Cops want Apple, Google to kill stolen phones remotely – so why won't they? UK legislators are questioning why Apple and Google have yet to implement measures to allow smartphones to be locked, reset, and prevented from accessing cloud services after they've been stolen, as requested by police. Apple phones make up about 80 percent of those stolen In a one-off evidence session in the House of …
Gary Davis, global senior director for privacy and law enforcement requests at Apple,....said.... 'It is necessary for me to refute the suggestion that we somehow benefit....'"
My iphone gets nicked, so I buy a new iphone. The stolen iphone gets sold on and the new iphone owner buys apps and accessories from Apple. In many cases the owner of the new iPhone will end up lockedi in the Apple ecosystem and buy more Apple stuff. Apple makes extra money three ways from my phone getting nicked, so it's clearly not neccesary for Davis to refute the fact that Apple benefits from thefts. The committee should have done more than laugh at him, they should have called him out for the liar that he is.
> My iphone gets nicked, so I buy a new iphone. The stolen iphone gets sold on and the new iphone owner buys apps and accessories from Apple.
But what about those phones that get stripped for spares? Think of the money Apple *loses* when repairs are done cheaply by 3rd parties.
(Warning: post may contain irony.)
Activation lock (which is by defaulted enabled on every iPhone) prevents the thief or anyone they sell it to from being able to associate it with an Apple ID until the previous owner disassociates it from their Apple ID, so a new owner can't buy/install any apps on it. That makes it useless other than being able to use it for calls and SMS/RCS (but not iMessage) and use the built in apps like calculator or Safari. I wonder if that's what this is about - stolen phones would be good to use as "burner phones" and maybe the cops are starting to see that happen more often in places where laws make it harder to buy a "burner phone" without showing any ID.
Because stolen iPhones are mostly useless as smartphones, they are generally stolen to be parted out. That's why Apple started tying parts to phones, to make stolen phones useless for parts as well.
It sounds like the cops want to be able to ban IMEI of the phone so they are useless for EVERYTHING but the important question to ask them is "who does the banning?" If I can click a button on icloud.com to do it that's great - so long as I can do it ONLY if my phone is stolen. If the cops can do it then I think it is obvious to any Reg reader why that opens up a huge window for abuse of that power. It sounds like the cops are saying "Apple should do it" but that still gets you back to: who tells them to do it, the phone's former owner or the cops?
The only way I think this all works without being open to abuse is if I have to take action to ban the IMEI but it ALSO requires the cops to take action (i.e. that they've taken a police report where I've attested my phone was stolen) before the ban goes into effect. You'd want the phone to say something on the lock screen to let whoever has it know that happened, so they don't go to their carrier and complain "my bill is paid but my phone stopped working!"
Activation lock is more severe than that. You can't set it up, meaning no access to the internal apps either. Theoretically you can make an emergency call from it without going through the setup process, and I'm not even sure that works. An activation-locked iPhone is restricted enough that you can't use it as a burner phone either. The same goes for Android; a locked phone will require an internet connection and an account check before you can use any of the built in features.
I expect that several implementations of this can be bypassed, but that is true of almost anything you can do. It can't be bypassed easily.
Because, as hinted at elsewhere, activation lock isn't what they want, as that requires the owner to take action.
They want the ability to issue an IMEI and have that banned globally.
Useful for stolen phones, also useful for annoying people governments don't like. (Not that they'd ever do that).
"Activation lock (which is by defaulted enabled on every iPhone) prevents the thief or anyone they sell it to from being able to associate it with an Apple ID until the previous owner disassociates it from their Apple ID, so a new owner can't buy/install any apps on it. "
If somebody passes away, their activation locked devices can wind up as landfill since Apple won't release the device unless a notarized death certificate is sent in and accepted. That can take ages and will likely be low on the list of things to do when somebody is dealing with grief and needing to take care of more important things regarding the person's estate. Maybe there's something important on the device, but probably not. I have several pieces like that I am selling for an estate company. I can wipe all of the data from the device, but it's thousands of dollar in resale value had the person not opted for an activation lock. His estranged mother has no interest in anything that might be on the iCloud accounts and can't be bothered to supply the estate disposal company with a notarized death certificate.
