The Smartphone "Kill Switch" Law - What Does It Mean For You?

I recently spoke to a reporter preparing a story on California’s new smartphone “Kill Switch” law. This law requires mobile devices sold in California starting July 1, 2015 to include an opt-in feature allowing consumers to remotely render a device useless in case of theft. While I support this, some don’t.

Some industry experts believe this feature will allow oppressive governments to shut down cellular service or open up new channels for hackers to attack phones, thus posing a consumer safety issue. However, I believe the opposite is true: this law will result in more positive outcomes than negative. If nothing else, it’s a great start.

The smartphone kill switch actually has the potential to protect consumers from harm, both financial and physical. Yes, this will make people PHYSICALLY safer. In the security industry, we talk about ominous hackers in ski masks working in a dark room with only the glow of their screens, breaking into a system somewhere in the world and causing harm or even death to someone. Airplanes, manufacturing systems and cars are all perfect examples. We ask industries and developers to implement proper security to protect people from physical harm. For instance, a group of students from Zhejiang University were able to hack a Tesla Model S while the car was being driven. The students were able to open the doors, honk the horn and turn on the headlights, ultimately putting them in control of the vehicle and the driver in danger. We in the “biz” live for the chance to show that our work can harm someone, thus making it literally life or death to patch a system or application. We are now, finally, getting what we have asked for: a way to truly protect people from physical harm through digital controls. At its inception, the Kill Switch will make people physically safer by reducing the number of muggings and physical attacks motivated by mobile phone theft.

Mass adoption of the kill switch law will reduce the financial benefit of device theft, as most smartphones will not be resalable. As we’ve seen a rise in adoption of smartphones, there was also a 24 percent increase in cell phone theft in 2013 in San Francisco alone. With implementation of the kill switch law, we can expect this number to decrease, saving consumers money.

We have long asked for a solution to this issue, and with the kill switch we have finally been given one. Is it perfect? Will it put an end to smartphone theft? Probably not, but it will greatly reduce the number of thefts and physical violence. However, one could also ask if the seat belt, the implementation of the Federal Reserve, or PCI DSS were perfect solutions and the answer would also be no. However, all helped move us in the right direction even if they required various iterations and in some cases additional features, such as the airbag. In the end, this is a net win for consumers.

There is an argument that the kill switch would give governments too much power, which they could use to oppress their citizens. As we’ve seen before, governments already have the ability to shut down cell phone service and target individual devices (or groups of devices). The kill switch would not change this. In reality, targeting a group of people by disrupting their individual phones via the Kill Switch makes no sense. The government would have no plausible deniability, whereas an “overloaded cellular tower” or “network outage” can’t always be proven to be malicious. Remember, legal systems are based on proof, not on what “we all know.”

The technology already exists to intercept communication, jam communication, and block devices from mobile networks for individual users or smaller groups.

At the end of the day, the kill switch will not only decrease the number of people mugged for their phones because there is little net value in the device itself, but it will also provide individuals with the means to wipe the device of personal information, which, in a pre-kill switch world, hasn’t always been possible. Once again, we have to realize that it’s really about encrypting and protecting the data on the potentially stolen device. With the kill switch law in place, your personal data on your mobile device can’t be accessed. As a BYOD employee, if your device were stolen, you wouldn’t want your confidential corporate data or personal information accessed. The kill switch law allows you to keep that information safe.

Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties. Adam is a CISSP, CISA, NSA IAM, MCSE and holds an MBA from Florida State University.