This talk was given at Oxford University on the 26th of October 2011 as part of their Information Security and Privacy Programme.
Over the past ten years, considerable effort has been put into engineering preventative solutions, policing and locating lost and stolen devices. Unfortunately theft of mobile devices continues to be an issue. Youth on youth crime is a particular issue in today’s world, where children take hundreds of pounds worth of electronic equipment to school with them every day. This talk will explore the issues and ask the following questions: Are we looking at a social issue rather than a technological one? Does new technology such as NFC and basing our lives in the cloud increase the risk of theft? Would the introduction of biometrics on phones put us as users at more of a risk than if we didn’t have it?
About Me
12 years in the mobile industry
Hardware and software background
Head of Product Security at Panasonic Mobile
Worked with industry and government on IMEI and SIMlock security
Pioneered some early work in mobile phone forensics
Brought industry together on security information sharing
Director of External Relations at OMTP
Programme Manager for advanced hardware security tasks
Chair of Incident Handling task
Head of Security and Chair of Security Group at WAC
Owner and Director at Copper Horse Solutions
Blog: http://blog.mobilephonesecurity.org, Twitter: @drogersuk
About Copper Horse Solutions Ltd.
Established in 2011
Software and security company
Focussed on the mobile phone industry
Services:
Mobile phone security consultancy
Industry expertise
Standards representation
Mobile application development
Six elements that make products attractive to thieves:
Concealable
Removable
Available
Valuable
Enjoyable
Disposable
Report argues that “how much depends on ease of disposal”
http://www.mobilephonesecurity.org
From: Ron Clarke - ‘Hot Products: understanding, anticipating and reducing demand for stolen goods’ http://www.popcenter.org/problems/shoplifting/PDFs/fprs112.pdf
“we solved car crime by putting pressure on the manufacturers to introduce security, we can do the same for mobile phones”
Mobile is different!
Remember CRAVED
Users need to access device very regularly – ease of access is very important
Much lower cost device than a car
Easy to lose, then subsequently stolen
Small, easy to export
High youth on youth crime
Attention to car crime has reduced it significantly but:
Increases in carjacking and aggravated burglary (for keys)
Hacking of wireless ignition systems
Change a unique device identifier
Interfere with the operation of a unique device identifier
Possession (with intent) of tool and offering to re-program
Maximum 5 years imprisonment
In the last 2 years, 5 investigations, no convictions*
Problem – most tools were dual use (maintenance, SIMlock removal AND IMEI change). Very difficult and costly to prove
Other offences involved are often more serious, e.g. money laundering
Lots of stolen phones are exported, re-sold abroad through the web or “recycled”
Recyclers Charter and Code of Practice
Check incoming phones are not stolen
Some foreign recyclers offering to take blocked phones from the UK
Very difficult to work out exactly how many stolen phones are exported as they just disappear
Each network looks after their own data
Evidence to suggest that stolen phones are exported to classic shipment
Investigated at length by industry
An alternative method of disabling mobiles as not all operators were using the CEIR
3 solutions were investigated but proved to be at issue:
Could be subverted by other means once in place
High threat of collusion at a low level
Tough to prove originating operator / owner – e.g. whether stolen
Not a panacea by any means
Still immature on mobile devices
Early solutions easy to defeat (e.g. gummy finger etc.)
Requires significant processing power
May see some kind of cloud-based solution emerge (e.g. voice biometrics)
Android 4.0 has facial recognition based on acquisition of Pittsburgh Pattern Recognition
Increased risk for the user
User as unlock key means user becomes the target of attack
Same issue as car crime
Eyelashes too long
Long fingernails
Arthritis
Circulation problems
People wearing hand cream
People who’ve just eaten greasy foods
People with brown eyes
Fingerprint abrasion, includes:
Manual labourers, typists, musicians
People with cuts
Disabled people
“Cloud” and 3rd party client applications:
Offline backup
Lock and wipe functionality
Locate my phone
Traditional anti-virus vendors are providing packaged functionality
Parental controls
Not just technology – also consumer awareness and education
Mobile industry is still well aware of the problem and willing to help
Design Out Crime Competition
Usual “detect if user walks away” etc
Over The Air event – Competition sponsored by NMPCU
Winner: “Freeze Punk”
Motion sensor using camera – e.g. in hotels / on tables
Another app for users without PINs: dummy banking app which initiates a tracking feature as it connects to the web can inform friends nearby to the phone
Real life usage is often not compatible with anti-theft solutions
Barrier to disable feature – e.g. PIN