They can be reset, and therefore erased, but you still won't be able to use them because they won't finish setup without being connected to the internet, authenticated to the old account, and disassociated from that account. You can erase an iPhone too by using the firmware reset option that exists for cases where the phone is otherwise bricked, but again, that just lets you erase the original user's content, not take over the device.
"Unless you are too stupid to set up a password on your phone, thieves can’t unlock it."
I don't have a password on my phone. I also don't use it for anything I worry about handing to somebody.
... if you are too stupid to place confidential information on an easily stolen device.............
no, it's still written in a ROM at the factory and can't be modified easilly.
Chagig the IMEI means that you eed to locate the right chip, unsolder it, transfer all it's content, except the IMEI, on a new chip, put in that new chip the IMEI you want, solder the new chip...
So not something that can be done in a hurry.
IIRC 30+ years ago, when GSM (2G) was brand new IMEI blocking was sold as the way to make sure your phone couldn't be used by a thief... and all the operators told you to keep that number around and give it to the police so that they could send it to the operators for blocking.
In France it's in the hand of the cops... If you give them the IMEI of the stolen phone they make sure it's added to the stolen phone list... at least for all the French operators, since they have a single common list. ( and maybe the international list too )
I worked for One2One in 1999 (2nd line support) and IMEI number blocking was definitely a thing, I can't recall if it was network or country specific though... I'm leaning towards network as most phones were network locked back then and jailbreaking wasn't as common or as easy to do.
Try reporting a stolen car or bike to UK police.
They jot down the details and then ignore it.
So we are expected to believe that the police are wanting to put resources into deterring phone theft?
What the UK gov wants (ok, what MI5 and the Met want) is a mechanism in place to remotely disable people's phones. Going to a Greenpeace demo? The ISMI catchers will capture all the IMEIs within a radius and those phones will be suddenly disabled as the kettle is being put in place. End of text-based demo management, end of camera functionality.
There is already a remote lock procedure on both IOS and Android. The difference is that it's initiated by the user, logging into the account they set up, and locking the device. They both have locks on phones which mean that you can't just reset them and use your own account because, if a device has previously been attached to one account, it won't attach to a new account until released by the old account. This means that the level of bricking they recommend is already available, and that method has several advantages because, unlike the IMEI locking option, it's easily reversible if you find that you actually lost the thing and found it again, it doesn't take a police report to start the process, and it comes with several options of how severe you want to get (just lock it versus erase the whole thing).
"the plod do sweet FA about thefts in the UK."
This video suggests different, quite a few resources including a helicopter to chase down and catch a single phone thief.
Maybe too much. It would be better if a technological solution to make phone theft less appealing could be found. Then the police wouldn't have to divert a helicopter and several officers for ages, just for theft of a few hundred quids worth of almost-disposable electronics. which is what this story is all about.
I get that argument.
But once a manufacturer implements OTA bricking, there is a small but non-zero probability, this will become the next vector for cyberattacks.
Especially if a standard requires devices to transmit their IMEI into the cloud to enable this scheme.
Think diverted routings, spoofed DNS entries, transparent proxies, etc.
If for example Apple makes money from you buying a replacement for your stolen iPhone, how would apple not make money if that iPhone was blocked? Which it is anyway unless you were too stupid to enter a passcode.
Do you think car manufacturers should be able to block your car? (In case it is stolen). Or TV manufacturers?
I don't think Apple or Google (except in relation to the Pixel) should be responsible for this. At least some mobile handset manufacturers already implement remote locking technology like Samsung's Knox. I imagine Apple have something similar and Google Pixel has something similar too. Cheapo brands might not but they could do and if the government wanted to make it mandatory they could.
I imagine Apple have something similar
They offer "Lost Mode", which means that (if Find My Phone is turned on), when the phone contacts Apple, it is put into Lost Mode.
IME blocking is something done by network providers, and would require Apple to work with network providers. They don't do that. Apart from people who want to have Apple phone tracking turned off, I don't know if it would have any advantage.
There are several problems with it, but none of them are the ones mentioned by Apple and Google.
The main one is that - outside of Europe and North America - not many operators are signed up to use it. This is slowly being addressed.
A secondary issue is that most of the operators who are signed up only use blocklists for device stolen in their own country - so if you export the stolen device, it works again.
A third is that while the IMEI is usually stored in write-once memory on the device, it has to pass through layers of rather less secure software before it reaches the network. Intercepting and changing the IMEI is illegal in the UK. But so is stealing the phone.
And so on....
That said, it is a relatively simple way of making life more complicated for purveyors of stolen phones. It's far from watertight though.
you can't really change the IMEI, even with software... Since it has to be part (in one form or another, nowadays in 5G only something encrypted derived from IMEI and the IMSI is sent [I won't go in more details, you can read the 3GPP specs] ) of the first messages exchanged by the phone to connect to a PLMN.
> .. governments should actually do their job and have rigorous enough policing to prevent theft and catch those that do it, and adequate punishment and rehabilitation for those caught.
In other news, I'm looking forward to receiving a refund for the costs of locks on my doors and windows...
You may want to live in a police state of the level that would be required to deter all petty crime but most of us do not. What you can do is make the phone worthless to the thieves, and that's already been done. Apple has Activation Lock (and Google an equivalent) but once stolen phones were useless to a thief as a phone they were still worth plenty for parts, and when Apple tried to solve that problem by tying parts together a lot of people complained. Because the downside was that it made broken phones useless for parts as well. While Apple has made using parts from legitimately acquired "used" phones easier people still complain about it, despite its success in making iPhone theft pretty rare.
Now yes people who were stealing iPhones are probably stealing something else, but if you want to live in a country where that's heavily deterred I suggested moving to one where a thief's hand is amputated. Though I'm sure you'd hate it there because they won't let you walk around with a gun all the time which you probably feel you need to feel safe.
It's not "living in a police state" when the device owner has the capability to tell the pigs exactly where the phone is. They could easily use that information to get a search warrant and go get it. Instead all they do is make a report, and whine for stupid shit like this.
A TINY bit of actual police work, and they could retrieve 90% of stolen iPhones. They're too lazy to even try.
If you know location of stolen phone UK police usually do nothing about it.
Most "small" thefts (garage / shed thefts, some house burglaries) do not get a police visit, nor does bike theft (& bikes can have high monetary value).
So theft is essentially a low risk of getting caught crime in the UK.
Great so in the US it becomes another way to SWAT someone.
The device owner alone certainly shouldn't be able to do this, even in countries where the police aren't so homicidal. Even with Apple/Google's help it is trivial to come up with some examples of abuse: Let's say you are bitter about your wife leaving you and you know her new boyfriend uses drugs. You or a friend slip a phone into her purse or duct tape it inside her car's wheel well and wait for it to show up at her boyfriend's house. Then you call the cops and say "my stolen phone is at this address". If it needs to be confirmed in some way by Apple/Google they could confirm that yes this phone was marked stolen and is at this address. So the cops go over there and her boyfriend ends up being busted for the drugs they found while searching the place. Now maybe they find the phone and you get in some trouble too for filing a false report but that's less trouble than a drug charge so it might be worth it if you're bitter enough about the breakup.
Onwurah asked: "Why can't you do what the Met Police is asking for, which is to block it on the basis of the IMEI?"
Wingrove explained that the IMEI is connected to the cellular modem of the device and is a construct from the telecom industry. "The IMEI is actually the identifier for the business relationship that the carrier has with the victim of theft. The IMEI represents that relationship. Our relationship with the user is through the Google account," he said
Yeah, Google accounts in no way have any relationship to the device on which they're used. My device's operating system has no relationship to Google, and Google clearly have no way of knowing the IMEI number of the device I'm using the account on. How could they possibly lock it out of their cloud services at a platform level when reported stolen?
MPs pass dumb laws like the Online Safety Act that try to turn behavioural problems into technology ones, and yet here we have a clear-cut case where the technology exists and could be applied with relatively little effort - just legislate for it!
The network itself checks that when you try to connect to a telecom network. It's part of the built in stuff that's been there sinnce 2G.
To be allowed on a mobile network the terminal equipment ( parse that as phone ) has to send the IMEI and the IMSI in one form or another depending if it's 2G/3G/4G or 5G.
