California's cell-phone kill switch is a solution that's worse than the problem

Not to be a spoilsport… but. The functionality has existed in the GSM baseband for close to a decade. And hackers have figured out how to access it. Hell, at ShmooCon like 5 years ago they demo’d a lockout being enacted on a phone from a rogue GSM base station.

This isn’t hard. Anyone can do it if they have a couple grand worth of hardware. Hell, you could attach the base station to a drone and wipe out cell phones across a swathe of the city if you were so inclined.

Sure it’s fiercely illegal. But it can be done no problem.

So… the concerns are moot. The horses left the barn a decade ago and complaining about it now just makes you look stupid.

At least let people deactivate their phones when stolen if you are going to let hackers deactivate them at will.

iPhones do this, have from day one, via the Find My iPhone app – you can wipe the phone, shut it down, etc.

Quick! Re-check the title before the grammar Nazis show up.


Doesn’t this also destroy the market for used cell phones? Unless there’s a mechanism that allows a private buyer and seller to transparently transfer ownership of the phone, the buyer always has to worry about the seller declaring the phone stolen.


So now phones of protesters can be decommissioned remotely. Use an IMSI-catcher (one type is known as Stingray, see here). Get the IMEI numbers of the phones in the area. Disable them one by one. A more permanent alternative to jamming that costs money to the affected.

I assume we’re talking about GSM now.

The IMEI number identifies the handset, the physical phone. The IMSI number identifies the SIM card in the phone and the associated phone number. Together they form a pair that the network knows. So beware when changing SIMs in a phone: the network records will know the association of the SIMs with the phone.

A possible countermeasure lies in patching the phone firmware, so it is able to take a custom IMEI. These can be faked pretty much with impunity (technically, not sure legally), as the network identifies the user only by its IMSI. Kind of like generating a random MAC address. (Such a “burner phone” would ideally derive the IMEI from the IMSI using some crypto algorithm, possibly a hash of the IMSI with some handset-specific fixed key, as then you can swap the SIM, the phone automatically assumes another IMEI that matches the SIM, and there is only one IMEI per IMSI pair instead of many IMEIs for a single IMSI as would happen in case of “dumb” randomizing.)

A long, long time ago, a decade and a half and something ago, GSM phones used to store the IMEI and other handset-specific data in a 24Cxx-type EEPROM. Back then it was pretty easy to tamper with it. Sadly I lost connection with the tech development at this level of detail. But the number must still be stored somewhere, and changing it in storage or in RAM should still be possible somewhat.
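The IMEI/IMSI split and the network-side pairing described in the post above, as an added Python example that is not part of the thread: it parses both identifiers (including the Luhn check digit an IMEI carries) and shows how attach records let an operator link several SIMs to one handset. The attach records, the test-PLMN (001/01) IMSIs and the IMEIs are constructed, and the MNC length is passed in rather than looked up from a country table (an assumption).

```python
from collections import defaultdict

def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string; an IMEI's 15th digit is the
    Luhn check over its first 14 digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (handset model), serial and check digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {
        "tac": imei[:8],        # Type Allocation Code: the handset model
        "serial": imei[8:14],   # per-unit serial within that TAC
        "check": int(imei[14]),
        "valid": luhn_check_digit(imei[:14]) == int(imei[14]),
    }

def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC, MNC and MSIN. The MNC is 2 or 3 digits depending
    on the country; the caller passes the length (assumption, no lookup here)."""
    if not 6 <= len(imsi) <= 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 6-15 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

def link_sims_to_handsets(attach_records):
    """From (IMSI, IMEI) pairs seen at network attach, build the IMEI -> IMSIs
    map: the association the operator's records keep across SIM swaps.
    Records with a bad IMEI check digit are skipped as malformed."""
    by_handset = defaultdict(set)
    for imsi, imei in attach_records:
        if parse_imei(imei)["valid"]:
            by_handset[imei].add(imsi)
    return {imei: sorted(imsis) for imei, imsis in by_handset.items()}

# Constructed sample data: test PLMN 001/01, IMEIs built with a valid check digit.
HANDSET_A = "49015420323751" + str(luhn_check_digit("49015420323751"))
HANDSET_B = "35000000000001" + str(luhn_check_digit("35000000000001"))
ATTACHES = [
    ("001010000000001", HANDSET_A),
    ("001010000000002", HANDSET_A),         # second SIM in the same handset
    ("001010000000003", HANDSET_B),
    ("001010000000003", "350000000000009"),  # wrong check digit: skipped
]

if __name__ == "__main__":
    for imei, imsis in link_sims_to_handsets(ATTACHES).items():
        print(imei, "seen with SIMs:", imsis)
```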

You show me a phone with an unlocked baseband and open source firmware and drivers and I’ll show you a fist full of dollars.

…as soon as the device that knows all your secrets and watches and listens to your most private moments is designed to do things that the person holding it can’t override, the results won’t be pretty.

You 20th Century types clearly haven’t got the memo. If you’re not doing anything wrong, you don’t need privacy, citizen.

What I am aware of is the OsmocomBB thing. More things may lie somewhere in that direction.

So only about 500k and 3 years away from a prototype. Got it.

I saw it in person running on an ancient Motorola phone. So in my parallel universe it is already deployed and running. List of compatible phones in this universe here.

A similar thing, from the other side of the network, running on the same stack, is OpenBTS. Successfully deployed in several scenarios. Hope this alleviates your concerns a tad bit.

And let’s not forget the software-defined radio implementations.

As always, this coin has more than one side – “iPhone theft in New York City, San Francisco, and London is down by 19, 38, and 24 percent respectively compared to the same period in 2013. New York Attorney General Eric Schneiderman says that iPhone theft ‘plummeted’ following the release of iOS 7 in September.”

The linked EFF blog post seems long on hand-wringing and short on analysis. (Doesn’t help that EFF’s “deeplink” to the bill is 404 ;-) But the core of EFF’s objection to the bill seems to be this: “SB 962 is not explicit about who can activate such a switch. And more critically, the solution will be available for others to exploit as well, including malicious actors or law enforcement,” which is a reference to SB 962’s language establishing that, “Any request by a government agency to interrupt communications service utilizing a technological solution required by this section is subject to Section 7908 of the Public Utilities Code.”

But after reading the text of SB 962 and Section 7908 of the PUC, it’s hard for me to credit EFF’s fears. In particular, SB 962 mandates that the kill switch mechanism be “provided by the manufacturer or operating system provider” for any phone sold in the state; note that the onus falls on phone manufacturers, not carriers. Further, the switch can only be invoked by “an authorized user” (which term is undefined in SB 962, but p’bly doesn’t mean cops). OTOH, PUC Sec. 7908, which places conditions and restrictions on government entities seeking to interrupt service to individuals or within a geographic area, targets “Communications services,” defined as “any communications service that interconnects with the public switched telephone network and is required by the Federal Communications Commission to provide customers with 911 access to emergency services” (in short, carriers, not manufacturers).

So, for example, since Verizon doesn’t have your AppleID credentials, it does the cops/courts no good to ask/demand/order Verizon to flip the kill switch on your iPhone. And PUC Sec. 7908 limits the route for seeking individual service interruptions to carriers, so the EFF conclusion that, “In essence, SB 962 mandates the technical ability to disable every phone sold in California, and PUC Sec. 7908 provides the necessary legal roadmap to do the same” doesn’t seem to pass the smell test.

(Aside: why does EFF get upset about this, but no objections that I could find to Minnesota’s passage of a similar bill in May… is the Minnesota bill inherently less evil, or is it just because Flyover Country? ;-)