Showing posts with label windows phone. Show all posts

Friday, 20 June 2014

Mobile phone kill switches

Microsoft and Google have just announced so-called kill switches for Windows Phone and Android devices.

Apparently this is a response to a reduction in iPhone thefts reported since Apple introduced Activation Lock into iOS 7.

Kill switches are great in principle but hard to implement properly.

Don't assume that a kill switch will 'brick' a phone.

Kill switches are meant to render a lost or stolen phone useless, but currently they don't really do that. Or not fully, at least.

Users can lock or wipe Android devices remotely using third-party apps and, more recently, the Android Device Manager. Windows Phone users will soon see similar abilities included in the Find My Phone feature.

Wiping resets the device and that effectively means the thief (or whoever finds it) gets to keep a fresh and functional gadget. A locked smartphone can be reset too. The data may be wiped but someone else gets the benefit of your expensive hardware.

It's been possible to lock and wipe mobile devices from the major vendors for a while now. The real news is that these security features will soon be enabled by default.

The official statement from Attorney General Schneiderman includes, right at the end, the following:

"Because kill switches are only available on an opt-in basis, not enough consumers are signing-up. This underscores the urgency... to make kill switches a standard opt-out function on all phones."

So we've had kill switches for a while and now they will be opt-out. So far so good.

The kill switches used or planned by Apple, Google and Microsoft are based on software. As we know, there are ways to resurrect a phone locked down by software.

A more effective option would be to build new phones with hardware kill switches. Imagine a fuse that can be blown remotely. The device would then be properly 'killed' and would require expensive repairs to restore.

Hardware kill switches bring their own problems.

  1. How do you test that they work without destroying your new phone?
  2. If you can't test the kill switch, how confident are you that it will work when you need it?
  3. You might 'brick' your lost phone and then find it down the back of the sofa.

If introducing software security features reduces thefts of expensive devices then it's worth doing, but users should be aware of the limitations inherent in this approach.

One final thought: if an unauthorised individual or organisation were to gain access to your account they would be able to kill your phone, tablet or other mobile device. If the kill switch were a software version then you'd experience significant inconvenience. If it were of a hardware type you'd face additional cost.

Tuesday, 23 July 2013

Smartphone security

[Image caption: In 1999 a PC this powerful would cost twice as much and be 100 times bigger]

At the moment we are, in terms of mobile malware development, in 1998.

Remember when we all used Windows 95 and connected with modems? The threats of the day were Trojans that would dial premium numbers to generate/steal money from victims.

As far as I can tell, that’s where we are today with smartphones.

Modern, powerful mobile handsets are essentially PCs with a modem, run by users who access banks and other financially-connected sites. I've yet to see any evidence of iOS or Android-compatible drive-by attacks so right now social engineering seems to be the most significant threat.

As such, a slight variation on the advice we used to give in the late 1990s is probably suitable:

  1. Keep your phone’s firmware up to date (updates from vendor, via Android Settings).
  2. Keep your software up to date (via Google Play updates). These updates can be set to run automatically.
  3. Only install from official stores such as Google Play. Don’t side-load (i.e. install from removable media).
  4. Ensure the software comes from the original developer. Google Play lists the developer and highlights very popular ones with the ‘Top Developer’ label.
  5. Check the reviews of each application you want.
  6. Check the permissions that each application requires and reject it if it wants too much (in your opinion).
  7. When updating manually, review any new permissions the updated application requires.
  8. Avoid pirated/cracked software, whatever the source.
  9. Install an anti-malware product. After all, even the official stores have been found to host malicious files.
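
Steps 6 and 7 can be partly automated. The following is an added example, not part of the original post: it compares the permissions requested by two versions of an app and flags new ones that can spend money or read messages, the premium-number abuse mentioned above. It assumes both AndroidManifest.xml files have already been decoded to text XML; the watch-list and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a short watch-list chosen for this example. These permissions
# let an app call, text or read messages, so a new request deserves a look.
WATCHLIST = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # uses-permission-sdk-23 is the variant applied only on Android 6.0+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def review_update(old_xml, new_xml):
    """Report permissions added by the update and which are on the watch-list."""
    added = requested_permissions(new_xml) - requested_permissions(old_xml)
    return {"added": sorted(added), "flagged": sorted(added & WATCHLIST)}

# Constructed sample manifests (not taken from a real app).
OLD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
NEW = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    result = review_update(OLD, NEW)
    print("New permissions:", result["added"])
    print("Needs a closer look:", result["flagged"])
```
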

While all this will help, I doubt that normal people will either bother or be able to fully understand or remember the details. That's not their fault, though. It's the fault of the mobile industry. It should be easier to be more secure.

This article updates last year's notes on Android security tips.