but that could be that person’s perception still, it could easily have been lost.

The report acknowledges that phone theft peaked in 2003/04 and states that “it is clear that mobile phone theft incidents remain a small fraction of overall acquisitive crime”.

Incidents of mobile phone theft are more likely to be reported to the network provider than the Police.

25% of incidents were not reported to the network provider:
– 43% of these “the phone was returned to the owner” – i.e. it probably wasn’t actually stolen!

http://webarchive.nationalarchives.gov.uk/20110218135832/rds.homeoffice.gov.uk/rds/pdfs07/bcs25.pdf

Page 41: Shiny Expensive Things: The Global Problem of Mobile Phone Theft


Questions?

david.rogers {@} copperhorse.co.uk

@drogersuk

Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html

Page 42: Shiny Expensive Things: The Global Problem of Mobile Phone Theft

References

Immobilise: http://www.immobilise.com

Mobile Phone (Re-programming) Act 2002: http://www.legislation.gov.uk/ukpga/2002/31/contents

NMPCU: http://www.met.police.uk/mobilephone/

CCSG / MICAF: http://www.micaf.co.uk/home.asp

9 Principles: http://www.gsma.com/publicpolicy/wp-content/uploads/2012/10/Security-Principles-Related-to-Handset-Theft-3.0.0.pdf

OMTP TR1: http://www.gsma.com/newsroom/omtp-documents-1-1-omtp-advanced-trusted-environment-omtp-tr1-v1-1