April 17, 2014, 2:58 PM — Yesterday, wireless industry group CTIA announced a partnership between many of the major smartphone makers and all of the leading U.S. wireless carriers that's designed to enable smartphone "kill-switch" functionality on handsets sold in the United States after July 2015.
The partnership, called the "Smartphone Anti-Theft Voluntary Commitment," comes after months of mounting pressure from consumer advocates and politicians on device manufacturers and carriers to implement a kill switch system that could make lost or stolen devices useless, therefore dissuading would-be thieves.
In February, California introduced a bill calling for a mandatory kill switch for mobile phones; shortly thereafter, the U.S. Senate proposed similar federal legislation. Since then, a number of additional related bills were introduced, including another federal bill from the U.S. House of Representatives and one from Minnesota that could be passed "as early as next week," according to Minn. State Representative Joe Atkins.
Voluntary Kill Switch Takes Remote Security a Step Further
Many leading smartphone manufacturers, and some carriers, already offer "find-my-phone" features that let users remotely lock and locate their devices. But the majority of these solutions simply reset smartphones to factory settings after a certain number of failed password attempts, which makes them prime goods on the black market.
The CTIA partnership includes a provision that blocks factory resets and makes stolen devices useless after a certain number of failed password attempts, which drastically reduces the street value of devices that have the kill-switch functionality enabled.
A recent report from Associate Professor of Statistics, Data Science and Analytics at Creighton University, William Duckworth, suggests a system like the one proposed by the CTIA partnership could save consumers as much as $2.6 billion a year, due largely to reduced insurance premiums. Until yesterday, it was a common belief that wireless carriers resisted the implementation of such a kill switch because it would mean less profit from such premiums and from replacing and/or reactivating stolen devices.
If you read the CTIA announcement, you might notice that the word "voluntary" shows up quite often. Indeed, the word is in the official name of the partnership. That use of "voluntary" refers to the fact that device makers and carriers are agreeing to implement a kill-switch system before legislators force it on them.
The more important application of the word applies to smartphone users, because this kill switch is also voluntary for them. In other words, it will be up to consumers to enable the functionality, just like passwords today. Like passwords, consumers will presumably need some sort of passcode to remotely access the kill-switch feature.
The fact is that many smartphone users simply can't be bothered with passwords and don't consider security until it's too late.
Kill Switch Success Depends on the Users
Last month, Jerry Irvine, CIO of Prescient Solutions, an IT outsourcing services firm, stressed this fact to me in a conversation. It's not only true of consumers, but also corporate executives, who should presumably be more security conscious.
"I was recently in a meeting with about 25 CFOs of multimillion dollar accounts," Irvine said. "I asked how many of them had PINs on their phones, and less than a half a dozen said they did."
I suspect it will be a similar situation with the kill-switch option. You'll presumably only have to opt in to the service once when you set up a new device. That's obviously much less intrusive than entering a password every time you want to use your phone. But smartphone owners will still need to opt in and remember their kill-switch passwords.
Then there are the privacy implications. Some people simply won't opt in to a program that gives device makers or carriers remote control over their devices, for fear that wireless carriers, government agencies or hackers could misuse the permissions.
At the very least, the kill switch should deter thieves, and that's a step in the right direction. But it will not solve the problem of smartphone theft.
Consider that the people stealing phones probably aren't the most reasonable folks in the world. A "steal first, consider kill switch later" approach seems likely -- even if it means ditching every other stolen device because it can't be unlocked. If half of all U.S. smartphone users opt in to the kill-switch program, one in two stolen smartphones could still be sold on the black market. If you're a thief, those aren't bad odds.
I give the device makers and carriers credit for "voluntarily" implementing a kill switch... even if they're only doing it because mandatory legislation seems imminent. I don't believe the kill-switch option should be forced on users, just as I don't believe passwords should be mandatory on all smartphones. As is the case with all information security measures, the responsibility ultimately falls on the user.