Why doesn't password-locking your phone apply to turning the power off?

[Rakehellion]

When people steal your phone the first thing they do is turn it off so you can't track it.

As far as I know, no consumer-targeted computer system has ever required a password to turn it off. That isn't really a security feature.

 

[Rakehellion]

Read the thread, please. It's not that easy to remove the battery from an iPhone.

That isn't intended as a security feature. And every phone on the market can be hard reset without removing the battery.

Most thieves are stupid. It's why they become thieves.

That's a stupid thing to say. If they stole from right under your nose and didn't get caught, they're obviously smarter than you.

 

[corkyg]

... It wasn't put in an open zippered pouch. It was closed inside a zippered pouch. The pouch was openED by the thief and then left open. Also, when getting on a plane where you can't use your phone anyway it loses the utility it normally provides and, therefore, much of the reason to be carried on your person.

By "open" zippered pouch, I mean one that is not secured, i.e., by a padlock oir a nylon zip tie. I keep all external pouches in luggage empty and secured by nylon zip ties. I don't want some yo-yo slipping something into my bag either.

I always carry my smart phone in a padded belt pouch secured to my body. BTW, they can now be used until take off and as soon as the plane lands.

Yeah - thieves are opportunistic - they watch and wait for people to do things like put small, valuable items in unsecured zipper pouches.

Travel "street smarts" comes with experience. You have now achieved some of that.

 

[CZroe]

That isn't intended as a security feature. And every phone on the market can be hard reset without removing the battery.

That's exactly why I suggested a fake shut-down that puts it into "RAPE!" mode (secretly phoning home by periodically screaming over cellular data and every unsecured WiFi access point it can find/connect to). To complete the illusion, it would also have a fake boot-up process when the thief tries to turn it on again (presumably after removing the SIM) and a fake wipe process when they try to wipe it (hides all of your stuff). Of course, those would be options for those less concerned with their data/info and more concerned with recovering the device (can still have a passcode). It would be nice if it also made the phone appear to be less desirable with fake scratches and water damage that the thief thinks he/she may not have noticed before unknowingly activating "RAPE!" mode. Even better: a lock-screen wallpaper that looks like a cracked screen and then a simulates a cracked screen everywhere after activating "RAPE!" mode. When it is being used by the thief it hides the WiFi connection indicators or returns to normal WiFi operation (allows the dumb thieves to connect to a network deliberately). Being able to selectively wipe remotely without clearing WiFi passwords and network setting to increase the chances that it will get online is a huge plus. You could also leave all the unimportant apps like games and crap on there and load it with fake contacts and call history so that it will not appear to have been wiped. I think this would be great for tablets too.

By "open" zippered pouch, I mean one that is not secured, i.e., by a padlock oir a nylon zip tie. I keep all external pouches in luggage empty and secured by nylon zip ties. I don't want some yo-yo slipping something into my bag either.

I always carry my smart phone in a padded belt pouch secured to my body. BTW, they can now be used until take off and as soon as the plane lands.

Yeah - thieves are opportunistic - they watch and wait for people to do things like put small, valuable items in unsecured zipper pouches.

Travel "street smarts" comes with experience. You have now achieved some of that.

Then what you meant to say was in the open. *thumbup*

Also, I'm not sure I want to be digging under my clothing just before take off or just after landing. Great place for valuables I don't trust with checked or stowed carry-on luggage, though.

 

[MrX8503]

Read the thread, please. It's not that easy to remove the battery from an iPhone.

I know. The point I'm making is that anything you can do the thief can do the same. Removing the battery on an iPhone isn't really an option for both parties.

 

[Ichinisan]

That isn't intended as a security feature. And every phone on the market can be hard reset without removing the battery.

The lock+home reset only resets your phone. It does not turn it off. That is quite possibly by design.

[edit]
Forcing it off is just a bit trickier.

 

[Ichinisan]

That's a stupid thing to say. If they stole from right under your nose and didn't get caught, they're obviously smarter than you.

Yeah. Because "Intelligence" is the same thing as "light fingers + lack of ethics."

 

[CZroe]

The lock+home reset only resets your phone. It does not turn it off. That is quite possibly by design.

But holding power for 30 seconds does.

 

[CZroe]

Anyway, all of you "you can use tools to remove the battery!" people need to realize that it's not just the same as removing a battery when you have to do all that. The point iof removing the battery is to QUICKLY make it silent and untraceable until you leave the victim's vicinity and obtain privacy. Setting up a bench and using two different screwdrivers and securing very tiny screws and parts (the same screw that holds down the battery connector also hold down a tiny grounding contact spring/finger/pogo-pin) is not a feasible alternative. Don't forget that the battery is also glued in and often can't be quickly lifted out and the backplate will not slide back on without reconnecting the battery. Some phones/devices have soldered in batteries and take quite a bit more to get into (suction cups and pry tools).

