California is poised to enact a consumer-friendly law requiring smartphone manufacturers to install “kill switches” — that is, antitheft technology that would be activated by the carrier when a consumer alerts it that a device has been stolen or lost. The technology not only wipes the device of personal data but also renders it inoperable.
The state legislature passed the bill on Monday and has sent it to Gov. Jerry Brown to sign.
If he does, California will be the second state to have such a requirement. Minnesota adopted a kill switch law in May. Interest in kill switch technology has spiked in recent years due to the increasingly widespread theft of smartphones — a problem that promises only to intensify as the number of smartphones continues to grow.
Many local law enforcement agencies and police departments have been advocating for such a switch, believing that it will deter theft. Carriers and smartphone device makers in the past have protested the measure for various reasons, but perhaps in the face of overwhelming demand, they have stopped objecting.
The measure is a huge win for consumers, Adam Ely, COO and cofounder of Bluebox Security, told the E-Commerce Times. It will only be a matter of time before such features become ubiquitous, even if only a small number of states require them.
“To keep manufacturing costs low, manufacturers will include the kill switch features in the OS shipped on all devices in the U.S. market, thus making this a common feature to all users,” he said.
Security Concerns Never Die
There are some legitimate security concerns over the kill switch mandate. Though security experts tend to support the bill in theory, they fear the devil could show up in the details.
For instance, if phone manufacturers and carriers are required to implement the technology quickly, it could result in substandard work with serious security vulnerabilities, Ken Westin, a security analyst and mobile security and privacy expert at Tripwire, told the E-Commerce Times.
Even a solid kill switch probably could be hacked, he added.
“Phone thieves are a tenacious group, and workarounds and hacks to these features are inevitable,” Westin maintained.
Another concern is that there will be a window of time between a consumer alert and when the phone can be wiped.
“In order to wipe the device, it will have to connect to the carrier network, and during that window before the connection, thieves will try to root a phone or utilize other methods that block the network connection necessary to wipe the phone, thwarting the kill switch technologies,” Westin explained.
In general, hardware-based implementations are more difficult to circumvent than software-based implementations, Greg Kazmierczak, CTO of Wave Systems, told the E-Commerce Times.
“Today, thieves steal phones because they are valuable from a resale perspective,” he said.” A software-based kill switch might be good enough to discourage theft of phones for resale purposes.”
Eventually, thieves will be more interested in the data that is on the phone rather than the actual device, Kazmierczak continued.
For that reason, the industry should implement the best of what mobile security has to offer, he said — a hardware-based device ID that identifies the smartphones to the network, with the controls housed in the network rather than in the phones.
“This would alleviate the need to implement a kill switch, which can be abused or implemented poorly,” he said.
As security execs discuss the various ways a smartphone can be secured, some are pointing out an important piece of the discussion that is going unsaid.
The kill switch would give carriers even more control of devices — the ability to track and wipe devices on a national scale, Charles Tendell, founder and CEO of Azorian Cyber Security, told the E-Commerce Times.
“Because it’s a software feature, the manufacturer will have to give carrier access to the device,” he said, “and the cost of developing multiple solutions for multiple carriers is astronomical. The solution will likely be baked into the device at a software level, and the codes to access distributed to each carrier in the region.”
For those reasons, it may be better to focus on user education than mandating industry solutions, said Ritch Blasi, SVP of mobile and wireless at Comunicano.
The argument that carriers didn’t want the switch because they were making money off consumers having to buy replacement devices doesn’t make sense, he suggested.
“There isn’t much margin there,” Blasi told the E-Commerce Times. “Most often subsidies — and now no-contract financing plans — are break-even, and it’s the service plans that drive carriers’ revenues. So, if putting a kill switch into a phone adds (US)$20 more to the cost, the price of the phone will simply increase to cover the cost.”
The larger point is that consumers need to take responsibility for their data and devices, Blasi said.
“Several major carriers and manufacturers have agreed to put kill switches on devices in 2015 — so instead of states legislating this as a mandate, maybe their time would be better spent educating people about the need to password protect their devices to ensure privacy and security.”