Mobile Phone Theft: An unsolvable problem?
Post on 28-Jan-2015
Copyright © 2011 Copper Horse Solutions Limited. All rights reserved
MOBILE PHONE THEFT: AN UNSOLVABLE PROBLEM?
OXFORD UNIVERSITY INFORMATION SECURITY & PRIVACY SEMINAR SERIES
David Rogers, Copper Horse Solutions Ltd.
26th October 2011
http://www.mobilephonesecurity.org
About Me
- 12 years in the mobile industry
- Hardware and software background
- Head of Product Security at Panasonic Mobile
- Worked with industry and government on IMEI and SIMlock security
- Pioneered some early work in mobile phone forensics
- Brought industry together on security information sharing
- Director of External Relations at OMTP
- Programme Manager for advanced hardware security tasks
- Chair of Incident Handling task
- Head of Security and Chair of Security Group at WAC
- Owner and Director at Copper Horse Solutions
- Blog: http://blog.mobilephonesecurity.org, Twitter: @drogersuk
About Copper Horse Solutions Ltd.
- Established in 2011
- Software and security company
- Focussed on the mobile phone industry
- Services:
  - Mobile phone security consultancy
  - Industry expertise
  - Standards representation
  - Mobile application development
http://www.copperhorsesolutions.com
SOME INFORMATION
THE PROBLEM
- Millions of mobile phones are stolen each year globally
- Some countries have not recognised it as a problem
- UK has led the way
- 2001 Home Office study:
  - 710,000 phones stolen in the UK every year
  - Large percentage of this was likely to be insurance fraud
- Despite many technical measures, it is still a problem today
TYPES OF THEFT
- Street theft / theft from user
  - Individual handsets (muggings etc.)
- Theft from shops
  - Multiples (burglaries)
- Bulk theft
  - Pallet loads (truck theft etc.)
YOUTH ON YOUTH CRIME
- School bag in 2011 is £000s different to 1991
- Issues with bullying, theft, abuse of service and re-sale of stolen handsets
- Education is key:
CRAVED
- Six elements that make products attractive to thieves: Concealable, Removable, Available, Valuable, Enjoyable, Disposable
- Report argues that “how much depends on ease of disposal”
From: Ron Clarke - ‘Hot Products: understanding, anticipating and reducing demand for stolen goods’ http://www.popcenter.org/problems/shoplifting/PDFs/fprs112.pdf
ROOT CAUSES
- Value of device
  - Can be shipped and sold overseas where it will still work
- Features and commodities on device
  - Apps, music, money
  - WiFi enables device to continue to be used
  - Theft of service – still an issue e.g. calls abroad
- Possession
  - It is just something else someone is carrying (belts have been stolen in the past!)
  - not allowing user to call for help
CAR CRIME V PHONE CRIME
Analogy everyone uses in government:
“we solved car crime by putting pressure on the manufacturers to introduce security, we can do the same for mobile phones”
- Mobile is different!
  - Remember CRAVED
  - Users need to access device very regularly – ease of access is very important
  - Much lower cost device than a car
  - Easy to lose, then subsequently stolen
  - Small, easy to export
  - High youth on youth crime
- Attention to car crime has reduced it significantly but:
  - Increases in carjacking and aggravated burglary (for keys)
  - Hacking of wireless ignition systems
Explanation of how a phone is disabled after theft
HOW BLOCKING WORKS
- Blacklisting (whitelists and greylists exist too)
- Also: in UK - NMPR – Police database of property can be checked while on patrol
[Diagram labels: CEIR (GSM Association), SEIR (Country), EIR (Operator); example IMEIs 357213000000290, 357213000000128, 357213000030123]
INDUSTRY STEPS OVER 10 YEARS
- Vastly improved IMEI security
- Manufacturers have fought a long battle with embedded systems hackers
- Industry “IMEI Weakness and Reporting and Correction Process”
  - 42 day reporting for fixes
- Progress reported regularly to European Commission
- UK charter on mobile phone theft and UKSEIR
- Operators still lagging with CEIR sign-up
  - Very few connected
- National governments need to take the lead
- Some operators not investing in EIRs
MOBILE TELEPHONES (RE-PROGRAMMING) ACT (2002)
http://www.legislation.gov.uk/ukpga/2002/31/contents
- Offences:
  - Change a unique device identifier
  - Interfere with the operation of a unique device identifier
  - Possession (with intent) of tool and offering to re-program
- Maximum 5 years imprisonment
- In the last 2 years, 5 investigations, no convictions*
- Problem – most tools were dual use (maintenance, SIMlock removal AND IMEI change). Very difficult and costly to prove
- Other offences involved are often more serious e.g. money laundering
- Deterrent effect?
* Source: National Mobile Phone Crime Unit
RECYCLING AND EXPORT
- Lots of stolen phones are exported, re-sold abroad through the web or “recycled”
- Recyclers Charter and Code of Practice
  - Check incoming phones are not stolen
- Some foreign recyclers offering to take blocked phones from the UK
- Very difficult to work out exactly how many stolen phones are exported as they just disappear
- Each network looks after their own data
- Evidence to suggest that stolen phones are exported to classic shipment hubs overseas such as Dubai
REGIONAL THEFT GUARD
- Investigated at length by industry
- An alternative method of disabling mobiles as not all operators were using the CEIR
- 3 solutions were investigated but proved to be at issue:
  - Could be subverted by other means once in place
  - High threat of collusion at a low level
  - Tough to prove originating operator / owner – e.g. whether stolen
- Not a panacea by any means
SITUATION NOW
From: http://www.dailymail.co.uk/news/article-2051414/iPhone-BlackBerry-phones-targetted-thieves-leads-7-rise-knifepoint-robbery.html?ito=feeds-newsxml
CURRENT STATS IN UK
- Mobile phone theft is increasing (FY 2010/11)
  - Nationally mobile phone thefts in all crime: +9.7%
  - Nationally mobile phones stolen during personal robbery: +13.4%
  - And in London during robbery: +21.4%
- 60% of all mobiles stolen in personal robbery in London are Blackberry or iPhone
COUNTERFEITS
From: http://reviews.ebay.com/Avoid-Buying-Fake-Nokia-Cell-Phone-Battery-On-eBay_W0QQugidZ10000000001916166
And: http://www.slashgear.com/uk-could-become-key-counterfeit-route-after-trademark-ruling-1452340/
COUNTERFEITS (2)
From: http://www.littleredbook.cn/2009/07/06/obamas-sponsorship-of-shanzhai-blockberry-chinese-netizens-reactions/
GLOBAL BLACKLISTING PROBLEMS
- Jurisdictional Differences
- Is the IMEI “personal data”?
- What about other features of the phone that are not disabled?
- Counterfeit devices deliberately copying legitimate IMEIs
- User error – wrong IMEI
- Human error in call centres
- Lost then found
- Blacklisting for other reasons such as fraud
- Network Operator A cannot trust data from Network Operator B
- Mass duplicates of IMEIs from counterfeit devices
- Not blacklisting quickly enough
- Social engineering of call centre staff
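
The blacklist check from HOW BLOCKING WORKS, with guards for two of the problems listed above (a wrongly entered IMEI, and mass duplicate IMEIs from counterfeits), as an added Python example that is not part of the original slides. The `Eir` class, its status names, the IMSI threshold and all sample values are assumptions made for illustration; the only standard fact relied on is that the 15th IMEI digit is a Luhn check digit.

```python
from collections import defaultdict

def luhn_ok(imei):
    """True if imei is 15 digits ending in a correct Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Eir:
    """Toy equipment identity register; list semantics are an assumption."""
    def __init__(self):
        self.black, self.grey = set(), set()

    def report_stolen(self, imei):
        # Reject malformed reports so a typo cannot block another handset.
        if not luhn_ok(imei):
            return False
        self.black.add(imei)
        return True

    def check(self, imei):
        if not luhn_ok(imei):
            return "invalid"
        if imei in self.black:
            return "blocked"
        return "tracked" if imei in self.grey else "allowed"

def duplicated_imeis(attach_events, max_imsis=2):
    """IMEIs seen with more than max_imsis distinct IMSIs (possible clones).
    The threshold is a tuning assumption; legitimate SIM swaps also occur."""
    seen = defaultdict(set)
    for imei, imsi in attach_events:
        seen[imei].add(imsi)
    return sorted(i for i, s in seen.items() if len(s) > max_imsis)

# Constructed sample data, not taken from the slides.
GOOD, OTHER = "490154203237518", "356938035643809"
TYPO = "490154203237581"  # GOOD with its last two digits swapped
EVENTS = [(GOOD, "234150000000001"), (GOOD, "234150000000002"),
          (GOOD, "234150000000003"), (OTHER, "234150000000004")]

if __name__ == "__main__":
    eir = Eir()
    print(eir.report_stolen(TYPO), eir.report_stolen(OTHER))
    print(eir.check(OTHER), eir.check(GOOD), duplicated_imeis(EVENTS))
```

The check digit only catches malformed entries; a well-formed IMEI that belongs to a different handset still passes, which is why the slide's other items (call-centre process, cross-operator trust) remain open problems.
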
NEAR FIELD COMMUNICATIONS
- Samsung, RIM, Google Wallet and others…
- Another reason to steal a phone
- Demo application developed for capturing credit card numbers
- Numerous attack scenarios outlined already
- Peer-to-peer payments
From: http://www.retroworks.co/scytale.htm
Access control is becoming much more important
From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm
BIOMETRICS
- Still immature on mobile devices
- Early solutions easy to defeat (e.g. gummy finger etc.)
- Requires significant processing power
- May see some kind of cloud-based solution emerge (e.g. voice biometrics)
- Android 4.0 has facial recognition based on acquisition of Pittsburgh Pattern Recognition
- Increased risk for the user
  - User as unlock key means user becomes the target of attack
  - Same issue as car crime
From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm
CHALLENGES FOR BIOMETRICS
False negatives:
- Eyelashes too long
- Long fingernails
- Arthritis
- Circulation problems
- People wearing hand cream
- People who’ve just eaten greasy foods
- People with brown eyes
- Fingerprint abrasion, includes: Manual labourers, typists, musicians
- People with cuts
- Disabled people
BIOMETRICS (2)
From: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm
RESULT OF: “USER IS THE KEY”
Sources: ITV, Evening Standard, BBC
HELPFUL TECHNOLOGY
- “Cloud” and 3rd party client applications:
  - Offline backup
  - Lock and wipe functionality
  - Locate my phone
  - Traditional anti-virus vendors are providing packaged functionality
  - Parental controls
- Not just technology – also consumer awareness and education
- Mobile industry is still well aware of the problem and willing to help
TRACKING STOLEN PHONES
- Being introduced as standard on many handsets
- Privacy concerns if misused
- What good is it if your phone appears abroad?
From: http://www.apple.com/iphone/built-in-apps/find-my-iphone.html
And: http://www.samsungdive.com/DiveMain.do
3RD PARTY SOLUTIONS
- Traditional AV vendors can finally add real value
- Packaged, holistic apps:
From: https://www.mylookout.com/features/missing-device/
3RD PARTY SOLUTIONS (2)
- Design Out Crime Competition
  - Usual “detect if user walks away” etc
- Over The Air event – Competition sponsored by NMPCU
  - Winner: “Freeze Punk”
  - Motion sensor using camera – e.g. in hotels / on tables
  - Another app for users without PINs: dummy banking app which initiates a tracking feature as it connects to the web can inform friends nearby to the phone
- Real life usage is often not compatible with anti-theft solutions
  - Barrier to disable feature – e.g. PIN
- Not easy to design something useful
POINT OF SALE REGISTRATION?
http://www.immobilise.com
WILL THE POLICE BE OVERWHELMED?
- Problem could become not one of theft, but of recovery
- Users are able to track and identify the location of their stolen goods
- No lawful way of users recovering them
- Users expect Police to do something
- Recovery of the phone is the most important thing
- Detection of crime is becoming extremely successful
- Need to think more carefully about how to manage theft and robbery problems
- Prevention becomes an imperative
THE ENGINEERING REQUIREMENTS OF AN UNSOLVABLE PROBLEM?
- Design a phone that is usable but immediately useless when stolen
- The phone may have multiple bearers and functions
- A phone that can be locked but reactivated if lost and found
- A global blocking system which is accurate and that works around the world for every phone
- A phone that keeps users’ data private and safe from disclosure if stolen or lost
From: http://www.retroworks.co/scytale.htm
DISCUSSION
Contact
Email: david.rogers@copperhorses.com
Twitter: @drogersuk
Blog: http://blog.mobilephonesecurity.org