Improving Anti-Theft Measures for Mobile Devices

I’m pleased to say that the latest version of the GSMA SG.24 Anti-Theft Device Feature Requirements has been published. Many members of the Device Security Group I chair at the GSMA have been personally committed to trying to reduce the problem of mobile theft over many years. This represents just one small part of these continued efforts.

There is no magic solution to the problem of mobile theft as I’ve discussed many times (some listed below). The pragmatic approach we’ve taken is to openly discuss this work with all the interested parties including OS vendors such as Apple, Google and Microsoft as well as to reach out to Police and government particularly in the US and the UK where the subject has been of high interest. We’ve taken their feedback and incorporated it into the work. Everyone has a part to play in reducing theft of mobile devices, not least the owner of the device itself.

Some extra resources:

Some previous blogs on mobile theft:

Victim blaming when it comes to fraud

I was quoted today in a Guardian article after the Metropolitan Police Commissioner, Sir Bernard Hogan-Howe suggested that fraud victims should not be compensated by banks in cyber crime situations.

Image of what people are being conditioned to think a cyber criminal looks like! (Or perhaps I should have gone with hacker in hoodie?!)

His point is that people use weak passwords and don’t upgrade their systems so end up as easy pickings for online criminals. Whilst of course users need to take responsibility for their own actions (or inaction) it is nowhere near as simple as that, especially when it comes to things like deliberate social engineering of people and website insecurity.

My full quote was as follows: “I think the Met Chief’s comments are short-sighted. There are many reasons consumers are defrauded and a lot of those are not really things that they can control. To trivialise these to all being about user concerns misses the point. How does a consumer control the theft of their data from a website for example? We all have a role to play and a lot of work is underway in bodies like the worldwide web consortium (W3C) to reduce the use of passwords and to increase the use of hardware-backed security. The banks are doing a good job in a difficult environment but they are ultimately responsible for identifying and preventing fraud issues when they occur.”

The W3C’s work on web authentication is underway, which will standardise the work of the FIDO Alliance for the web in order to help eliminate the password. This of course will take a while and we won’t fully eliminate passwords from the web for many years. To further protect consumers, there is another effort to bring hardware security backing to important elements of the web, this will also hopefully be chartered to do that in W3C. In the software updates world, Microsoft have led the way on desktops and Apple in mobile for ensuring people are patched quickly and effectively. We still have a long way to go and I’m leading some work in the mobile industry, through the GSMA to try and make things better.

The Met and the wider police have a key role in investigating cyber crime, something they’ve not done well at all over the past few years, so they have failed consumers repeatedly. Blaming users is something akin to throwing stones in glasshouses.

When the “Apple Encryption Issue” reached Piers Morgan

How can we have an intelligent and reasoned debate about mobile device forensics?

I woke up early this morning after getting back late from this year’s Mobile World Congress in Barcelona. It has been a long week and I’ve been moderating and speaking at various events on cyber security and encryption throughout the week. It won’t have escaped anyone’s notice that the “Apple encryption issue” as everyone seems to have referred to it, has been at the top of the news and I have been asked what I think pretty much every day this week. Late last night, I’d seen a twitter spat kicking off between comedy writer and director Graham Linehan and Piers Morgan on the topic, but went to bed, exhausted from the week.

It was still being talked about this morning. My friend Pat Walshe who is one of the world’s leading mobile industry privacy specialists, had quoted a tweet from Piers Morgan:

Ironically, Piers Morgan himself has been accused of overseeing the hacking of phones, something which he has repeatedly denied, despite Mirror Group Newspapers admitting that some stories may have been obtained by illegal means during his tenure and having recently paid compensation to victims of phone (voicemail) hacking, a topic about which I have written in the past.

This week I’ll be up at York St John University where they’ve asked me to teach cyber security to their undergraduate computer scientists. The reason I agreed to teach there was because they highly value ethical concerns, something which I will be weaving into all our discussions this week. The biggest question these students will have this week will be the “what would you do?” scenario in relation to the San Bernadino case.

The truth is, this is not a question of technology engineering and encryption, it is a question of policy and what we as a society want and expect.