 

[Ichinisan]

But holding power for 30 seconds does.

No.

Holding lock+home and continuing to hold it for a few seconds after it starts to reboot will shut it off. It's actually pretty tricky to make it do that and I don't expect the criminal to be familiar enough to pull it off.

 

[Rakehellion]

The lock+home reset only resets your phone. It does not turn it off. That is quite possibly by design.

So if you couldn't turn of the machine, you could endlessly reset it to prevent it from running any code. You don't think this through, do you?

I don't expect the criminal to be familiar enough to pull it off.

You go from saying criminals shouldn't be able to turn off the machine to saying they wouldn't know how. Holy fuck, you're getting desperate.

Yeah. Because "Intelligence" is the same thing as "light fingers + lack of ethics."

They're obviously better versed in security than you. Particularly considering your ridiculous suggestions on how to lock down a phone.

And some of the least ethical people in the world are also considered to be the most intelligent, e.g., politicians/the wealthy.

 

[CZroe]

So if you couldn't turn off the machine, you could endlessly reset it to prevent it from running any code. You don't think this through, do you?

This isn't OT. Watch your language. Now, YOU aren't the one thinking this through. Try it one more time: Why does a thief immediately turn off a phone? This time, think of ALL the reasons.

The main one is discretion. Preventing code execution and calls only provides one layer of discretion. Do you really think the thief is going to keep the phone out resetting it while leaving the vicinity? They don't want to be seen walking away with your phone to be caught red-handed.

When Ichinisan's Samsung N400 was stolen from the table over his head inside a shop, the thief was still in the store. OBVIOUSLY, the thief wasn't walking around holding it. Ichinisan went straight to the front and called it. Sure enough, the thief who was still in the store had already turned it off. He called me at work and we both started furiously calling it so that we would get through as soon as it was turned on. If it were endlessly rebooting like an iPhone then the thief would have been caught red-handed either by being seen manipulating the phone to keep it from booting or by the call going through.

In the days of instinctive custom ringtones and GPS tracking, you can now do far more incriminating things than make a phone ring at an incriminating time. No matter what: Without the ability to immediately turn it off and keep it off, you are taking a bigger risk. Got it?

You go from saying criminals shouldn't be able to turn off the machine to saying they wouldn't know how. Holy fuck, you're getting desperate.

Why do you think ALL criminals have the same level of knowledge? Some know, some don't.

In 2010 I had an iPhone 4 brought to me for repair by my new boss. He said he bought it from a family member who "always has" these things, but his contact is clearly a thief. The phone was obviously originally lost or stolen (cracked back glass; probably found after it fell off a vehicle or balcony).

Working in security, we manage lost and found property often and are supposed to be trustworthy people, so I refused to work on it even though it was not from our site. I did identify the original owner and gave him the name (PIN locked but it did report [owner's name]'s iPhone" when connected to the PC). Sure enough, he turned around and paid $80 at some shady Chula Vista place to get it wiped and fixed. Sure enough, a man like that doesn't last long in a position of trust (fired in less than two weeks).

Anyway, my point is that this phone came from a thief and it was fully charged and turned on every time I saw it for several days before it was "fixed." The thief did not even wipe it before selling it. Stop pretending that every thief is a professional at out smarting people and understand that these are measure to make it as difficult as possible so that a thief must be that kind of thief to get away with it.

They're obviously better versed in security than you. Particularly considering your ridiculous suggestions on how to lock down a phone.

And some of the least ethical people in the world are also considered to be the most intelligent, e.g., politicians/the wealthy.

EVERY thief is a master thief in your eyes and so there is no point in doing anything to thwart lesser thieves? You're right. They don't exist. Why bother?

As for his "ridiculous suggestion," I searched the page for his posts and I think you are confusing him with me. Even then, all I'm talking about is a cool jailbreak tweak that obviously wouldn't fool anyone if it were the default behavior.

 

[Ichinisan]

[wtf?]

I think you have me confused with someone else.

So if you couldn't turn of the machine, you could endlessly reset it to prevent it from running any code. You don't think this through, do you?

You think it would be easy-as-pie for a criminal to get away with a stolen phone while continuously rebooting it with an awkward two-handed button combination? No more difficult than a phone with a removable battery?

You go from saying criminals shouldn't be able to turn off the machine to saying they wouldn't know how. Holy fuck, you're getting desperate.

