SF DA initially pleased in antitheft testing of Apple's iOS 7 Activation Lock, Samsung's LoJack

Posted:
in iPhone edited April 2014
San Francisco's District Attorney George Gasc?n described the smartphone theft deterrent systems demonstrated by Apple and Samsung as "clear improvements" in the City's efforts to thwart crime.

activation


Last week, Gasc?n and New York's Attorney General Eric Schneiderman announced efforts to test the two company's new security technologies to "see if they stand up to the tactics commonly employed by thieves" in an program that partnered with experts from the Northern California Regional Intelligence Center.

In a followup report by the San Francisco Examiner, Gasc?n said he was "very optimistic that they came and were willing to share their technology with us."

He also noted that neither Microsoft's Windows Phone nor Google's Android had similar technology to demonstrate for their own mobile platforms.

Stealing smartphones is a big business, with the US Federal Communications Commission stating that one third of robberies nationally involve a cellphone. In tech savvy San Francisco, the figure is closer to half of all robberies.

Gasc?n declined to detail how the technologies used by Apple and Samsung work, stating that they are not yet finalized. Apple's "Activation Lock" feature remains under NDA as part of iOS 7, while Samsung has contracted with a third party for a security subscription service.

Apple the first OS vendor to announce platform theft security

Apple's new Activation Lock was however demonstrated this summer at the company's Worldwide Developer Conference.

The new feature involves embedding the users' iCloud account into the device's low level firmware, so that even if thieves attempt to wipe the device, it will refuse to subsequently "activate" until the account and password are entered.

iOS "activation" involves the device contacting Apple's servers, an additional step that the company can tie to a specific iCloud account and device's UUID. Apple can therefore refuse to activate a device that has been reported as stolen until both authentication factors (the device and the account) are supplied.

Apple has recently added new layers of security to iTunes and iCloud to support two factor authentication (Apple calls it "two step verification").

two factor authentication


This means that a user can configure their account require access to both a verified hardware device and their account credentials password, preventing a remote third party from simply guessing at their credentials or using an illicitly acquired username and password by itself.

Apple is also using this same heightened security to support secure, encrypted sync of users' passwords and credit card numbers via iCloud Keychain in iOS 7 and OS X Mavericks, and will use this security apparatus to secure iOS 7 Activation via iCloud.


Source: Apple


Apple's existing "Find My iPhone" feature already allows users to track stolen devices or remotely wipe a device after it is stolen, but it is currently easy for a thief to take a stolen device off the network and erase it to "factory new" condition, allowing for easy resale because iOS 6 doesn't yet tie activation into the users' iCloud account.

Stitching "Find My iPhone" into the low level firmware in iOS 7 means that a thief would at least need to crack the device's security via a jailbreak, a practice Apple actively seeks to make impossible (even as hobbyist crackers work to find security exploits to defeat this, enabling root access and making it possible to pirate stolen third party apps).

It appears that Apple's additional activation steps would also require phone thieves to spoof the device's hardware UUID and install new, modified firmware omitting support the Activation Lock feature, both non-trivial tasks.

Until the feature is released and tested by security experts, it's hard to say how difficult it will be for determined thieves to defeat it. It will, however, provide significant new hurdles for criminals to jump.

iOS 7 users can remove Activation Lock and resell their device; the new buyers will be able to use Activation Lock to tie the device to their own iCloud accounts. However, if a user locked and then forgot their account password, they may be unable to reactivate the device until their account credentials are reset.

Samsung selling an app with firmware ties

Without anything similar provided by Google for Android, Samsung has partnered with third party developer Absolute Software to deliver a "LoJack" branded solution, at least for one model of its smartphone lineup: the Galaxy S4.

Samsung's security app solution is conceptually similar to its use of third party Knox software to shore up Android's missing enterprise security features on certain new Galaxy phones.

Tied into the phone's firmware by Samsung, the LoJack app says it can allow users to remotely lock, wipe and locate a missing device similar to iCloud's Find My Phone, but also says it will "work with law enforcement globally to get the device back."

The service is supplied with a $29.99 annual fee, whereas Apple's iCloud and Find My Phone are free to iOS users.

