California has passed a new law this week requiring all smartphones sold in the state to have a built-in “kill switch” capable of deactivating the phone in the event that it is lost or stolen.
The new law (SB 962) will take effect starting July 2015, affecting phones manufactured thereafter. However, although the kill switch is only mandated in California, it is probable that other states and countries will follow suit.
In efforts to minimize theft, the feature would “render inoperable the essential features [of the smartphone] to an unauthorized user,” according to the senate bill. Additionally, the tool could also prove helpful for law enforcement, giving police authorization to shut down the phone’s service under emergency situations.
Although authorized users will be given the option to disable or opt-out of the feature at any time, the new regulation has already raised eyebrows for the security and privacy concerns that it may entail.
Tripwire security researcher Craig Young said, “The most obvious use case would be that an attacker might gain access to disable the phone of an adversary but depending on how vendors implement the kill switch, it may introduce other unforeseen consequences.”
“The presence of a kill switch means that there is potentially a newly exposed communications channel to the device, which in turn means that the device has an increased attack surface,” added Young. “Vulnerabilities in this command channel could have dire consequences, since any system capable of rendering the device inoperable will inherently have administrative access to the device.”
Both Microsoft and Google are reportedly planning to introduce a feature similar in Windows Phone and Android similar to Apple’s Activation Lock in its iOS 7 operating system. Apple’s feature already meets all the requirements for California’s new law, but is yet to be enabled in new phones.
The bill also stated “the knowing retail sale” of a smartphone without the feature may be subject to a penalty ranging from $500-$2,500 per smartphone sold in California.
Earlier this year, Minnesota passed a similar law requiring a smartphone kill switch but the feature is not required to be activated as the default setting.
Read More Here…