Huh? When did I say that criminals "shouldn't be able to turn off the machine?" I only wished that there was a native way to restrict unauthorized users from turning it off. The native/normal turn-off procedure is intuitive and easy. Any idiot can figure it out. Most dumb / opportunistic criminals probably would not know how to enable Recovery Mode while discretely shuffling away from the scene of the crime.

They're obviously better versed in security than you. Particularly considering your ridiculous suggestions on how to lock down a phone.

Please list the "ridiculous suggestions" I endorsed.

And some of the least ethical people in the world are also considered to be the most intelligent, e.g., politicians/the wealthy.

If a thief is intelligent, he/she can earn a living in a way that doesn't risk his/her freedom and well-being. Most thieves are not intelligent, or they are addicts that desperately take stupid risks.

 

[Ichinisan]

Rakehellion seems particularly offended by my suggestion that most opportunistic thieves lack intelligence. :hmm:

 

[Rakehellion]

When Ichinisan's Samsung N400 was stolen from the table over his head inside a shop, the thief was still in the store. OBVIOUSLY, the thief wasn't walking around holding it. Ichinisan went straight to the front and called it. Sure enough, the thief who was still in the store had already turned it off. He called me at work and we both started furiously calling it so that we would get through as soon as it was turned on. If it were endlessly rebooting like an iPhone then the thief would have been caught red-handed either by being seen manipulating the phone to keep it from booting or by the call going through.

You can shut off any computer through hardware reset buttons.

1. This allows you to turn off the machine in the event of a software crash.
2. This allows you to turn off the machine in case the OS cannot boot.

This prevents the user from needlessly draining the battery and/or running malicious code.
Those are more important security features than GPS tracking. And chances are, you've needed to hard reset your phone more than you've had one stolen. The best solution against theft is prevention, not crippling the device.

Why do you think ALL criminals have the same level of knowledge? Some know, some don't.

I don't think they all have the same level of knowledge, but this person does:

Most thieves are stupid. It's why they become thieves.

If a thief is intelligent, he/she can earn a living in a way that doesn't risk his/her freedom and well-being.

We're getting into evolutionary biology here, but no, the fact is everyone lies and cheats at some point in their lives. And as far as intelligence, we have Bernie Madoff, Enron, Rod Blagojevich, etc. But those aren't the intelligent ones, they're the ones who've made a successful living without getting caught.

Okay fine, rage at the person who stole your shit and call them names, but that doesn't make you more of a security expert than the people who made the devices.

Rakehellion seems particularly offended by my suggestion that most opportunistic thieves lack intelligence. :hmm:

The stock market is a game of opportunity. That also doesn't negate intelligence.

As for his "ridiculous suggestion," I searched the page for his posts and I think you are confusing him with me. Even then, all I'm talking about is a cool jailbreak tweak that obviously wouldn't fool anyone if it were the default behavior.

Before you even posted in this thread, he was suggesting that a non-removable battery was a security feature.

 

[CZroe]

Before you even posted in this thread, he was suggesting that a non-removable battery was a security feature.

No. He was arguing that removing the battery with a screwdriver is not equivalent to having a user-removable battery. That argument exists outside of phone security discussions and has been related to everything from inability to gang-charge and carry a second battery to decreased useful lifespan of the device.

 

[Rakehellion]

That argument exists outside of phone security discussions

This is a phone security discussion and has been from page one.

 

[Ichinisan]

You can shut off any computer through hardware reset buttons.

1. This allows you to turn off the machine in the event of a software crash.
2. This allows you to turn off the machine in case the OS cannot boot.

Yeah. This one is a bit trickier. You have to hold two of the hardware buttons in an awkward way that usually requires both hands. Then you have to keep holding them for several seconds after the device resets. It requires more specific knowledge than the more-general "find cover, remove battery" procedure that works for almost every non-iPhone.

This prevents the user from needlessly draining the battery and/or running malicious code.

Absolutely. The problem is, most people will see the phone reboot instead of turn-off. They'll probably let go of the buttons when they see the Apple logo appear. The force-off method isn't intuitive...and that *might* be by-design. I really don't claim to know why Apple made it tricky to forcibly turn the device off.

Those are more important security features than GPS tracking. And chances are, you've needed to hard reset your phone more than you've had one stolen. The best solution against theft is prevention, not crippling the device.

I don't think an optional shut-down PIN would "cripple the device." There are probably good reasons why it doesn't have such a restriction (for example: airlines asking you to turn-off devices and you might be stuck with someone else's phone).

Okay fine, rage at the person who stole your shit and call them names, but that doesn't make you more of a security expert than the people who made the devices.

Did I claim to be a "security expert?" I think you're confusing me with someone else.

Before you even posted in this thread, he was suggesting that a non-removable battery was a security feature.

Nope.

