Is a mandatory kill switch the solution to smartphone theft? by Jane Porter @FortuneMagazine May 27, 2014, 7:53 PM EST E-mail Tweet Facebook Google Plus Linkedin Share icons FORTUNE — How do you stop the growing epidemic of stolen smartphones? Lawmakers in California seem to think it’s by mandating providers to sell devices with built-in “kill switch” capabilities that would make stolen phones inoperable. This month, when the California Senate approved a bill that would require smartphone providers to build a “kill switch” feature into their devices, a key question was left unanswered: Is this the solution to smartphone theft? You’d be hard-pressed to find a consensus among industry experts on the matter. What’s clear is that cell phone theft is a growing problem. In 2013, more than three million devices were stolen in the U.S., up from 1.6 million in 2012, according to Consumer Reports. And in San Francisco alone, 2,400 cellphones were stolen in 2013, up by 23 percent from the year before, according to the San Francisco Police Department. “Police departments across the U.S. are starting to drown in smart phone thefts,”says Tom Kemp, CEO of Centrify, a software and cloud security provider. The bill, SB 962, introduced by State Senator Mark Leno and sponsored by San Francisco’s district attorney, George Gascón, is an attempt to curb these alarming figures. If approved by the California State Assembly and Governor Jerry Brown as early as August, it would require all smartphones sold after July 1, 2015 in California to include a kill switch function that would effectively “brick” stolen phones. Those sellers who don’t comply would face fines of up to $2,500 per device. The bill, which was originally rejected by the California Senate in April and opposed by major providers including Apple AAPL and Microsoft MSFT , passed this month with a vote of 26 to 8. While it targets the state of California, its effects would be national, as added features mandated by the state would likely make it into phones sold across the country. MORE: EBay tells its users to change their passwords after hack attack Opponents of the bill including CTIA, the wireless association that represents providers, believe forcing providers to put a solution in place state-by-state will only hurt consumers in the end. The group believes that the industry itself should drive innovation in the field. “State-by-state technology mandates stifle innovation to the ultimate detriment to the consumer,” according to a statement released by Jamie Hastings, CTIA’s vice president of external and state affairs. In an attempt to take matters into its own hands, last month, CTIA released a “Smartphone Anti-Theft Voluntary Commitment,” an agreement signed by major industry players like Apple, Samsung, AT&T T and Verizon VZ who pledge that smartphones they manufacture after July 2015 will include free built-in anti-theft tools. But supporters of the bill aren’t convinced this is enough and see legislation as a way to speed up the process. “What that California legislation does is a positive step in encouraging the industry to actually develop a solution faster,” says Dmitri Alperovitch, cofounder and CTO of CrowdStrike Inc., a provider of security technology and services. Others see it as a sign of meddling in the industry. “Proponents of a kill switch know nothing about how technology works,” says Robert Siciliano, a McAfee Online Security expert. “Whatever kill switch is implemented, will be hack-able and rendered useless by anyone with ill intent.” Software-only based approaches have the potential to backfire. For one, they can be worked around by clever thieves. “If someone steals a phone, there are ways to block it from receiving communications that would kill a device,” says Greg Kazmierczak, CTO of Wave Systems, a provider of hardware-based encryption technology. For instance, a thief could place the stolen phone in a signal-blocking phone case that would prevent all electromagnetic communications from reaching the device. According to Kazmierczak, it could be possible to put it into one of those cases and perform whatever you need to in order to stop the kill signal from coming in. MORE: Breaking down the White House big data and privacy report Another alternative solution is to use hardware, rather than software to make stolen phones inoperable — an approach that’s becoming more widely recognized in the industry. This would involve embedding actual hardware into the phone that would prevent thieves from circumventing software technology to get access to data encrypted on the phone. Hardware technology offers a much more secure solution, says Kazmierczak. But the question of which technology to use is not arbitrary. It hinges on what drives thieves to steal phones in the first place. “We need to understand what the motivation is in the theft before instilling a solution,” Kazmierczak says. “What’s the most valuable component — the hardware or the data you are storing in your device?” A software-based approach could protect a phone from getting wiped and reset to factory default, but it would not be as effective in protecting the user’s data encrypted on hardware in the device. A hardware-based approach, on the other hand, might make it possible for thieves to reactivate the phone for resale, but would protect encrypted personal data about the original owner from getting stolen. “As we put more and more into these devices, the data is more valuable than the device itself,” Kazmierczak says. Attempts to offer a solution to the problem are already in place by some providers. Anti-theft software like Apple’s Activation Lock rolled out in 2013 as part of iOS 7 and last month Samsung released a “Reactivation Lock,” both of which would allow consumers whose phones were stolen to lock them remotely and prevent thieves from wiping and reactivating their devices to be resold. MORE: No, anti-virus software isn’t dead (yet) And a few phone manufacturers are putting a hybrid of hardware and software technologies in place in their newest models. Samsung phones with Knox technology in them do this, as do newer iPhones that include proprietary hardware to protect encrypted data. The downside of such a hardware solution, of course, is that it can’t be introduced remotely to older modeled phones in the same way a software update can be. Regardless of whether smartphone makers take a software, hardware, or combined approach to theft prevention, one of the biggest challenges they have yet to figure out is where the manpower to monitor and regulate a kill switch function will come from. When someone wants to resell a used phone legally, for example, how can they transfer kill switch capabilities to the new owner safely and securely? “How do you validate that it’s the right person trying to kill the device? Someone could kill your phone if they know your password,” Kemp says. “So far no one has figured that out yet.” Other solutions beyond the kill switch have been attempted, including a database of blacklisted IMEIs or identification numbers for stolen phones, better policing and a proposed bill by New York senator Jeffrey D. Klein, that would require those people selling more than one used phone to provide receipts of purchase to prevent black-market business. But CTIA’s blacklist, which was proposed in 2012 hasn’t helped reduce crime numbers and Klein’s bill has been stuck in a Senate Committee since it was proposed last October. “With robberies of smartphones reaching an all-time high, California cannot continue to stand by when a solution to the problem is readily available,” said Senator Leno in a statement. But while solutions to the problem are available, how effective they’ll be at actually curbing smartphone theft still remains to be seen.