A recent article on CNET titled “Android, Windows Phone to add kill switch to thwart theft” missed the point on how to actually stop Smartphone theft. The article talks about Google, Microsoft and Apple adding a ‘kill switch’ to phones to "…remove all data and information in the event their devices were stolen." That’s great, but it doesn’t actually stop theft.
As an Android user, the ability to remotely find, lock and wipe my phone gives me great confidence that my data is safe(r) than if there were no ‘kill switch’. But cancelling my mobile provider account and wiping my device doesn’t stop thieves, muggers and miscreants from getting a five-finger-discount on an new Nexus 5, Apple iPhone 5s or Samsung Galaxy S5 – it just assures the crooks that they’ll be able to activate ‘their’ new phone without any old data on it.
Having worked in the mobile phone activation world (many years ago), I know that the devices are controlled by one simple thing – the ESN/MEID (Electronic Serial Number.) Whenever a phone sends or receives a call (or data), the towers use the ESN to identify THAT device on the network so it can route calls and data to you.
When credit cards get stolen, it’s often not the actual card, but the number itself. So most of the time, the consumer has no idea their account has been compromised. And, the thieves know that they have a very short amount of time to use stolen credit cards before they are turned off. The physical device being stolen is the issue.
If I can steal a phone and just wipe it and have a ‘new’ phone, there’s no deterrent.
Solution
Features like Google’s Android Device Manager are FANTASTIC features, but do little to stop the theft. The real solution is at the carrier level. A simple ‘black list’ of stolen devices that the carriers are required by law to check anytime someone wants to activate a device, would stop the vast majority of device theft. If it’s on the list, the carrier isn’t allowed to activate it.
For SIM-based phones, when carriers do regular auditing of the devices on their network, if a device from the black list is being used, they must notify the mobile account user immediately that the device their using was stolen and will be disabled. Sure, some consumers will be affected, but only at first. If a law was passed requiring carriers to be responsible for only activating ‘legal’ phones. Crooks would know that a phone is useless to steal if it just gets ‘bricked’ within a day or two. And would-be-buyers would learn pretty quickly that they need to verify if a phone was stolen before buying it on eBay and Craigslist.
If you steal a car, then try to register it in your name, DMV won’t give you a sticker or license plate.
Sure, there will still be the phreakers who clone ESNs and steal service, but those aren’t usually the same guys who snatch the phone from your hand on a busy street and run.
I’ve been talking about this for many years – I’m glad it’s finally getting some kind of attention.