Information Security, Ethical Hacking, website Security, Database Security, IT Audit and Compliance, Security news, Programming, Linux and Security.
Wednesday, 27 August 2014
How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law
Beginning next year, if you buy a cell phone in California that gets lost or stolen, you’ll have a built-in ability to remotely deactivate the phone under a new “kill switch” feature being mandated by California law—but the feature will make it easier for police and others to disable the phone as well, raising concerns among civil liberties groups about possible abuse.
The law, which takes effect next July, requires all phones sold in California to come pre-equipped with a software “kill switch” that allows owners to essentially render them useless if they’re lost or stolen. Although the law, SB 962, applies only to California, it undoubtedly will affect other states, which often follow the Golden State’s lead. It also seems unlikely phone manufacturers would exclude the feature from phones sold elsewhere. And although the legislation allows users to opt out of the feature after they buy the phone, few likely will do so.
The law raises concerns about how the switch might be used or abused, because it also provides law enforcement with the authority to use the feature to kill phones. And any feature accessible to consumers and law enforcement could be accessible to hackers, who might use it to randomly kill phones for kicks or revenge, or to perpetrators of crimes who might—depending on how the kill switch is implemented—be able to use it to prevent someone from calling for help.
“It’s great for the consumer, but it invites a lot of mischief,” says Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, which opposes the law. “You can imagine a domestic violence situation or a stalking context where someone kills [a victim's] phone and prevents them from calling the police or reporting abuse. It will not be a surprise when you see it being used this way.”
Apple, Blackberry, Google, Samsung and other tech firms were initially opposed to the bill, but dropped their opposition after law enforcement groups lobbied for it and after the bill was amended to, among other things, delay the date the law would go into effect and exempt tablets from the mandate.
The CTIA, a trade group for the telecommunications industry, continues to opposed it, however, calling the law “unnecessary” because other solutions already exist to address the problem of stolen phones, including stolen-phone databases and anti-theft applications that cell-phone owners can use.
More importantly, however, the EFF continues to oppose it on grounds that it could be abused by law enforcement. The organization has focused in particular on the law’s failure to specify who can activate the kill switch and how it may be abused by others.
In a letter sent to California legislators earlier this year, the organization cited a controversial incident in 2011 when transportation officials in the San Francisco Bay Area shut off wireless cell phone service during protests, stemming from the shooting of a young man by transit police, at BART stations. The incident prompted an amendment to California’s public utilities code to limit the circumstances under which law enforcement can sever communication services—an amendment that also would govern the use of the kill switch.
Under that amendment, law enforcement, or a communications provider acting at the behest of law enforcement, can interrupt service only by court order for the purpose of protecting public safety or preventing the use of that service for an illegal purpose. “The order shall clearly describe the specific communications service to be interrupted with sufficient detail as to customer, cell sector, central office, or geographical area affected, shall be narrowly tailored to the specific circumstances under which the order is made, and shall not interfere with more communication than is necessary to achieve the purposes of the order,” according to section 7908 of the California Public Utilities code.
Regardless of these limitations, the EFF argues that the kill switch law provides law enforcement agencies with not only the legal means but also the technical means to do something that previously would have been considered too invasive. And since the public utilities code that limits how authorities in this state can use the kill switch does not apply elsewhere, the same protections don’t exist outside the state.
“[T]he fact remains that the presence of such a mechanism in every phone by default would not be available but for the existence of the kill switch bill,” EFF wrote in its letter. “Within two years, we would have legitimized a process that was seen to be quite extreme. While users have the ability to opt-out of such a tool, it is widely known that default settings are rarely changed.”
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment