FCC move to disable stolen smartphones won't stop government data thieves

Thinkstock

A new nationwide system for shutting off stolen smartphones announced Tuesday might stop scammers from reselling government devices, but it won't necessarily protect the sensitive data inside, some information security experts say.

The wireless industry has agreed to, within six months, block service on portable electronics when users report them to police as stolen, Federal Communications Commission Chairman Julius Genachowski and law enforcement officials said Tuesday. The companies also are working to create, within 18 months, a single database containing the identification numbers of stolen devices worldwide so that thieves cannot swap carriers to avoid detection.

In Washington -- home of the federal government -- cellphones are stolen in 38 percent of all robberies, according to authorities. But while the national switch-off board might prevent fraud, confidential data stored in phones that are unencrypted still could be compromised, some information security experts say.

Several major agencies handling sensitive information have neglected to encrypt their employees' mobile devices, according to the White House's annual report on data security compliance.

The Veterans Affairs Department, the largest federal agency, reported that only 55 percent of its portable electronics inventory -- including smartphones, tablets and laptops -- is protected with a standard encryption format called Federal Information Processing Standards 140-2; NASA ranked at the bottom with a 41 percent protection rate; and the government's cybersecurity overseer, the Homeland Security Department, reported 75 percent of its devices were encrypted.

Most agencies reported encrypting at least 80 percent of their mobile devices, including 100 percent fully encrypted inventories at the State and Treasury departments and the General Services Administration and Social Security Administration.

AT&T, T-Mobile, Verizon and Sprint, the carriers that cover 90 percent of U.S. subscribers, have committed to participate in the phone-disabling database, FCC officials said.

The move comes after the Major Cities Chiefs Association, which represents New York, Philadelphia, Miami and other large U.S. cities, endorsed in February a resolution calling on FCC to require that communications firms disable stolen mobile devices to discourage future thefts.

The idea is that if the phones don't work, criminal rings won't have an incentive to lift them.

"This database will enable carriers to disable stolen smartphones and tablets, dramatically reducing their value on the black market," Genachowski said Tuesday, during a briefing on the initiative.

District of Columbia Metropolitan Police Chief Cathy Lanier said vigilance has not been enough of a deterrent for criminals.

But some security specialists said a larger problem for government is the lack of industry agreement on how to protect the sensitive information stored inside phones.

"The information in a cellphone is far more valuable than the ability to use it to make calls," said Tom McAndrew, an executive vice president at information technology compliance firm Coalfire. "The IT security industry has been struggling for years trying to figure out how to protect data at rest using encryption."

One of the major weaknesses with encryption on mobile devices is the inconsistency among industry standards, he said.

"It was not too long ago that anything in the federal government was made especially for the government, but now we rely on encryption solutions from the private industry," McAndrew said. "We have tried to standardize those encryption solutions using standards such as FIPS 140-2, but the vast majority of encryption solutions used in mobile devices are not certified to federal standards."

Federal phones also could fall prey to data thieves along the supply chain.

"Many mobile devices are manufactured with components from countries that are trying to get sensitive information from our federal agencies," said McAndrew, who also serves as president of the Seattle chapter of the global IT professional organization Information Systems Audit and Control Association.

The hardware, software and settings within communications devices must be validated as secure throughout the path of production, he added.

FCC's program "is a step in the right direction and will help provide some level of protection to consumers, but falls short of what federal agencies need," he said.

Officials at GSA, the purchasing arm of the federal government, said because the wireless industry database is still in development, it is too early to know whether the system will help its customers at agencies. Certain umbrella contract vehicles, including the large Networx telecommunications program, already require mobile device vendors to offer data security features, GSA officials said.

FCC officials did not immediately respond to a request for comment.