At last Friday’s Security Group meeting, we talked about security protocols that are intended to deter theft or reduce its consequences, and about how they go wrong.
Examples include:
- GSM mobile phones have an identifier for the handset (the IMEI, separate from the subscriber identity carried on the SIM) that can be blacklisted when the phone is stolen.
- Some car radios stop working when the battery is disconnected, and only start working again when a numeric code is entered. This is intended to deter theft of the radio.
- In Windows Vista, BitLocker can be used to encrypt a disk volume. One of its intended applications is that if someone steals your laptop, it will be difficult for them to read the encrypted data.
Ross told a story of what happened when he needed to disconnect the battery on his car: the radio stopped working, and the code he had been given to reactivate it didn’t work – it was the wrong code.
Ross argues that these reactivation codes are unnecessary, because other measures taken by the car manufacturers – such as making radios non-standard sizes, and hence not refittable in other car models – have made them redundant.
I described how the motherboard on a laptop had recently needed to be replaced. The motherboard carries the TPM chip, and BitLocker seals the key that unlocks the volume to that TPM. If you replace the motherboard, the data on your hard disk becomes unreadable even though the disk itself is physically fine, unless a recovery password or recovery key was stored somewhere else beforehand. Domain-joined Vista machines can be configured so that the recovery password is backed up to Active Directory, where a sysadmin somewhere within your organization can retrieve it when this happens.
Both of these situations suffer from classic usability problems. The recovery procedures are invoked rarely, so users may not know what they are supposed to do; and if your system is configured incorrectly, you only find out when it is too late: you key the code into your radio and it remains a doorstop; the admin you hoped was escrowing your keys turns out not to have the private key corresponding to the public key you were encrypting under (or, more subtly, the person with the authority to ask for your laptop’s key to be recovered is not you, because the appropriate admin has the wrong name for the laptop’s owner in their database).
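The practical lesson of the BitLocker story is to test the escrow before the motherboard dies rather than after. The script below is an added example, not code from the original post or from Microsoft: it uses the BitLocker and ActiveDirectory PowerShell modules (which ship with Windows 8 / Server 2012 and later; on Vista the equivalent steps are done with manage-bde.wsf) to confirm that the operating-system volume has a recovery-password protector, to back that protector up to AD DS, and then to read it back from the computer object so that a missing or mis-targeted escrow shows up now. The mount point `C:`, the use of the local computer name to find the computer object, and the assumption that the caller has been delegated read access to the msFVE-RecoveryInformation objects are all assumptions of the example.

```powershell
# Added example (not from the original post). Assumes: Windows 8+/Server 2012+ with the BitLocker
# and ActiveDirectory PowerShell modules, a domain-joined machine on which BitLocker is already
# enabled for C:, and an account permitted to read msFVE-RecoveryInformation objects under the
# computer account. Run in an elevated PowerShell session.
param([string]$MountPoint = 'C:')

Import-Module BitLocker
Import-Module ActiveDirectory

# 1. Is there a recovery-password protector at all? A TPM-only volume has nothing to escrow,
#    and after a motherboard (and therefore TPM) swap its data is unreachable.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    Write-Warning "$MountPoint has no recovery-password protector; adding one."
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# 2. Escrow every recovery-password protector in AD DS. Group Policy may already do this when
#    BitLocker is turned on, but that silent automatic step is exactly the one that fails when
#    the policy is wrong, so do it explicitly and then verify.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 3. Read it back. The escrow is only real if an msFVE-RecoveryInformation object under this
#    machine's computer object carries a GUID that matches a protector on the volume.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$escrowed   = @(Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                             -SearchBase $computerDn `
                             -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword')

# KeyProtectorId is "{GUID}" in upper case; msFVE-RecoveryGuid is the binary form of the same GUID.
$localIds = $rp | ForEach-Object { $_.KeyProtectorId.Trim('{}').ToLower() }
$matched  = @($escrowed | Where-Object { ([guid]$_.'msFVE-RecoveryGuid').Guid -in $localIds })

if ($matched.Count -eq 0) {
    throw "No escrowed recovery password in AD matches a protector on $MountPoint of $env:COMPUTERNAME"
}
"OK: $($matched.Count) recovery password(s) for $MountPoint escrowed under $computerDn"
```

Run it once from a normal domain account that has only the rights of a helpdesk operator, not from a Domain Admin: if the read-back in step 3 fails for that account, the person who will be asked to recover the laptop cannot actually see the password, which is the second failure mode described above.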
I also described what happens when an Xbox 360 is stolen. When you buy Xbox downloadable content, you buy two licenses: one that’s valid on any Xbox, as long as you’re logged in to Xbox Live; and one that’s valid on just your Xbox, regardless of who’s logged in. If a burglar steals your Xbox, and you buy a new one, you need to get another license of the second type (for all the other people in your household who make use of it). The software makes this awkward, because it knows that you already have a license of the first type, and assumes that you couldn’t possibly want to buy it again. The work-around is to get a new email address, a new Microsoft Live account, and a new gamertag, and use these to repurchase the license. You can’t just change the gamertag, because Xbox Live doesn’t let the same Microsoft Live account have two gamertags. And yes, I know, your buddies in the MMORPG you were playing know you by your gamertag, so you don’t want to change it.
MS have now more or less fixed the latter problem; there is a process on xbox.com that lets you invalidate all console-locked licences for everything you have bought and move them to a specific single console. You still have to redownload each piece of content, but the licences then work. When the previously licensed Xbox next connects to Live it notices its licences have been revoked and forgets them all 🙂
This works for replacement boxes, or to merge licences from several consoles onto one. The only restriction is that you can only do this once a year. http://www.xbox.com/en-US/support/systemuse/xbox360/licensemigration/faq.htm
They’ve taken their sweet time over it, but it does appear to have solved the problem at last, and with the requirement to repurchase removed too. So... maybe someone is thinking about this 🙂
@Torne: Thanks! (I was looking at out of date documentation, from before the problem was fixed).
So where’s the problem with the GSM anti-theft system? It seems fine to me: the userid (phone number) is associated with the SIM card, which also has its own unique ID, so even if that is stolen with the phone, it can be disabled and my phone number associated with a new SIM, that I put in a new phone.
If the phones really were blacklisted worldwide when they were stolen, it seems to me that fact alone would discourage cell phone theft.
To my mind, the problem is not with the technical aspects of the GSM anti-theft system, it’s with the commercial decision by operators not to implement it! The first GSM network went live in 1992, but it’s only very recently that some operators have begun to exchange blacklists among themselves, years after a culture of phone theft and trafficking became well established.
Sorry, I could have worded the post a bit better. I meant to say that GSM is an example of an anti-theft system, not that it’s an example of the problems.
(Though there’s an economic problem with GSM, rather than a technical one. If your phone is stolen and you have to buy a new one, the phone manufacturer makes a profit. So the manufacturer’s incentive is the wrong way round, unless – for example – the government applies some pressure).
@ Michael Roe,
“there’s an economic problem with GSM, rather than a technical one”
The same problem exists under one of two basic models for all the systems you mention. The models revolve around two basic ideas: the laws of “supply and demand” and the cost of manufacture against duplication.
Unfortunately it is people’s expectations under one model that do not sit well with the other model. And it is further worsened by suppliers trying to cherry pick from the established and known basic models to make hybrids that advantage them and disadvantage the user.
The problem you are raising, “Anti-theft protocols”, is one of a number of specific instances of this more general economic problem that manifests itself as an issue of “liability after transaction”.
The specific example you raise comes to light when a person is forced, due to the actions of one or more third parties, to regain the utility they previously had.
The vendor for obvious reasons wants the person to repurchase another item. The person on the other hand, believing they are not at fault, wishes to regain the utility without having to repurchase the item, and believes that the vendor should assist, not hinder.
This occurs because the person does not understand the implications of the model the vendor used and therefore has expectations of the vendor that the vendor did not specifically offer at the time of the transaction (only appeared to).
The solution to the problem lies with the vendor and the model it is sold under. Change the model and the problem would not exist.
The two basic models of “purchase” and “licence” occur due to the nature of goods, services and intangibles and their costs of bringing to market balanced against post-transaction liability.
It had, until the advent of shrink-wrap software and its accompanying anti-theft or DRM systems, always been the way that, when the use of an item was lost, a person had to purchase a new item, and nobody questioned it; they just grumbled (usually about the price, such is the nature of the human condition 😉 ). The only question of real interest was who was to fund the transaction.
This was due to the items always being physical in a meaningful way and the cost of duplication to an individual usually prohibitive. And the loss of use was by one of three ways:
1) The person’s fault.
2) A third party’s fault.
3) A defect with the item.
In the first case it was entirely the person’s fault (they lost their wallet / dropped their vase), so the cost of replacement was entirely down to them.
In the second case it was usually the theft or accidental destruction of an item, and it was paid for by the third party or by insurance.
In the third case, if it could be reasonably assumed to have been a manufacturer’s defect either in design or in the item, then the warranty covered a replacement and the cost was effectively paid by the manufacturer.
With the exception of security tokens (door keys etc.) there was an implicit assumption that, as the item was physical, it had an attendant duplication cost comparable to the purchase price of a new item. Therefore it was as easy if not easier to buy a new item as it was to duplicate an item (i.e. who photocopies a paperback book?). Therefore items were seldom “backed up” by duplicates prior to the loss of use.
Essentially this “physical” model and remedy 1 has been around since man could “make things by hand” (the correct meaning of manufacture). As time went on insurance came into being and remedy 2 became established. And when manufacturing changed its meaning in the early 1900s with the advent of mass production, remedy 3 followed.
As importantly, the relationship between the cost of manufacture and the cost of duplication changed as well. With hand-made items almost the entire cost of manufacture is the cost of the materials and labour; little is spent directly on design, therefore the cost of making the second item is almost the same as the first. With mass production the cost of the first item involves the design, tooling and setup as well as materials and labour; however the cost of the second item is just materials and labour, which is negligible by comparison. But due to the fact that the costs have to be recovered, the producer usually amortizes them across the first production run.
Importantly, in general the person purchasing a mass-produced physical item sees a price considerably above the real cost of just duplicating an item and is blissful in their ignorance.
Around the 1850s the service industries stopped being just for finance and transportation and started for the likes of ideas and other non-physical items, and with it came the concept of a “fee for use” and eventually a “licence to use” process. Essentially items such as scripts for plays and sheet music could be purchased at a nominal cost to cover copying and distribution; however royalties had to be paid if a performance based on the scripts or sheet music was to be made before others. Essentially the idea of IP as a revenue source became established.
The obvious advantage of a licence to the IP holder was continuing control as well as a continuing income stream. Later, methods of production became licensable as well, which gave rise to the notion of regular payment for continued use, not just per use.
Therefore the two basic models, “purchase” and “licence”, became established but fairly clearly segregated, not just by use but in the way people thought about them.
With the advent of commercial computers in the early 1960s it became clear that a complete intangible was a new high-value product. And due to the fact it was so intangible, the obvious model to use was that of a “licence” which was paid for at regular periods (quarterly / annually).
Twenty years later the home computer had become established and its software, although as intangible as that of the big iron systems, was sold under the “purchase” model as that is what consumers and retailers understood.
Unfortunately it quickly became clear to the purchasers that the cost of duplication was virtually nil, and considerably less than the purchase price. Retailers quickly saw sales fall as hobbyists duplicated and passed on the IP at no benefit to the IP holder.
This was actually not new to Bill Gates, who had written his infamous letter accusing copiers of theft some years previously. But even for Microsoft, which used the licence model, the problem of near-zero-cost duplication continued: “Joe Public” had expectations based on the purchase model and did not understand or want to understand the licence model, and importantly had no financial incentive to do so, in fact the very opposite.
Which gave rise to all the anti-copying and DRM technology we currently see today. Interestingly the ideas have migrated back into tangible goods disguised as anti-theft procedures, but as evidenced by the mobile phone industry amongst others it is more clearly a palliative that has a side effect of increasing revenue.
However in the intervening twenty years some of the concepts of intangibles have got through to consumers, especially the concept of “backing up” and near-zero-cost duplication; they are no longer “blissfully ignorant”. Therefore they tend to become incensed by the notion of having to pay twice to regain utility of an intangible they have paid good money for, and feel quite rightly that they are being unfairly treated by the software producers.
It is this groundswell of bad feeling, made acute by their own design flaws in the Xbox, that has caused Microsoft to change their licence policy, in the main to stop gamers dumping the console in favour of those from other producers.
Clive, the major issue you sidestep completely is the one of benefit-denial anti-theft systems. In this case, if the physical item is stolen it must still be replaced, as before financed either by the consumer or insurance. However, the stolen item is also rendered unusable to the thief. This notion of benefit denial seeks not to prevent theft but to deter it; it does not directly help the consumer whose product is stolen, but reduces the overall losses of the entire class of consumers.
The problem is that when benefit denial requires the assistance of the initial vendor, the vendor has an economic incentive not to provide it – benefit denial, through deterring thefts, actually acts against the vendor as much as the thieves. That is, replacements for stolen items represent a real income stream to the vendors, which is placed at risk by effective anti-theft mechanisms.
Of course, vendors who do actively provide and support benefit-denial anti-theft mechanisms for their products ought to be preferred by consumers, which in a competitive marketplace should be an advantage for those vendors. In some markets this does work (for example, “microdots” and similar in the car industry), but in some it does not (mobile telephone handsets).
@ kme,
“the major issue you sidestep completely is the one of benefit-denial anti-theft systems.”
Actually no, I did not sidestep the issue; I mentioned it a couple of times. Importantly I drew a distinction between who the “anti-theft procedures” benefited with:
“Which gave rise to all the anti-copying and DRM technology we currently see today. Interestingly the ideas have migrated back into tangible goods disguised as anti-theft procedures, but as evidenced by the mobile phone industry amongst others it is more clearly a palliative that has a side effect of increasing revenue.”
That is, if it protects the producer or IP holder, not the consumer, considerable effort and resources are devoted to it.
However if it is of advantage to the consumer but not particularly the producer, it has little effort expended on it and is either a palliative or a hindrance to the consumer.
Hence “anti-theft protocols” tend to be difficult to bypass in intangibles like software and IP-based products and relatively easy in physical items such as mobile phones and car radios.
Which therefore appears to make the “anti-theft protocols” linked to the cost of duplication, not the initial effort, which like the cost of design tends to be a one-off that can be balanced against the profit of illicit duplication by more organised gangs.
Which brings me onto your second point,
“…the stolen item is also rendered unusable to the thief.”
This does not appear to be the case with physical items that are stolen by those with a modicum of knowledge, or contact with those who do.
Often the security can be bypassed by a default code or bridging a solder link on the control board (and there are stories of putting early EEPROM devices in deep freezers). Often these days the information ends up on the Internet within a few days of new products becoming available, by those whose rewards appear not to be directly financial.
Which is why in the case of car radios an easier deterrent which is actually more cost-effective is to make the case (not the internal electronics) bespoke to a particular make or model of car. However there is still a residual market for “hot radios” in that some thieves will steal either to sell on to less reputable dealers or repair shops.
Which brings me onto your third point,
“it does not directly help the consumer whose product is stolen, but reduces the overall losses of the entire class of consumers”
As has been noted by others above my post (which is why I did not mention it in detail), this appears not to be the case with the likes of mobile phones. Also high-end cars and other valuables for which there is an “out of region” market such as Africa and the Middle East.
This actually benefits the producer as they effectively get two sales in a premium market as opposed to one premium-price sale and possibly one considerably reduced-profit sale into a non-premium market.
You partially acknowledge this with,
“The problem is that when benefit denial requires the assistance of the initial vendor, the vendor has an economic incentive not to provide it – benefit denial, through deterring thefts, actually acts against the vendor as much as the thieves. That is, replacements for stolen items represents a real income stream to the vendors, which is placed at risk by effective anti-theft mechanisms.”
What you have missed is that “anti-theft protocols” that benefit the consumer actually cost the producer directly.
That is, they have to add the feature and support it.
Adding a feature can often be a one-off cost during design, but sometimes not. If a unique unalterable identifier has to be included in the product it is something that has to be done on the production line and requires additional tags and identifiers to be placed on the packaging for auditing and traceability.
The auditing and traceability require additional systems that often have significant costs.
Further there are “re-work” costs: when a product is returned for warranty repair it raises all sorts of issues, as Microsoft has found. I won’t list them as there are quite a few, especially in Fast Moving Consumer Electronics (FMCE); the important thing is that they all increase the producer’s costs significantly.
A classic example of this is mobile phones: due to having to have a unique serial number as part of the basic functionality, you would think that “anti-theft” would be for free.
Well, as can be seen it is not, as mobile phone theft is still as strong as ever.
The reasons are “regionality” and cost. The cost of barring a phone falls not on the producer but on the network operator. Although possibly in their interests for political reasons to bar phones stolen in their region, there is little or no value from barring out-of-region phones; in fact there is a very significant cost which is completely disproportionate to any benefit.
This is due to the cost of having accurate and reliable databases, and not just the systems to support them.
And importantly, if the ID in a physical device is alterable, as so many are, then organised crime or enthusiasts are going to find out how to bypass it, which further renders it a worthless cost to the producer.
You appear to have missed the difference between local and regional crime. Although you are aware of some of its effects from your comment,
‘In some markets this does work (for example, “microdots” and similar in the car industry), but in some it does not (mobile telephone handsets).’
We live in a global economy these days and criminals are more than aware of this and will quickly supply a demand in another region, often before the producer has organised a supply chain there. Even when not specifically criminal, the “grey market” represents a substantial movement of goods, often against the producer’s wishes.
All in all, “anti-theft protocols” for protecting consumers’ physical items for them are a bit of a joke. The producer does not want to do anything other than pay lip service to them, due to the significant increase in cost either in production or in “after transaction” support (which their competitors have no reason to incur).
The primary requirement for consumer anti-theft protocols to be reliable is the use of a unique and unalterable ID in each physical item. The secondary requirements are accurate logging, detection and recognition of the ID of stolen items.
Most physical consumer items are “off line”, so effective ID detection becomes the main success criterion of reliable “anti-theft protocols”. There are various ways that the detection threshold can be raised (RFIDs for instance) but they all have privacy and social issues which we are only just starting to think about.
Further to this are the back-end systems, which have privacy and social issues we know more about. Do you really want a database of all you own being available? Ignoring the possible benefits to thieves, marketing people and other ne’er-do-wells, think how governments can use it to assess if you should be taxed more or not entitled to some benefit such as health care, or worse, use it for various types of profiling to bring you under the scrutiny of various authorities.
Then there is the attendant ROI of the systems, and who is to benefit and who is to pay. In a cost-sensitive market such as that for consumer items (FMCE etc.), the customer is not going to pay for them, the insurance companies don’t really want to know except for high-value items, and politicians are not going to want to fund such systems, as taxation is reserved for “purchasing votes”, not some possible “social good” at a time in a distant political future.
I would suggest that the only “anti-theft protocols” that have a potential future are those that have benefit to the producer, not the consumer, and then only for intangible “online” items such as software and other IP-based products. Effectively they are going to be DRM systems, and calling them “anti-theft” is just more spin.
P.S. I wonder how long it will be before we see a paper based on these comments. And will they be attributed 😉
If Ross still hasn’t got his radio working, tell him to remove it from the car and put it in the freezer for a few days. This kills the battery that keeps the PIN code storage working.
A rather interesting example of an anti-theft system consists of trunked radios. Many systems of this type can receive an over the air “kill” command as soon as theft is reported to the controller, or if it detects the presence of an unauthorised station by polling.
Roger,
Not sure which “trunked radios” you are referring to.
However I know that for some I have worked with the “kill” requirement is not quite what it appears. It merely removes the security codes etc. for the CDMA (frequency hopping / spread spectrum) and any keys for voice ciphers in use, thus removing it securely from the “net”.
It does not however really disable the device, and anybody with an appropriate “fill gun” can reprogram it.
I would be interested in which ones have a real “kill” function (i.e. permanently disabled) or one that at least requires a return to manufacturer to be re-enabled.