That's how $TELCOs SIM-Locked phones when SIM-Locking was a thing. They were checking the IMEI and the IMSI and if the phone IMSI was not matching with the Phone IMEI in the database they didn't authorize the phone on the network.
> That's how $TELCOs SIM-Locked phones when SIM-Locking was a thing. They were checking the IMEI and the IMSI and if the phone IMSI was not matching with the Phone IMEI in the database they didn't authorize the phone on the network.
That's not how SIM locking works, which is done solely in the phone. SIMs are checked in the phone and without any network access, and if it's not one that's whitelisted then the phone will block it and show the unlocking interface where one could enter an unlock code.
It is also a false statement. The IMSI identifies the subscriber, the International Mobile Equipment Identifier or IMEI identifies the specific device independently of SIM card, IMSI or anything else tying the subscriber to the carrier.
I thought it was a crime to lie to Parliament.
They definitely could do this, but I think it is worth asking why they should. They already have the locking mechanisms. They work. Users can activate them. Why do they need a new way to activate it when they already have existing ones, and the IMEI version will be more fragile and problematic than the your account version?
Our relationship with the user is through the Google account," he said
I think that was already after Google had basically said they wouldn't brick a phone based on its IMEI being reported as stolen, so the MPs then asked if Google would at least prevent a stolen IMEI from accessing it's cloud services, to at least render the phone partly unusable. At that point the Google droid said nah, handset's nothing to do with us.
The same potential issue exists with CompuTrace and other BIOS/IP-style remote laptop erase/disable services: Freddy/Fanny Fatfingers at CompuTrace (or whomever) can wipe or brick the wrong device when they're typing the reported-as-stolen device's MAC address into their control computer.
People and businesses have to weigh whether that risk is less or more than risk of data on their stolen laptops being potentially accessed/copied/sold, and that's why it is an option, not a requirement.
"I don't understand, speaking as a telephone engineer myself, why you can't do that."
Greed, they profit from the crimes. They can do it, but it will hurt their income.
BUT - I can guarantee you if a goog or apple executive's phone gets stolen, it will be blocked and tracked down using the IMEI. But you and me,, nooooo, we are the cattle, not the farmers.
Milk us, butcher us, that's all we are to them, something to squeeze for profit.
We are less than cattle. We are livestock feed.
The livestock are small companies and start-ups that are bought after reaching harvest size, er, a certain market status. We are the suckers, er, punters, that feed their growth until slaughter, er, damn, I mean market buy-out or IPO size.
I don't think 999 would want to be dealing with admin mistakes. But you could allocate another number.
Of course, then you have to staff it (across all languages and timezones, as these phones are shipped abroad), and then deal with all the crims calling and claiming they've accidentally disabled their own phone.
Had to look it up as I specifically remember reading articles saying police said drops in apple theft following them making some change like the one requested in the article.
Apparently that change was activation lock. Can't tell when it was put in the news article I just saw was dated 2021 but references 2013 which sounds more reasonable.
Perhaps it assumes the user has to do something special to enable it. I did read an article on how to disable it seems in some cases you can use specific DNS to bypass it (seems simple for apple to block that workaround if they want). Then you can file a claim with apple to justify that you are the proper owner. They can deny the request(they could just flat out not allow appeals if they want). I'm sure it causes headaches for some legitimate sales of incorrectly prepared devices that are sold.
Doing something more extreme seems likely to cause more headaches. Maybe the police or someone can explain why activation lock isn't good enough. At the time it was expected that the feature would render such devices as useful as spare components only.
Activation lock, and you don't have to do anything special. As long as you have signed into iCloud, it's on by default and will prevent anyone else from activating that iOS/macOS device, even if they wipe it. if you to the DNS bypass thing, you can activate it can't ever sign into iCloud with your own account or it will lock down again.
This does not prevent stolen devices from being chop shopped, nor does IEMI lock.
It occurs to me that a phone that was verifiably inside the UK, when reported stolen, and which is now located outside the UK - is almost certainly stolen. That's a "tell".
Another characteristic sign is that the phone will be factory reset and a new account installed.
