Reuters is reporting the unsurprising news that London, New York City, and San Francisco are seeing dramatic drops in smartphone thefts after the implementation of kill switches on devices became mandatory. The ability to encrypt the contents of these devices has existed for years (via smartphone encryption that came either turned on by default or otherwise). The capability to render a smartphone useless from a distance is new-ish. Of the two, however, the latter was always better poised to curb thefts. The surprise is that it took this long for the kill switch to take center stage.
Kill Switches and Smartphones: Made for Each Other
Why is the kill switch having such an incredible effect? Because it’s attacking the primary reason why smartphones are being stolen: so they can be given or sold to people who want a smartphone (usually at a discounted price, possibly all the way down to zero dollars).
The kill switch, once triggered, renders the smartphone useless. This means that the thief can end up with an electronic brick in his hands despite his efforts. I write “can end up” because the kill switch only works if the device is connected to the internet. The kill signal must reach the smartphone for it to be effective, after all. And, because of the nature of the smartphone and the apps on it, the odds are that the signal will be received. Even if a stolen device is turned off immediately after it’s stolen, it will have to be turned on when the time comes to sell it, putting the thief at the mercy of the kill signal.
The kill switch is an elegant solution that’s singularly adapted to smartphones. It doesn’t work as well on laptops, for example, because a laptop doesn’t have to be connected to the internet in order to be useful; there’s a realistic possibility that the kill signal won’t reach it. Plus, the internet represents the only viable way to reach a laptop with a kill signal, whereas smartphones have cellular networks as well as the internet.
It also helps that each smartphone comes with a unique global identifier which, as of right now, cannot be spoofed. Laptops also come with such identifiers (such as the MAC address) but these can be spoofed with the right software.
Data Security vs. Asset Protection
All of this being said, a kill switch is not really a data security tool. It’s an asset security tool, like a laptop cable that discourages a thief from stealing a computer. An example of a data security tool would be mobile encryption, which prevents access to the device’s contents unless the correct password, finger swipe, biometrics, etc. are provided.
Encryption doesn’t pose a problem for thieves who steal smartphones (generally) because, if they can sell a working device, they’re happy. This does not preclude thieves from finding it even better to steal a device that’s not encrypted. Any personal data that they can monetize long after selling the physical good must be gold in their books. Encryption’s inability to act as an asset protection tool, however, doesn’t make it’s less important or less effective.
Another important aspect of the kill switch is that it can be coupled with encryption to remotely delete data. More specifically, the data is erased by deleting a device’s encryption key, which is used to unlock the encrypted data. Since the key is gone, the encrypted data remains locked forever.
Related Articles and Sites: