Handset Theft - A Case Study

Matias Fernandez Diaz, Regulatory Manager, GSMA LA
James Moran, Security Director, GSMA

Restricted - Confidential Information. © GSMA 2011. All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy.


CITEL Recommendations

“measures have proven insufficient to combat this illicit industry”

• Introduce blacklisting of stolen devices in individual countries
• Exchange blacklist data regionally using solutions such as IMEI Database
• Raise public awareness of handset theft and the need to buy from reputable sources
• States to criminalise IMEI changing or other circumvention of blacklisting
• States to better control importation and movement of mobile handsets
• Sellers of handsets to only buy and provide for sale those with a secure IMEI
• Operators to report instances of IMEI security weakness for investigation

“criminal organizations profiting from this business take advantage of the absence of information exchange and of blockage at the international level”


Why does the Industry need to share IMEI information of stolen devices on a regional basis?

• Crime related to handset theft is growing at a high pace in the region.
• These issues have high impact due to crime and murder, resulting in government involvement.
• Latin American countries committed to act against handset theft in their country but with a regional approach (CITEL - PCC.I/RES. 189).
• Some countries have signed bilateral agreements to share stolen IMEI information.
• The region needs to avoid fragmentation, and needs commitment from all parties, public and private.
• 13 groups of mobile operators signed the Latin American Mobile Operators' commitment to combat mobile device theft. All operations to be connected by Mar 13

Many regulators and governments have requested GSMA LA support to share stolen IMEI information on a regional basis.


Handset Theft in United Kingdom - A Case Study


Handset Theft - The UK Problem

• Handset theft considered to be a major social issue with claims that it constituted 52% of street crime
• Handset theft had increased 500% and emergence of smart phones raised second hand value
• Every stolen phone causes misery, possible violence and psychological and life changing consequences
• Onus on industry and governments to work together to introduce effective countermeasures
• Problem not of industry’s making but it was willing to play its part to help combat theft
• Need to work together to combat the problem


Collaborative Approach to Combat Theft

• Handset theft is a challenge but presented industry and government with an opportunity to show leadership
• Local legislation needed to specifically outlaw the changing of IMEIs, importation of spurious devices, etc.
• Improved levels of handset security needed to provide a more robust IMEI that is less vulnerable to change
• Deployment of EIRs by network operators to blacklist stolen handsets on local networks
• Agreement between operators to share data and blacklist stolen handsets across networks via IMEI Database


The GSMA IMEI Database

What is the GSMA IMEI DB?
Centrally located database of valid and stolen handset IMEIs to which operators may connect to upload and download data to control mobile device access on their networks

Why Share Data Nationally/Regionally?
• Isolated EIRs on individual networks are of little use as a deterrent
• Lack of data sharing across networks allows stolen handsets to migrate from one network to another
• Sharing of IMEI data can result in a substantial reduction in handset theft
• Sharing of IMEI data on a national/regional level is the most effective way to combat handset theft

Benefits of Sharing Data?
• National/regional databases allow operators to agree their own blacklisting code of practice to preserve data integrity.
• Volume of data to be uploaded, downloaded and maintained is more manageable
• Data uploaded to a regional database is also placed in a ‘global’ database thereby preserving master database
• The sharing of data on a national/regional level ought to be sufficient to satisfy the requirements of law enforcement agencies, governments, etc.

Why use GSMA IMEI Database?
• Scale – maximize value by sharing with more operators
• Non competitive - operators agree blocking rules
• Free - hosted by GSMA for benefit of all stakeholders
• Flexible - facilitates national and regional data sharing
• Easy - File formats, procedures, tests etc. available
• Stable - in existence since 1996 supported by all EIRs
• Suitable - meets needs of all stakeholders


Global Black List Ecosystem

Effective management requires one global black list

• Black list information reported by operators
• Global black list distributed back to operators by GSMA
• IMEI database is Central Equipment Identity Register (CEIR)

[Diagram: GSMA IMEI DB (CEIR); Black List Info]