The moral aspects have been widely debated with Apple’s Tim Cook bringing, in my view, the debate to a distasteful low by somehow linking the issue to cancer. I’ve tried to stay out of the debate up until now because it has become a circus of people who don’t understand the technical aspects pontificating about how easy it is to break into devices versus encryption activists who won’t accept anything less than “encrypt all the things” (some of whom also don’t understand the technical bits). I sincerely hope that there isn’t a backlash on me here from either side for just voicing an opinion, some friends of mine have deliberately stayed quiet because of this – I’m exercising my right to free speech and I hope people respect that.

The truth is, this is not a question of technology engineering and encryption, it is a question of policy and what we as a society want and expect. If a member of my family is murdered do I expect the police to be able to do their job and investigate everything that was on that person’s phone? Absolutely. Conversely, if I was accused of a crime that I didn’t commit and I wasn’t in a position to handover the password (see Matthew Green’s muddy puddle test), would I also want them to do it? Of course. It is called justice.

Dealing with the world as it is

The mobile phones and digital devices of today replace all of our previous scraps of notepaper, letters, diaries, pictures etc that would have been left around our lives. If someone is murdered or something horrific happens to someone, this information could be used to enable the lawful investigation of a crime. The Scenes of Crime Officer of the past and defence team would have examined all of these items and ultimately present the evidence in court, contributing to a case for or against. Now consider today’s world. Everything is on our phone – our diaries and notes are digital, our pictures are on our phones, our letters are emails or WhatsApp messages. So in the case of the scene of a crime, the police may literally be faced with a body and a phone. How is the crime solved and how is justice done? The digital forensic data is the case.

Remember, someone who has actually committed a crime is probably going to say they didn’t do it. The phone data itself is usually more reliable than witnesses and defendant testimony in telling the story of what actually happened and criminals know that. I’ve been involved with digital forensics for mobile devices in the past and have seen first-hand the conviction of criminals who continually denied having committed a serious crime, despite their phone data stating otherwise. This has brought redress to their victim’s families and brought justice for someone who can no longer speak.

There is no easy answer

On the other side of course, we’re carrying these objects around with us every day and the information can be intensely private. We don’t want criminals or strangers to steal that information. The counter-argument is that the mechanisms and methods to facilitate access to encrypted material would fall into the hands of the bad guys. And this is the challenge we face – there is absolutely no easy answer to this. People are also worried that authoritarian regimes will use the same tools to help further oppress their citizens and make it easier for the state to set people up. Sadly I think that is going to happen anyway in some of those places, with or without this issue being in play.

US companies are also fighting hard to sell products globally and they need to recover their export position following the Snowden revelations. It is in their business interests to be seen to fight these orders in order to s
ell product. It appears that Tim Cook wants to reinforce Apple’s privacy marketing message through this fight. Other less scrupulous countries are probably rubbing their hands in glee watching this show, whilst locally banning encryption, knowing that they’ll continue doing that and attempting to block US-made technology whatever the outcome of the case.

Hacking around

Even now, I have seen tweets from iPhone hackers who are more than capable of an attempt to solve this current case and no doubt they would gain significant amounts financially from doing so – because the method that they develop could potentially be transferable.

This is the same battle that my colleagues in the mobile world fight on a daily basis – a hole is found and exploited and we fix it; a continual technological arms race to see who can do the better job. Piers Morgan has a point, just badly put – given enough time, effort and money the San Bernadino device and encryption could be broken into – it will just be a hell of a lot. It won’t be broken by a guy in a shop on Tottenham Court Road (see my talk on the history of mobile phone hacking to understand this a bit more).

Something that has not been discussed is that we also have a ludicrous situation now whereby private forensic companies seem to be ‘developing’ methods to get into mobile handsets when in actual fact many of them will either re-package hacking and rooting tools and pass them off as their own solutions, as well as purchasing from black and grey markets for exploits, at premium prices. This is very frustrating for the mobile industry as it contributes to security problems. Meanwhile, the Police are being forced to try and do their jobs with not just one hand tied behind their back, it now seems like two. So what should we do about that? What do we consider to be “forensically certified” if the tools are based on fairly dirty hacks?

How do we solve the problem?

We as democratic societies ask and expect our Police forces to be able to investigate crimes under a legal framework that we all accept via the people we elect to Parliament or Senate. If the law needs to be tested, then that should happen through a court – which is exactly what is happening now in the US. What we’re seeing is democracy in action, it’s just messy but at least people in the US and the UK have that option. Many people around the world do not.