While Absolute says its LoJack app "cannot be removed by a factory reset once the app is installed by the user and activated," thieves are likely to be savvy enough to go beyond a "factory reset" and perform a ROM flash of the firmware itself after rooting the device, as noted by Android Police

The "openness" of the Android platform in general makes it harder to secure such a firmware-level solution, because Google itself does not oppose rooting and reinstalling an Android system's firmware with new code missing the necessary security app support.

Samsung and other Android licensees often do take efforts to make it more difficult to root some of their devices, just as Apple does, both to secure their software and their business model.

However, removing security elements from Android's core firmware is also much easier than with iOS because the underlying Android software is open source and can be compared against the core Android firmware that lacks such security.
«13

Comments

  • Reply 1 of 55
    gazoobeegazoobee Posts: 3,754member
    I'll believe it when I see this in action. At the moment I've had two different iPhones from the "Genius (refurbished) stock" that have caused me problems because despite being pulled out of the box "new" (refurbished new), they actually still had details of the previous owner stuck inside in some fashion, causing me no end of problems.

    If a supposedly clean phone out of the box has those problems now, I have little faith in their ability to clear out the firmware when the users information will be even more deeply integrated with the device. We shall see.
  • Reply 2 of 55
    So pay $29.99 subscription each year secure in the knowledge that LoJack can be defeated by rooting it your stolen S4?
  • Reply 3 of 55
    rob53rob53 Posts: 3,241member
    The problem with Samsung's implementation is it relies on a third-party app with subscription while Apple's solution is built into iOS, is available for free and runs by default. Of course, iPhone parts are still worth money so this might not deter that many thieves. In fact, it might only deter the ones who actually understand what they are stealing. Thieves will always steal no matter how difficult the manufacturer makes it to use again. All this is doing is keeping honest people honest.
  • Reply 4 of 55
    tokyojimutokyojimu Posts: 528member
    But will a simple "hacktivation" as currently implemented be able to bypass this?
  • Reply 5 of 55
    Dan_DilgerDan_Dilger Posts: 1,583member

    Quote:

    Originally Posted by Gazoobee View Post



    I'll believe it when I see this in action. At the moment I've had two different iPhones from the "Genius (refurbished) stock" that have caused me problems because despite being pulled out of the box "new" (refurbished new), they actually still had details of the previous owner stuck inside in some fashion, causing me no end of problems.



    If a supposedly clean phone out of the box has those problems now, I have little faith in their ability to clear out the firmware when the users information will be even more deeply integrated with the device. We shall see.


     


     


    You do understand that turning on Activation Lock isn't really any more complicated to change or remove than your other iCloud account information?


     


    What sort of "details of the previous owner stuck inside in some fashion, causing me no end of problems" have you experienced?


     


    If a phone is wiped, there shouldn't be any data on it. If a refurb is not wiped, wiping it should solve any problems. 

  • Reply 6 of 55
    sflocalsflocal Posts: 6,092member

    Quote:

    Originally Posted by AppleInsider View Post



    The service is supplied with a $29.99 annual fee, whereas Apple's iCloud and Find My Phone are free to iOS users.

     




    Had it been reversed and Apple was the one charging the fee, all the iHaters, fandroids, and general all-around-basement-dwellers would be screaming at the top of their lungs as to how Apple should be ashamed to try extracting more money from the consumer.



    But no... sh!tty Android users have zero or low expectations of their OS so not a peep of complaints in the Android community.

  • Reply 7 of 55
    Dan_DilgerDan_Dilger Posts: 1,583member

    Quote:

    Originally Posted by TokyoJimu View Post



    But will a simple "hacktivation" as currently implemented be able to bypass this?


     


    Well the point is that activation is changing. One would think that if Apple were advertising this as a feature, they'd make it basically functional. But without more available information, it's hard to say too much about how it works.

  • Reply 8 of 55
    teejay2012teejay2012 Posts: 356member

    Quote:

    Originally Posted by Suddenly Newton View Post



    So pay $29.99 subscription each year secure in the knowledge that LoJack can be defeated by rooting it your stolen S4?


     


    Well when you put it THAT way....


    Agree. But how long before the phone is not worth the subscription cost?

  • Reply 9 of 55
    nagrommenagromme Posts: 2,834member
    "subscription service"?? I don't see how law enforcement could praise that.
  • Reply 10 of 55
    matrix07matrix07 Posts: 1,993member

    Quote:

    Originally Posted by sflocal View Post




    Had it been reversed and Apple was the one charging the fee, all the iHaters, fandroids, and general all-around-basement-dwellers would be screaming at the top of their lungs as to how Apple should be ashamed to try extracting more money from the consumer.



    But no... sh!tty Android users have zero or low expectations of their OS so not a peep of complaints in the Android community.



    This is exactly why I never listen to all fandroids posting here. if they can't be objective, why give them a credit. 


  • Reply 11 of 55
    matrix07matrix07 Posts: 1,993member

    Quote:

    Originally Posted by nagromme View Post



    "subscription service"?? I don't see how law enforcement could praise that.


    Indeed. had it been Apple it will be met with harsh criticism. 


  • Reply 12 of 55
    dasanman69dasanman69 Posts: 13,002member
    So pay $29.99 subscription each year secure in the knowledge that LoJack can be defeated by rooting it your stolen S4?

    It's not just rooting. A ROM has to be flashed and I'm sure that the devs will soon incorporate it into their ROM.
  • Reply 13 of 55
    arlorarlor Posts: 532member


    Note to self: kill or kidnap smartphone users rather than simply taking their phones. 

  • Reply 14 of 55

    Quote:

    Originally Posted by Suddenly Newton View Post



    So pay $29.99 subscription each year secure in the knowledge that LoJack can be defeated by rooting it your stolen S4?


     


    This will be like KNOX. You won't be able to root a device with this enabled otherwise what's the point of having it installed? The clue is in their mentioning firmware upgrades.


     


    Now wait until the Android geeks find out you have to choose between having this security software installed OR being able to flash a custom ROM. But not both.


     


    The Android and Windows situation is really quite pathetic in this regard. This should be an OS level feature, not a third party feature (I've been called stupid for saying this in the past, wonder what the apologists have to say now).

  • Reply 15 of 55
    teejay2012 wrote: »
    Well when you put it THAT way....
    Agree. But how long before the phone is not worth the subscription cost?

    The day after you buy it?
  • Reply 16 of 55
    droidftwdroidftw Posts: 1,009member

    Quote:

    Originally Posted by sflocal View Post




    Had it been reversed and Apple was the one charging the fee, all the iHaters, fandroids, and general all-around-basement-dwellers would be screaming at the top of their lungs as to how Apple should be ashamed to try extracting more money from the consumer.



    But no... sh!tty Android users have zero or low expectations of their OS so not a peep of complaints in the Android community.



     


    The $30 subscription fee is totally asinine.  The reason you won't hear massive complaints from the Android community is that Android already has less expensive alternatives (some are even free) to 'remotely lock, wipe and locate a missing device' and those alternatives can do much more then that.  Samsung could come out with a YouTube app tomorrow that costs $200 a year and the Android community wouldn't be up in arms.  They'll just laugh at them and continue using other sources.  If Samsung were to take actions to block their customers from being able to use alternatives, then you'd hear complaints.

  • Reply 17 of 55

    Quote:

    Originally Posted by DroidFTW View Post


     


    The $30 subscription fee is totally asinine.  The reason you won't hear massive complaints from the Android community is that Android already has less expensive alternatives (some are even free) to 'remotely lock, wipe and locate a missing device' and those alternatives can do much more then that.



     


    Biggest crock ever. Those Apps are useless as they can be easily bypassed/deleted. Only with a device that's locked and can't be rooted would you ever have any chance of getting it back after it's stolen.

  • Reply 18 of 55
    drblankdrblank Posts: 3,385member
    $30 annual fee for the Low-jack feature? Ouch.

  • Reply 19 of 55
    arlorarlor Posts: 532member

    Quote:

    Originally Posted by EricTheHalfBee View Post


     


    Biggest crock ever. Those Apps are useless as they can be easily bypassed/deleted. Only with a device that's locked and can't be rooted would you ever have any chance of getting it back after it's stolen.



     


    There's no such thing as a device that can't be rooted. There are even people putting Android on iPhones. 

  • Reply 20 of 55
    dasanman69dasanman69 Posts: 13,002member
    drblank wrote: »
    $30 annual fee for the Low-jack feature? Ouch.

    Beats the alternative by quite a bit.
Sign In or Register to comment.