IMEI Integrity

• Preserving integrity of IMEI is critical to support the various uses of the identifier
  – IMEI differentiates between genuine and black/grey market devices
  – Legitimate IMEI ranges ensure spurious IMEIs can be identified
  – IMEI integrity necessary to provide confidence in stolen handset barring
• Much progress made by industry to enhance integrity of IMEI implementations:
  – Industry agreed technical security design principles
  – IMEI security weakness reporting and correction process established
  – Contract in place with third party to proactively report security weaknesses


IMEI Security Initiatives

• Technical security design principles agreed with manufacturers
• Formal IMEI security weakness reporting and correction process developed to deal with compromised products during production life
• Proactive identification of IMEI security weaknesses ensured with launch of outsourced detection service


IMEI Security Technical Design Principles

1. Uploading, downloading and storage of executable code and sensitive data
2. Protection of components’ executable code and sensitive data
3. Protection against exchange of data/software between devices
4. Protection of executable code and sensitive data from external attacks
5. Prevention of download of a previous software version
6. Detection of, and response to, unauthorised tampering
7. Software quality measures
8. Hidden menus
9. Prevention of hardware substitution


IMEI Security Reporting

• Recognises dual processes of reporting and resolution of product weaknesses
• Process allows operators to notify GSMA of identified weaknesses
• Process engages with manufacturers and operators centrally rather than locally
• Accelerates cooperation with manufacturers on security levels


Supporting Manufacturers


IMEI Integrity – Significant Progress Made

• 2010 - 11 number of allegations was 120 – down from 286 in the previous year - 58% decrease following a 17% decrease the previous year
• Hacking tools impact just 6 manufacturers – down from 11 in the previous year - 45% decrease
• Number of hacking tools is just 11 - down from 39 in the previous year - 72% decrease
• Only 6 of the hacking tools are new - other 5 were included in the 39 tools that emerged the previous year - new tools is down by 85%
• 83% of compromised device models pertain to just two manufacturers with whom GSMA is working
• 120 compromised models relate to just 0.01% of allocated TACs in the last year!

Significant progress has been made


Outcomes

• IMEI blocking capabilities in place across all networks
• Connection established to the IMEI Database to share data locally and internationally
• Manufacturer commitment recruited for improved security of IMEI implementations
• Legislation introduced to combat IMEI reprogramming
• Significant public awareness campaigns undertaken to heighten awareness of blocking capabilities
• Dedicated police unit (National Mobile Phone Crime Unit) established to focus on mobile phone theft
• 42% reduction in theft levels in first year and steady decline since


Success Factors

• Co-operative spirit between all stakeholders
• Mutual recognition of the need to combat handset theft
• Voluntary undertakings avoided need for regulation
• Need to focus and target devices - not users
• Measures must be consumer friendly
• Focus on effective solutions only
  – Improved IMEI security
  – Supportive legislation
  – Blacklisting and not whitelisting
• Theft levels and solution effectiveness need to be measured


Lessons Learned

• Theft is a global problem and requires an international solution to combat cross border trafficking of devices
• National databases result in fragmentation & an incomplete solution
• Industry and government must work together and align with international initiatives and best practice
• Focus must be on devices and not negatively impact legitimate users, circulation of devices and competition
• Resources must be focussed on workable and effective measures
• Self regulatory initiatives can go beyond what regulation can achieve
• Absolute elimination of theft is unachievable but holistic measures can significantly reduce theft levels
• Sufficient technical capabilities exist in global standards and via GSMA


Available GSMA Support

• Regarded as a trusted knowledge source on handset theft matters having worked with operators and governments in over 80 countries
• Provide IMEI Database functionality free of charge for whitelisting and blacklisting purposes
• Assist network operators with their data sharing initiatives by facilitating discussions on agreeing the rules and processes in a memorandum of understanding
• Provide IMEI number range data to national authorities that may require it
• Continued work on IMEI security levels


Collective efforts can be effective … they just need to be aligned!


Thank you for your attention

Any Questions?

James Moran
Security Director
GSM Association

http://www.gsma.com/technicalprojects/fraud-security/

http://www.gsma.com/latinamerica/gsma-latin-america/handset-theft-in-latin-america-the-gsma-imei-database/