On the technical side, we will need to also consider that there are also a multitude of connected devices coming to the market for smart homes, connected cars and things we haven’t even thought of yet as part of the rapidly increasing “Internet of Things”. I hate to say it, but in the future, digital forensics is going to become ever more complex and perhaps the privacy issues for individuals will centre on what a few large technology companies are doing behind your back with your own data rather than the Police trying to do their job with a legal warrant. Other companies need to be ready to step up to ensure consumers are not the product.

I don’t have a clear solution to the overall issue of encrypted devices and I don’t think you’ll thank me for writing another thousand words on the topic of key escrow. Most of the time I respond to people by saying it is significantly complex. The issues we are wrestling with now do need to be debated, but that debate needs to be intellectually sound and unfortunately we are hearing a lot from people with loud voices, but less from the people who really understand. The students I’m meeting next week will be not only our future engineers, but possibly future leaders of companies and even politicians so it is important that they understand every angle. It will also be their future and every other young person’s that matters in the final decision over San Bernadino.

Personally, I just hope that I don’t keep getting angry and end up sat in my dressing gown until lunchtime writing about tweets I saw at breakfast time.

Updating the Future

Later today I’ll be speaking at B-Sides London about software updates and how they are probably the only effective mechanism that can defend users against the malicious use of discovered, exploitable vulnerabilities. Despite that, we still have a long way to go and the rush towards everything being connected could leave users more exposed than they are now.

The recent “effective power” SMS bug in iOS really showed that even with a relatively minor user interface bug, there can be widespread disruption caused and in that case mainly because people thought it would be funny to send it to their friends.

The state of mobile phone updates

In vertical supply chains that are generally wholly owned by the vendor (as in the Apple case), it is relatively straightforward to deploy fixes to users. The device’s security architecture supports all the mechanisms to authenticate itself correctly, pick up a secure update and unpack it, verify and deliver it to the user. The internal processes for software testing and approval are streamlined and consistent so users can get updates quickly. This is not the case for other operating systems. Android users have a very complicated supply chain to deal with unless they have a Google supplied device. Mobile network interoperability issues can also cause problems, so network operators have to drive test every device and approve the updates that come through. Security updates are often bundled with other system updates, meaning that critical security issues can stay open because users just don’t get them fixed for months on end.

That’s if they get an update at all. Some manufacturers have a very chequered history when it comes to supporting devices after they’ve left the factory. If users are not updated and they’re continually exposed to serious internet security flaws such as those experienced with SSL, who is responsible? At the moment it seems nobody is. There is no regulation that says that users must be updated. There seems to be a shift in the mobile industry towards longer software support lifecycles – Microsoft has committed to 36 months support and Google at least 18 months, but there is still a long way to go in terms of ensuring that patch teams at manufacturers remain available to fix security issues and ensuring that an ‘adequate’ end-of-life for products is achieved and communicated properly to users.

The internet of abandoned devices

A lot of IoT devices have no ability to be updated, let alone securely. The foundations are simply not there. There is no secure boot ROM, a secure anchor of trust from which to start from, there is no secure booting mechanism to carefully build up trust as the device starts and web update mechanisms are often not even secured using SSL. Software builds are often as not unencrypted and certainly not digitally signed.

So with this starting point for our future, it appears that many of the hard lessons of the mobile phone world have not seen transference to the IoT world. Even then, we have a lot of future challenges. Many IoT devices or elements of the automotive space are ‘headless’ – they have no user display or interface, so the user themselves has no inkling of what is going on, good or bad. What is often termed “cyber-physical” can rapidly become real issues for people. A problem with an update to a connected health device can really harm a lot of people. Shortly before Google’s acquisition of Nest, a user had tweeted complaining that his pipes had burst. Understanding that certain services cannot just be turned off to allow for an update is key to engineering in this space.

Many of the devices that are planned to be deployed are severely constrained. Updating a device with memory and battery limitations is going to be possible only in limited circumstances. Many of these devices are going to be physically inaccessible too, but still need to be trusted. It’s not simply a question of replacement of obsolete devices – digging a vibration sensor out of the concrete of a bridge is going to be pretty cumbersome. Some of this space will require systems architecture re-thinking and mechanisms to be able to live with the risk. It may be that is simply impossible to have end-to-end security that can be trusted for any real length of time. As engineers if we start from the point that we can’t trust anything that has been deployed in the field and that some of it can’t be updated at all, we might avoid some serious future issues.

Phone Hacking: A lucrative, but largely hidden history

I’m giving a talk at Defcon London DC4420 tonight. I decided to talk about the history of some stuff that is not really well known about outside of the mobile industry and a few embedded systems hacking circles.

For years, the mobile industry and its suppliers have fought an ongoing battle with people hacking mobile devices. This mainly started out with greyhat crackers from the car radio scene supplying tools to ‘reset’ your car radio PIN code (I’m not sure whether really driven by thieves or end users?).

This matured into SIMlock and IMEI hacking on handsets at the end of the 1990s, driven by very cheap pre-pay handsets. By the way, I was never a big fan of SIMlock, as it just increased targeting of the devices and it just wasn’t that sensible as the time we didn’t have the hardware available in the industry to protect it properly. Mobile phone theft (and re-enablement) was another driver.

Ordinary users were sufficiently motivated to want to pay to remove their SIMlocks and a cottage industry built up to serve it, supplied by tools from some very clever hackers and groups. This made some people very, very rich.

As skills have grown on both sides, the war between industry and the hacking community has grown increasingly sophisticated and tactical. Today it is mostly being played out within the rooting and jailbreaking community, but it looks like so-called ‘kill switch’ and anti-theft mechanisms will be a new motivator.

Anyway, I hope you find this taster presentation to the subject interesting!

Shiny Expensive Things: The Global Problem of Mobile Phone Theft

I was kindly invited down to Bournemouth University the other day by Shamal Faily, to give a talk as part of their Cyber Seminar series. I decided to talk about a quite hot topic which I’m very familiar with, mobile phone theft. The slides are updated from an earlier talk, but cover some of the political involvement in 2012/13 and some information on recent industry action and what should happen next.

CCC bust Apple’s fingerprint scanner?

Just a few days ago I wrote about some of my concerns on biometrics, after the launch of the fingerprint scanner ‘TouchID’ on the iPhone 5S. It appears that they may have been well-founded. The Chaos Computer Club in Germany have released a blog and video which seems to show TouchID being broken by a fake fingerprint. Back to the drawing board again on biometrics? Watch the video for yourself below:

 

You are the Key: Fingerprint Scanning on the iPhone 5S

So, here we are. Another iPhone launch and seemingly even less features. The September 10th launch of the iPhone 5S brings the only physical feature of note: fingerprint scanning via “Touch ID” which is built into the main button of the phone (an elegant way of doing it by the way). This turn of events is more about a push by Apple towards acceptable secure m-payments and stronger user authentication for the web and app store rather than just being completely about access control to the device itself. I’m pretty sure that there’s a strong pull from the business / enterprise sector as well for this kind of technology. In my experience, senior management seem to quite like things they’ve seen in a sci-fi film such as palm-print security access and voice recognition in front of big strong-room doors. Perhaps a blue LED or two to top it off. That of course, is real security. Not.

Just like in the movies! It must be secure!

So what does this technology really bring us and why hasn’t it been implemented before? Let’s concentrate on just the access control piece here.

Leaving your keys hanging around

Unlike PIN numbers, you leave a number of exact replicas of your fingerprints in various public places when you go about your daily business. That’s like leaving an exact imprint of your front door key over twenty times a day on things like the side of your car door, on a coffee cup and on the table of your favourite pub. In all likelihood, the back of your mobile phone probably contains a pretty good copy of your fingerprint right now. In 2008, the German interior minister Wolfgang Schauble found this out when hacktivists collected his fingerprints from a glass. And remember: once you’ve lost your fingerprint you can’t really get it back (you only have a limited number!).

There are some pretty extreme examples of people who’ve been tortured for bank PIN numbers and even one case in Malaysia where a man had his finger cut off to steal his fingerprint protected Mercedes.

There is an argument to say that most street thieves (like burglars) are not going to want a direct confrontation with the owner, but there’s also plenty of evidence of violence during mobile phone theft from people being shot or held at knifepoint, just for their phone.

One could easily imagine a scenario where the user is just forced to open up the device and remove the security protection before the criminal makes off. This scenario could just as easily be argued for users with PIN protection and it seems (from my unscientific hearsay point-of-view!) that we haven’t heard of many instances of thieves doing this. What seems to be more prevalent is either unattended theft or snatch theft where the phone is actually being used (and is therefore unlocked and ready to go).

“The number of phones found on the London Underground alone was 25,000 in 2011”

According to the Office of National Statistics’ report on Mobile Phone Theft [pdf], the Crime Survey of England and Wales for 2011/12 showed that 7 in 10 incidents of mobile phone theft were personal thefts (e.g. pickpocketing or snatch) or ‘other thefts of personal property’. These ‘others’ are defined as: “items stolen while away from home, but not carried on the person (such as theft of unattended property in pubs, restaurants, entertainment venues, workplaces etc.).”

Let’s also bear in mind that a lot of people could believe they’ve been pickpocketed or that their phone was stolen from somewhere when they have in fact just lost their device. The number of phones found on the London underground alone was 25,000 in 2011.

Convenience

What fingerprint biometric technology does give you is convenience, more so given that the sensor for Touch ID is built into the key that you would have to press anyway. Instead of having to make four or more finger movements and the possible engagement of brain to remember a PIN, you instead have almost instantaneous access, which when you consider how many times you have to enter your PIN into your phone every day is surely a good thing. What convenience then hopefully gives you is increased adoption by users, which overall is again a good thing. Most people using fingerprint access control security than a few using a PIN is a much better situation for everyone.

However, this is certainly not all a bed of roses. Usability is a big issue once you look into it (and I’m not sure how much Apple have taken this into consideration).

Some people just simply can’t use fingerprint readers. For example, the very young, the elderly and some disabled people. In addition “False negatives” can be caused by various factors such as:

  • Long fingernails
  • Arthritis
  • Circulation problems
  • People wearing hand cream
  • People who’ve just eaten greasy foods
  • Fingerprint abrasion, includes: the elderly, manual labourers, typists, musicians
  • People with cuts

In some senses, this functionality could be regarded as socially regressive, or at least a not socially inclusive and accessible technology. These types of users must fall back to things like PIN usage to provide access control.

Technology progression

Technical details of the Apple solution are not clear, but a lot of fingerprint technologies have failed in the past and I am sure that this one will come under intense scrutiny by security researchers. I have demonstrated the “gummy finger” attack against an optical fingerprint scanner myself at conferences and in lectures, even creating a working latex ‘replacement’ fingerprint aka ‘Diamonds are Forever’.

Researchers have even gone as far as ‘lifting’ fingerprints, reversing the image (to get it back to the right way round) and etching them in order to create a pattern for new, usable replicas (see the gummy finger link above for more details). Other researchers have also defeated ‘liveness’ or pulse detection too.

Summary

So what do I really think? I think for high-end enterprise use cases (one area that Apple has been really going after in the past couple of years), this does make sense. I can imagine a CEO complying with that kind of policy more than a mandatory very long PIN or password. If they’re really important people though, you can certainly imagine them being targeted to copy their fingerprints as I mentioned at the beginning.

For your average user, maybe just maybe, the convenience aspect will make this a success. What that would mean is more devices secured at rest (i.e. left on café tables), so an opportunistic thief would not be able to get immediate access. It could even provide a different, potentially more secure way of authenticating to banking and payment services over the web or in a shop. I truly hope that users do not become the targets of more violent assaults where they are forced to give fingerprint access to their device.

Lastly, I hope that the Apple security engineering team have done their job correctly. At the end of the day, your fingerprint is translated into 1s and 0s. A representation of this has to be stored on the device in some way. Each time you access your phone, your data is then processed through an algorithm to get compared. If that is not done properly using secure hardware, then there’ll be another set of people producing hacking tools to address a new market for criminals to get around the fingerprint protection. The first commercially sold fingerprint scanner on a phone that I remember was in 2004 in the GI100,a PanTech device that was released in Asia. I looked into and rejected fingerprint scanning as a possibility for mobile phones at Panasonic in 2005 for many reasons (not least the processing capability needed). Nearly 10 years later it’ll be interesting to see whether it really is a useful security technology or just simply a movie-inspired gimmick.

The phone theft debate continues…

A number of articles on mobile phone theft in the papers this weekend (20-21st July 2013). Regular readers will know that I’ve spoken quite a lot about phone theft in the past and at various events.

Snatch thefts are particularly high because the phone is ‘active’ at that point and not locked

The Daily Mail discusses the fact that Apple will publish the update later this year which will enable the “authentication lock” feature which will prevent the re-enablement of stolen phones after theft. It also mentions that GPS won’t be able to be disabled and the phone wiped – common methods used by thieves to prevent tracking of phones and one which also encouraged snatches of ‘active’ devices.

In the Daily Telegraph, Boris Johnson apparently said “Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products”.

This is badly off the mark – the problem is not the hardware security (this was addressed years ago and the work was acknowledged by the Home Secretary in 2008). The real problem is the export of devices – they are not blocked outside the UK so can continue to be used. This has nothing at all to do with hardware security, but it has everything to do with the ability to disable devices globally.

Other countries such as the US have only recently joined the party, claiming massive new street theft problems. The truth is this – phone theft will have always been a problem but it has only been recently that high profile violent robberies have forced them into action. What have the authorities been doing for the last ten or so years?

Apple’s authentication lock is not a kill switch

The terminology being used by politicians and the media is incorrect – preventing access to services is actually the opposite of reaching out and telling a device to ‘die’. Creating a real kill switch like that could in itself become a security problem. Imagine being able to turn off every phone in the world?

The reality is that the functionality for an “authentication lock” has only been technically possible in the past 5 years, because previously the manufacturer would have virtually no relationship with the customer. These days all the major OS providers ask users to sign up for an account with them to access services – and that’s the key. A relationship with the end user means that they can take action because they know when that phone gets used post-theft.

In the past, this simply wasn’t possible for the network operators. No operator (as far as I know) has presence in every country in the world, so it wouldn’t usually see a phone if it had been exported. Yes, the IMEI (identity of the device) could technically be shared with a global database called the Central Equipment Identity Register, but that one piece of data is not reliable for many reasons including a rash of counterfeit devices in some countries. However if a phone has to connect home over the web, it allows a lot of information to be checked and even shared with the rightful owner. Although it is not fool-proof, it is the right thing to do as it makes the phone less attractive to a thief. It does raise a question for the Android manufacturers particularly. Will they now ask Google to provide this functionality for them, or somehow try and build it into their own anti-theft find-and-locate apps (which will not be as robust as putting this in at the OS level)?

Next steps

Assuming the industry gets this right (and I hope they do), the ball will be back in government and Police hands. With rising theft figures, it is very easy to blame the manufacturers and operators. In reality this is a complex and largely social problem – people are still going to snatch expensive mobiles and try to use them to pay for things / use their functions etc and sell them. There’ll be a new, lucrative challenge for the cracking community to disable things like authentication lock. Up until 2011, the UK was the only country that had really done lots of things to help address theft in a proper manner including:

  • education for young people (youth-on-youth crime is very high)
  • posters in high crime areas like London
  • legal measures (making it illegal to change the IMEI number and possess the equipment to do so)
  • working with industry to harden devices (OMTP TR1)
  • encouraging industry to share information on theft (stolen IMEI numbers)
  • setting up a dedicated Police unit to target thieves

Mobile phone theft affects ordinary people – for that reason alone, politicians like Boris Johnson are going to continue to jump on what has been for years a populist bandwagon.

"Apple does not have a process to track or flag lost or stolen product"

“Apple does not have a process to track or flag lost or stolen product”. That’s exactly what the Apple support pages say.

Having worked on the problem for years and seen the human consequences of violent theft, it appears a fairly arrogant statement to make. It’s not a safe, fluffy world out there (unless you live your life permanently in a gated development).


As Intel’s Robert Siciliano told Reuters in January‘Apple seems to have not considered stolen devices and instead is relying on the honor system’….’The honor system is devised with the mindset that we are all sheep and there are no wolves.’


There are certainly lots of wolves out there. Mobile phone theft appears to be starting to grow again.

Apple’s Q3 figures released in July 2012 showed a net profit of $8.8B. So is it too much to ask Apple to spend a bit of that profit on a process that helps consumers and reduces the desirability and ease of theft? They certainly have the global reach to do it (and currently, much more than the mobile network operators). It seems to me a little unfair for them to put everything on the mobile network operator just because they have the contract with the end user.

The Police (particularly in the UK) are doing their best against street crime and it is surely incumbent upon Apple as a good corporate citizen to try and help minimise theft of hot products such as the iPhone. 


Channel 4 did a great report on the situation in London last month:

Criminals are getting savvy – they’re also turning off the find and locate features of modern smartphones and wiping the devices so you’ll never get them back. They can even continue using the phones in the country they were stolen in, even if the IMEI number is blocked. They just don’t use the core “phone” functionality. WhatsApp and everything else will work just fine.

Phone theft is a tough nut to crack, as I pointed out in this talk. However, if certain companies are just putting their head in the sand and responding to the media with ‘no comment’, we’re in a bad place.