How do you stop the growing epidemic of stolen smartphones? Lawmakers in California seem to think it's by mandating providers to sell devices with built-in "kill switch" capabilities that would make stolen phones inoperable. This month, when the California Senate approved a bill that would require smartphone providers to build a "kill switch" feature into their devices, a key question was left unanswered: Is this the solution to smartphone theft?
You'd be hard-pressed to find a consensus among industry experts on the matter. What's clear is that cell phone theft is a growing problem. In 2013, more than three million devices were stolen in the U.S., up from 1.6 million in 2012, according to Consumer Reports. And in San Francisco alone, 2,400 cellphones were stolen in 2013, up by 23 percent from the year before, according to the San Francisco Police Department. "Police departments across the U.S. are starting to drown in smart phone thefts," says Tom Kemp, CEO of Centrify, a software and cloud security provider.
The bill, SB 962, introduced by State Senator Mark Leno and sponsored by San Francisco's district attorney, George Gascón, is an attempt to curb these alarming figures. If approved by the California State Assembly and Governor Jerry Brown as early as August, it would require all smartphones sold after July 1, 2015 in California to include a kill switch function that would effectively "brick" stolen phones. Those sellers who don't comply would face fines of up to $2,500 per device.
The bill, which was originally rejected by the California Senate in April and opposed by major providers including Apple (AAPL) and Microsoft (MSFT), passed this month with a vote of 26 to 8. While it targets the state of California, its effects would be national, as added features mandated by the state would likely make it into phones sold across the country.
Opponents of the bill including CTIA, the wireless association that represents providers, believe forcing providers to put a solution in place state-by-state will only hurt consumers in the end. The group believes that the industry itself should drive innovation in the field. "State-by-state technology mandates stifle innovation to the ultimate detriment to the consumer," according to a statement released by Jamie Hastings, CTIA's vice president of external and state affairs. In an attempt to take matters into its own hands, last month, CTIA released a "Smartphone Anti-Theft Voluntary Commitment," an agreement signed by major industry players like Apple, Samsung, AT&T (T) and Verizon (VZN) who pledge that smartphones they manufacture after July 2015 will include free built-in antitheft tools.
But supporters of the bill aren't convinced this is enough and see legislation as a way to speed up the process. "What that California legislation does is a positive step in encouraging the industry to actually develop a solution faster," says Dmitri Alperovitch, cofounder and CTO of CrowdStrike Inc., a provider of security technology and services.
Others see it as a sign of meddling in the industry. "Proponents of a kill switch know nothing about how technology works," says Robert Siciliano, a McAfee Online Security expert. "Whatever kill switch is implemented, will be hack-able and rendered useless by anyone with ill intent."
Software-only approaches have the potential to backfire. For one, they can be worked around by clever thieves. "If someone steals a phone, there are ways to block it from receiving communications that would kill a device," says Greg Kazmierczak, CTO of Wave Systems, a provider of hardware-based encryption technology. For instance, a thief could place the stolen phone in a signal-blocking phone case that would prevent all electromagnetic communications from reaching the device. According to Kazmierczak, it could be possible to put the phone into one of those cases and do whatever is needed to stop the kill signal from coming in.
An alternative is to use hardware, rather than software, to make stolen phones inoperable -- an approach that's becoming more widely recognized in the industry. This would involve embedding actual hardware into the phone that would prevent thieves from circumventing software technology to get access to data encrypted on the phone.
Hardware technology offers a much more secure solution, says Kazmierczak. But the question of which technology to use is not arbitrary. It hinges on what drives thieves to steal phones in the first place. "We need to understand what the motivation is in the theft before instilling a solution," Kazmierczak says. "What's the most valuable component -- the hardware or the data you are storing in your device?"
A software-based approach could protect a phone from getting wiped and reset to factory default, but it would not be as effective in protecting the user's data encrypted on hardware in the device. A hardware-based approach, on the other hand, might make it possible for thieves to reactivate the phone for resale, but would protect encrypted personal data about the original owner from getting stolen. "As we put more and more into these devices, the data is more valuable than the device itself," Kazmierczak says.
Some providers have already put attempts at a solution in place. Anti-theft software like Apple's Activation Lock rolled out in 2013 as part of iOS 7, and last month Samsung released a "Reactivation Lock." Both would allow consumers whose phones were stolen to lock them remotely and prevent thieves from wiping and reactivating the devices for resale.
And a few phone manufacturers are putting a hybrid of hardware and software technologies in place in their newest models. Samsung phones with Knox technology in them do this, as do newer iPhones that include proprietary hardware to protect encrypted data. The downside of such a hardware solution, of course, is that it can't be introduced remotely to older-model phones in the same way a software update can be.
Regardless of whether smartphone makers take a software, hardware, or combined approach to theft prevention, one of the biggest challenges they have yet to figure out is where the manpower to monitor and regulate a kill switch function will come from. When someone wants to resell a used phone legally, for example, how can they transfer kill switch capabilities to the new owner safely and securely? "How do you validate that it's the right person trying to kill the device? Someone could kill your phone if they know your password," Kemp says. "So far no one has figured that out yet."
Other solutions beyond the kill switch have been attempted, including a database of blacklisted IMEIs, or identification numbers, for stolen phones; better policing; and a bill proposed by New York senator Jeffrey D. Klein that would require people selling more than one used phone to provide receipts of purchase, to prevent black-market business. But CTIA's blacklist, which was proposed in 2012, hasn't helped reduce crime numbers, and Klein's bill has been stuck in a Senate committee since it was proposed last October.
"With robberies of smartphones reaching an all-time high, California cannot continue to stand by when a solution to the problem is readily available," said Senator Leno in a statement. But while solutions to the problem are available, how effective they'll be at actually curbing smartphone theft still remains to be seen.