Combine both of these, and it should be safe to shut down. Once a phone with a mark against it is moved outside the UK and has had a factory reset, then any attempt to associate it with any cloud account, except the one it was previously associated with, should be made to fail.
That's the thing.
The legitimate owner can already lock and block the phone via their Apple or Google account, so it cannot be used, factory reset or moved to another account. Samsung Knox and other endpoint protection can do it too, esp. for corporate.
If I'm away from home and it gets nicked, then I can in theory log into my Apple or Google account from my laptop and lock the phone almost immediately.
But like most people, I don't have my phone's IMEI number easily to hand. I would have to check the original box - and I suspect most people don't keep that either.
So an IMEI block is going to take a few days or even weeks to look up.
Of course, the real problem is that my OTP app is in my phone...
“ If I'm away from home and it gets nicked, then I can in theory log into my Apple or Google account from my laptop and lock the phone almost immediately.”
You can actually borrow anyone’s device with a browser to do that on an iPhone (don’t know about Google, but it works for them probably as well). So if your phone gets stolen on a train, you just need to find a kind soul letting you use their phone.
“ So if your phone gets stolen on a train, you just need to find a kind soul letting you use their phone. ...... and nick their phone?”
Excellent idea on a train full of people. Where railway police will wait for me at the next station. I think I live in different circles than you do.
...my sim card on my 4G phone was cancelled by the telco. It still worked until the cash on it ran out or it timed out, but I couldn't add any cash to it. So telcos can cheerfully screw with your stuff if they want to. Without giving any reason or offering any recourse.
The MET police murdered Charles Menendez because he was about to turn states evidence that the MET is the largest drug gang in the UK, reselling 'confiscated' drugs from evidence lockers.
hence why over 80 TONS of heroin has "vanished" from their custody.
The MET tried to have ALL phones that could have had footage of the shooting taken off their owners and destroyed. They demanded EE, VM, O2 etc turn over their location data immediately, so they could find who was in the station at the time. To cover themselves from prosecution.
NOW they want the ability to just "turn off" phones en-masse whenever they want to, to stop people filming and posting stuff online. or live streaming police criminal actions.
I'm not sure I want any manufacturer to have the ability to shut down my phone because that means the government, its enemies and Israel will probably also have that ability. It'll also be the excuse why phone crimes will be ignored by the police. Bit like car theft; "Why are you fussing sir, you were insured weren't you? Here's the crime number the insurance company will want it. Enjoy next years premiums".
Just legislate it and force the carriers + the phone manufacturers to go along with it.
You just need to make the reactivation difficult enough, like getting a GPS reading from it or knowing other local device MAC addresses or showing up at a DMV or other government facility with sufficient ID.
Of course, they could do that. Pointing out that we already have that, the replacement would be less convenient all round*, and that there's no need to legislate, would perhaps indicate that you could skip that part. Unless you disagree with that, in which case you could explain why that legislation makes any sense.
* Current way to disable the lock: you authenticate with the account you used to lock it. Your proposed methods:
"getting a GPS reading from it": Spoofable.
"knowing other local device MAC addresses": You could try to harvest those, but the bigger problem is that most users wouldn't know them and they change, so the phone's accepted set would be small and possibly out of date by the time you got it back.
"showing up at a DMV or other government facility with sufficient ID": And this is all you're left with. So instead of authenticating normally, we're going to waste the time of multiple people to do a less reliable version of the same thing.
Trust the police, they are your friends...
It's annoying enough having companies that can refuse to let your phone work because the serial numbers don't match. Giving [Police Department] access to do the same? No thanks. Leave it to the people whose phones have been stolen to make the request, not Detective Random Schmoe at Headquarters. Most Apple device users can easily work out how to access "Find My" Device and have Apple secure the device.
Police have more than enough power over the public, and always want more power to surveil the public for what are (always) claimed to be very good reasons. See the FBI in almost every era in US history.
But if you steal a phone from Apple they'll kill it and make it blare an alarm. https://economictimes.indiatimes.com/news/international/global-trends/return-the-phones-apple-sends-warning-to-thieves-who-looted-iphones-during-los-angeles-riots/articleshow/121796553.cms?from=mdr
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
