Why Won't Cellular Carriers Brick Stolen Phones?

Imagine you're riding the subway in a major American city. At a stop, a stranger reaches into the train car, grabs your iPhone right out of your hand and runs off as the train doors close.

You report the theft to your cellular carrier and ask the company to deactivate the handset. Its representatives tell you that's not possible. Instead, they will deactivate only the SIM card, which means that while your number will no longer work, the handset still will.

Meanwhile, the thief resells your phone to an unscrupulous shop owner, who removes the original SIM (Subscriber Identity Module) card, factory-resets the unit and sells it to an unsuspecting customer. The thief and the shop owner both make money, your carrier gains a new subscriber, and you're stuck paying for a new iPhone.

In many European countries and in Australia, this story would have a different ending. There a stolen phone is permanently "blacklisted" from the airwaves soon after a theft is reported, even if the SIM card is changed. The thief would have a nearly useless device on his hands.

Even though there is evidence from overseas that blacklisting phones does indeed deter casual theft, not all American carriers have implemented this system, and the holdouts will neither confirm nor deny that they plan to. 

Political pressure

In August 2011, Sen. Charles Schumer (D-N.Y.) asked two of those holdouts, AT&T Mobility and T-Mobile USA, to implement blacklists. He cited a New York Police Department study that showed nearly half the reported robberies in the city were of cellphones.

"Deactivate the phone so it is no longer valuable on the black market — like a car without a motor," Schumer said as he stood outside a Manhattan AT&T store, according to a report in the New York Daily News.

Schumer addressed the issue again in a January press statement, just before AT&T hosted a meeting of cellular carriers from around the world.

"We have the technology to make phones worthless to criminals — and kibosh this rapidly expanding criminal market — but too few cell phone firms are incorporating this device-disabling technology," Schumer said. "By adopting the latest technology that allows companies to disable phones after they've been stolen, companies like AT&T could reduce cellphone theft dramatically."

So why haven't American carriers that use SIM cards implemented such a policy?

In an email to SecurityNewsDaily, AT&T would say only it was working to "identify the most comprehensive, technically feasible and expeditious solution to address this important issue."

"Consumer safety is a top priority for AT&T and we take very seriously the theft of wireless devices," a company spokeswoman said. "AT&T has been actively exploring an international, industry-wide solution to permanently disable stolen devices on all networks."

(Such an international industry-wide solution already exists. Carriers in 19 countries, most in Europe, share a blacklist of stolen phones, and many other carriers have blacklists of their own.)

T-Mobile also deflected the question.

"T-Mobile recommends that the most important action a customer can take if a phone is lost or stolen is to notify the carrier immediately," the company told SecurityNewsDaily in an email. "T-Mobile is then able to disable a customer's SIM card to prevent any third-party charges from accruing. T-Mobile does not currently disable the handset as well."

Yet T-Mobile's parent company, Deutsche Telekom, does disable stolen handsets in Germany and adds their ID numbers to the international blacklist.

Jot Carpenter of CTIA — The Wireless Association told SecurityNewsDaily that his trade group had "been in active discussions with FCC and law enforcement regarding potential solutions, and we will be happy to expand those discussions to include other policymakers."

Carpenter is vice president of government affairs at the association, which represents American cellular carriers and other wireless services.

But would such a blacklist of stolen phones work in the United States?

Such a program "might be a deterrent" because a deactivation program would cut the value of a stolen phone, said Don DeBolt, director of threat research at Islandia, N.Y., security firm Total Defense. "And if you can raise the bar on how difficult it is, that helps."

Technical difficulties

So why the holdup?

The reasons for delaying a blacklist in the U.S. are partly technical. Australia and most European countries have only one wireless telephony standard: the Global System for Mobile Communications (GSM). The handsets for these networks will not operate without a removable SIM card, which holds the basic cellular-service account information.

Since the account information is held on the SIM card rather than on the phone itself, it's easy for a customer — or a thief — to switch handsets simply by transferring his SIM card from one phone to another.

In the U.S. the situation is more complicated. While AT&T and T-Mobile USA use the GSM standard, most other American cellular carriers, including Sprint and Verizon Wireless, use CDMA (Code Division Multiple Access), a rival standard in which there is no SIM card.

Each CDMA handset, no matter what its phone number, is identified on the network by its Electronic Serial Number, or ESN. That number tells the network the phone is legitimate and makes it easy for Sprint and Verizon Wireless to block stolen phones, which both companies will do as soon as you inform them of the theft.

For AT&T or T-Mobile's GSM networks, blocking the handset — rather than the account — has to be done differently. GSM handsets are tagged according to their IMEI (International Mobile Equipment Identity) numbers. That's a 15-digit number given to every individual phone built for a GSM network, and it's usually found printed in the battery compartment.

In effect, a CDMA phone has only one ID number, which identifies both the handset and the cellular account. A GSM phone has two ID numbers, one for the account and another for the handset.

In order to make sure a stolen phone won't work, a GSM network's computers have to be told that the stolen phone's IMEI, not the SIM card for the account, has been invalidated. This is what European and Australian GSM carriers do as a matter of policy. Blacklist databases in those countries are also often linked to those of law-enforcement and regulatory bodies.

The Australian Mobile Telecommunications Association says blocking IMEIs has worked as a deterrent to thieves; its statistics show that since its blacklist program was started in 2004, the number of blocking requests (usually in response to a theft) has dropped 25 percent from 169,600 mobile handset blocks in the first year to 127,750 in 2011. 

Can a technically skilled thief change the IMEI number of a stolen phone? Yes, but it isn't easy, and it isn't the kind of thing the average bus or subway pickpocket has the ability, inclination or time to do.

Will it work?

Not everyone thinks a blacklist will be a panacea. Sean Ginevan, product manager at MobileIron, a wireless security firm in Mountain View, Calif., said the turnover time between the theft and resale of a stolen handset may be too short.

"By the time the end user goes to AT&T, the thief has made back his money," Ginevan said.

A handset doesn't have to work for long, and most thieves will simply sell it as quickly as possible.

"Unless the network operator locates the hardware identifier on the network and ties that back to the user for the police," he said, "it's not necessarily a deterrent."

In addition, an IMEI blacklist might work in only one country at a time. While carriers in 19 countries link their own blacklists to the GSM Association's worldwide IMEI database of blacklisted phones, not all yet do. A thief could simply steal a dozen American iPhones, then resell them to a fence who would ship them to China or Russia for further resale.
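A toy model of the two points above, added here as an illustration and not taken from any carrier's system: deactivating the SIM leaves the handset usable with a fresh SIM, and an IMEI blacklist only stops the handset on networks that consult the same list. The `Carrier` class, the SIM labels and the sample IMEI are constructed; the Luhn check digit in the last IMEI position is standard, and using it to reject a mistyped theft report is an assumption of this sketch.

```python
# Added illustration: toy model of network admission. All identifiers are
# constructed; the IMEI is a sample value, not a real subscriber's handset.

def imei_is_well_formed(imei: str) -> bool:
    """15 digits whose last digit is a valid Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        digit = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


class Carrier:
    def __init__(self, name, imei_blacklist=None):
        self.name = name
        self.deactivated_sims = set()
        # None models a carrier that never checks the handset identity.
        self.imei_blacklist = imei_blacklist

    def report_theft(self, sim_id, imei):
        # A mistyped IMEI would block some other customer's phone.
        if not imei_is_well_formed(imei):
            raise ValueError("IMEI fails format/check-digit validation")
        self.deactivated_sims.add(sim_id)
        if self.imei_blacklist is not None:
            self.imei_blacklist.add(imei)

    def attach(self, sim_id, imei):
        """Decide whether this SIM in this handset may use the network."""
        if sim_id in self.deactivated_sims:
            return "denied: SIM deactivated"
        if self.imei_blacklist is not None and imei in self.imei_blacklist:
            return "denied: handset blacklisted"
        return "allowed"


def resale_outcomes(stolen_imei="490154203237518"):
    """Victim reports the theft, then a buyer inserts a fresh SIM."""
    shared = set()                        # blacklist pooled between carriers
    sim_only = Carrier("sim-only")
    home = Carrier("home", shared)
    partner = Carrier("partner", shared)  # links to the same database
    abroad = Carrier("abroad", set())     # keeps a separate, unlinked list
    for carrier in (sim_only, home):
        carrier.report_theft("sim-victim", stolen_imei)
    return {c.name: c.attach("sim-buyer", stolen_imei)
            for c in (sim_only, home, partner, abroad)}
```

`resale_outcomes()` returns the admission decision each of the four modelled carriers gives the resold handset once the buyer's SIM is in it.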

"The GSM operators in the USA do not currently use our IMEI Database," a representative for the GSM Association told SecurityNewsDaily, "but the North American Fraud Forum and Security Group has initiated a project to investigate what range of measures could be appropriate to combat handset theft in the USA."

AT&T co-chairs the North American Fraud Forum and Security Group of the GSM Association, according to company representatives.

IMEIs are also less than perfect as an authenticator. The British telecoms regulator, OfCom, says perhaps 10 percent of IMEIs in British networks are duplicates. Some of this is likely due to post-theft tinkering, but a lot of it may be due to manufacturer indifference, since some countries didn't originally require IMEIs on phones sold domestically.

For example, until 2009, many cheap Chinese-made phones sold in India had no legitimate IMEI at all. The Indian federal government has since cracked down on this and now requires IMEIs.

And it isn't entirely the fault of the carriers that building an IMEI database in the U.S. is hard. Sean Sullivan, security researcher at Helsinki, Finland, company F-Secure, noted that many carriers are still trying to unify their own networks.

Verizon Wireless, Sprint and AT&T Mobility, for instance, are all the products of mergers. Building a shared database among former competitors is not as easy as it sounds.

Hidden costs and benefits

Then there's the financial issue. Even a stolen phone can become a source of revenue if it ends up with someone who buys legitimate service. And since the original owner is likely to be under contract and will have to buy a new handset on the same network, the carrier wins on both ends.

All that aside, there's a bigger issue that hasn't been discussed. The personal information on a stolen phone can be much more valuable than the handset itself.

Most people set up their smartphones to automatically log into their email and social-networking accounts, and many link their phones to their bank accounts. Combine that with all the information in the contacts list, the calendar and the texting and calling archives, and you've got a perfect package for an identity thief.

Ginevan said one of the first concerns if your phone is stolen is whether the thief is using your banking app. He noted that most people stealing phones want the hardware, not your identity.

"If I am a thief, I'll probably do a factory restore," Ginevan said.

But that isn't always the case. You may want to consider installing remote-wipe capability, which will factory-reset the device in case the phone is stolen, or encryption software, which will make data inaccessible without a password.

Rather than trying to get the phone back or making sure a thief can't use it, Ginevan said, "it's probably more important to encrypt and wipe the device."

SecurityNewsDaily