èƵ

Mobile targets

A CELLPHONE is stolen every 45 seconds in Britain. The government says the
cellphone industry isn’t doing enough to make the phones less attractive targets
for thieves. But while some astonishing blunders by the networks and handset
manufacturers make it easy for criminals to resell working phones, the
government must share the blame.

“We repeatedly warned the Home Office about this problem, and the Department
of Trade before them,” says Ross Anderson at Cambridge University. The
Foundation for Information Policy Research, which monitors the impact of
technology on society and which Anderson co-founded, has continually pointed out
to the government how easily stolen phones can be reused. “We were resolutely
ignored,” says Anderson.

When a phone is stolen, the owner’s account—details of which are stored
on the SIM card slotted into the phone—is frozen. This prevents anyone
making calls and fraudulently running up airtime bills.

But thieves can still use the phone itself. Software available over the
Internet can prompt most phones to reveal the PIN numbers used to lock
keypads—although many users never bother locking them anyway. Then, by
simply swapping the owner’s SIM card for a new one, the phone can often be used.
But some handset makers are tackling this: most Nokia phones now freeze if
anyone swaps the SIM card.

But where the industry really seems to have blundered is over the serial
numbers programmed into every handset. This 15-digit serial number is known as
an International Mobile Equipment Identity (IMEI) code. It is designed to work
on the GSM networks used in most countries round the world. The British
Approvals Board for Telecommunications issues numbers for GSM phones made and
sold everywhere in the world except North America. Handset makers typically
apply to the BABT for blocks of a million numbers, which are programmed into
phones on the production line.

Two of Britain’s four cellphone networks, Orange and One2One, have installed
software that can identify stolen mobile phones by their IMEIs and bar them from
further use. But the other two, BT Cellnet and Vodafone, which together control
55 per cent of the market, or some 24 million subscribers, say the software
isn’t worth the £16 million it would cost to install. But unless all
networks use barring software stolen phones will still be usable.

The objecting networks say the barring system is flawed because the numbers
are not unique. “Handset manufacturers can duplicate the numbers—about 10
per cent are duplicated,” says Carol Williams of BT Cellnet. So blocking IMEIs,
the argument goes, would lead to innocent users being barred. The same problems
are evident in Australia, where 100,000 mobiles were stolen last year.

BABT says that reputable manufacturers could only duplicate IMEIs by mistake.
“Some firms have 20 production lines in one building, so there is that
possibility,” says spokesman Les Rowland. And less reputable manufacturers could
easily churn out cheap phones with duplicated IMEIs.

Ensuring that manufacturers don’t duplicate IMEIs and making the numbers more
difficult to change would make life more difficult for criminals. Some phones
already shut down if the IMEI is tampered with.

The mobile phone networks are compounding weaknesses in the IMEI system by
not sharing lists of IMEIs of stolen phones. Even Orange and One2One fail to do
this, so a stolen phone barred from one network can still be used on another.
And to be effective, this information would have to be shared internationally.
Otherwise phones stolen in one country can simply be shipped abroad and used
there.

Just over the horizon are the expensive new handsets that will be needed to
use the high-speed, third generation (3G) networks. These will provide new
security features, but Mark Squires at Nokia says that at least one of them will
still rely on being able to track IMEI numbers. Future 3G tracking software will
check where calls are made from, and if it finds that two more or less
simultaneous calls are made many miles apart from what appears to be the same
phone, at least one of them must be using a fake ID.

For 3G phones, the industry is also considering technologies such as
fingerprint and voice recognition. But fingerprint readers are not 100 per cent
reliable, and people won’t like being locked out of their own phones. More
outlandish ideas include self-destructing phones—see Frontiers p 18.

For now, one way to crack down on stolen GSM mobiles—without involving
the networks— would be for governments to allow police forces to use a
device known as an International Mobile Subscriber Identity (IMSI) Catcher,
which has been developed by the Munich-based firm Rohde & Schwarz. Though
designed primarily to capture the IMSI number, which records details of a
subscriber’s account stored on the SIM card, the Catcher also records the
phone’s IMEI.

By exploiting a security loophole in the GSM standard the IMSI-Catcher can
get the details of all phones within a certain radius. Anderson speculates how
such a device might be used: “You could frisk passing youths for stolen mobiles
without their knowing it, and jump on them when the alarm goes off,” he says. If
people were required to produce some proof of ownership, the Catcher could even
work when there are duplicate IMEI numbers in circulation, acting as a deterrent
to phone theft in general.

But there would be a price to pay for such a technology. Catchers cause
interference to perfectly innocent phone calls, and Hannes Fedarrath of Dresden
University of Technology says that the German telecoms companies are unhappy
about their use. More importantly, they compromise the privacy of cellphone
users. The company producing the Catcher offers two types, says Helga Schumacher
of the German data protection commission—one of which captures
conversations as well as serial numbers. This threat of a greater intrusion into
people’s privacy has dogged the Catcher, and Rohde & Schwarz wouldn’t talk
about the machine at all when contacted by èƵ.

Because of this threat to personal privacy, Germany has this month introduced
legal restrictions which prohibit the Catcher’s use, except in serious cases
such as those involving organised or drug-related crime. So even in Germany,
they can’t be used to track down stolen phones. But civil liberties campaigners
are now worried that the Catcher may be sold to other governments or secret
services.

To monitor a phone call the Catcher exploits another weakness in the GSM
network to defeat the encryption that normally protects callers’ privacy. It
sends a degraded signal to the local base station to mimic the effects of poor
reception. In such situations, the GSM network is designed to instruct the phone
to stop encrypting its signal, because an unencrypted signal requires less
bandwidth and so should suffer less interference.

Without firm action by cellphone companies, governments may well see the
IMSI-Catcher as the most convenient way to crack down on cellphone theft. But
their implications for privacy are far-reaching. The price may be letting Big
Brother in by the back door.

Mobile phone theft

More from èƵ

Explore the latest news, articles and features