Can you please explain how a kill switch works for smartphones/tablets? Do you see this functionality as an effective enterprise mobile security control for lost or stolen devices? Is it something we should be looking for in either enterprise-provisioned devices or employee-owned devices connecting to our network?
In 2013, over three million Americans had their smartphone stolen -- often at knife- or gunpoint. Additionally, around 40% of total reported robberies in every major metropolitan area involved the theft of a smartphone.
In response to this growing crime, politicians and law enforcement officials are pressing for a kill switch to be added to smartphones to render them useless when stolen. The rationale behind the call for a smartphone kill switch is that if a device cannot be reset and reused once it has been killed, then it will have no resale value and be far less attractive to thieves. Take the theft of car stereos, for example: It is half of what it was in the early 1990s in large part due to factory-installed car stereos requiring an activation code to be entered if they're disconnected from the car battery.
Remote lock and wipe tools are already are built into all Apple, Android and Windows Phone 8 devices (called Find My iPhone, Android Device Manager and Find My Phone respectively). Samsung phones with Knox technology and newer iPhones include a hybrid of hardware and software to protect encrypted data. While these technologies protect corporate data, they do not reduce the value of a stolen phone, so theft and possible physical danger are still potential problems. Google and Microsoft announced that they intend to add a kill-switch feature to their Android and Windows Phone operating systems, but it will be some time before we see a kill switch that works on every type of phone and has safeguards against hackers.
How a kill switch should or would work in practice is far from clear. There are two different proposed kill switches: a hardware kill switch that renders a device permanently unusable, or a software alternative that makes a phone unusable to all but the legitimate owner. The technical implementation of transmitting and authenticating the validity of a kill command is some way off, as is the safe and secure transfer of kill switch capabilities to a genuine new owner of a secondhand phone. Also, the top four wireless carriers in the U.S. earned an estimated $7.8 billion in phone protection plan premiums in 2013, so there is unlikely to be a big in a rush to research kill switch products and provide the manpower needed to monitor and regulate a kill switch function.
Various states are in the process of making a preloaded kill switch a legal requirement, and Congress is also considering national legislation. If state laws are passed, it could speed up the development of software and hardware kill switch technology by carriers and phone makers to prevent phone calls, Internet access and the ability to run apps on a stolen phone.
Until it is a more mature technology, enterprises should continue to rely on encryption, remote lock and wipe, and tracking apps to safeguard enterprise data. Also, enterprises should ensure employees always take the physical security of their mobile devices -- whether they are employee-owned or corporate-owned -- seriously. Asset registers should record the serial and IMEI numbers of all devices, as these will be required along with any locations identified by the device's tracking app when reporting a stolen device.
Read an overview of mobile device security
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Michael Cobb
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Compared to TLS 1.2, TLS 1.3 saw improvements in security, performance and privacy. Learn how TLS 1.3 eliminated vulnerabilities using cryptographic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.