You can remove anything if you have the right tools. I've never repaired an iPhone 5, but the 4/4s takes three screws to remove the battery...

With a screwdriver made specifically for iPhone 4+.

Rakehellion, do you claim that iPhone 4, 4S, and 5 do not require a proprietary "pentalobe" screwdriver to quickly remove the battery? Even with this tool, it would take longer than a typical non-Apple phone that has a user-replaceable battery. Do you disagree? A theif is unlikely to disassemble the phone at the scene of the crime. Do you agree?

If I was a theif and I was heading out to steal iPhones, I'd probably carry a pentalobe screwdriver with me.

You know that nearly all phone thefts are opportunistic.

Do you disagree with this, Rakehellion? A thief often wouldn't know what he has grabbed until he goes somewhere else and pulls it back out of his pocket.

Use find my iPhone.

Like it was said before, what would you do if the software freezes?

Take out the battery? The thief could do that too.

Read the thread, please. It's not that easy to remove the battery from an iPhone.

Repeating myself here.

If software freezes, you could always still hold down the power button and then hold down the home button to force close. Or you could do power+home for a force reboot.

But a smart thief would simply put it in to recovery mode or always carry around a paper clip and remove the SIM card as soon as they could.

Having a passcode lock for power off sounds like a great idea, but there's so many other ways around it that it wouldn't deter a great deal of thefts.

Most thieves are stupid. It's why they become thieves.

Not all iPhones have SIM cards.

I already know that you disagree about the intelligence of most phone thieves. Do you agree that CDMA iPhones do not always have a SIM? Newer CDMA iPhones *do* have an optional GSM SIM for traveling (CDMA+GSM "world phone"); but I doubt the CDMA data connection would be interrupted when you remove the optional GSM SIM. Correct me if I am wrong.

 

[CZroe]

This is a phone security discussion and has been from page one.

So? And HAL is a known Apple apologist who needed to be checked when he incorrectly asserted the relevance how easy it was for a USER to remove the battery from an iPhone with the proper tools (not relevant to a thief in the vicinity of the victim). I pointed out that it STILL doesn't serve the purpose of immediately disabling the phone and keeping it discrete while the thief leaves the vicinity of the victim. The WHOLE POINT was that it wasn't particularly relevant to the security discussion, which is why is moved on to discussion of shut down and reboot behavior. Follow?

 

[Rakehellion]

I don't think an optional shut-down PIN would "cripple the device."

It would be useless as security if you can hard power off the machine with a few key presses or by removing the battery.

Or if the battery is soldered in and there's no hard reset, you'd be screwed in the event of a crash, forgotten password, or hardware failure.

Phone's aren't built around the assumption that they're stolen left and right, nor should they be. In fact there's no security feature on any consumer product that removes essential core functionality.

So? And HAL is a known Apple apologist who needed to be checked when he incorrectly asserted the relevance how easy it was for a USER to remove the battery from an iPhone with the proper tools

Well, I don't care about someone's history as a fanboy. Take that to PM.

This thread is about ways a thief can force your phone to power off and the first mention of an iPhone battery was in that context.

Rakehellion, do you claim that iPhone 4, 4S, and 5 do not require a proprietary "pentalobe" screwdriver to quickly remove the battery?

As I said twice before, that isn't a security feature. The phone can be powered off by key presses.

Do you disagree with this, Rakehellion? A thief often wouldn't know what he has grabbed until he goes somewhere else and pulls it back out of his pocket.

Chances are, it'll be an iPhone or an Android, both of which they'll know how to operate at the basic level. Furthermore, any phone thief will have more knowledge of phone security than the average layman.

I already know that you disagree about the intelligence of most phone thieves. Do you agree that CDMA iPhones do not always have a SIM? Newer CDMA iPhones *do* have an optional GSM SIM for traveling (CDMA+GSM "world phone"); but I doubt the CDMA data connection would be interrupted when you remove the optional GSM SIM. Correct me if I am wrong.

I never commented on SIMs in this thread and no, that isn't effective security either. Worst case, they could just wrap the phone in aluminum foil.

 

[Rakehellion]

And I think you're overrepresenting opportunistic thieves versus professional thieves who are probably lifting 10 of these a day and are intimately familiar with the software.

And really, I mean really, instead of having a "rape mode" on your phone isn't it easier just to keep the damned thing in your pocket where people can't happen upon it?

 

[CZroe]

And I think you're overrepresenting opportunistic thieves versus professional thieves who are probably lifting 10 of these a day and are intimately familiar with the software.

And really, I mean really, instead of having a "rape mode" on your phone isn't it easier just to keep the damned thing in your pocket where people can't happen upon it?

Why is it that you think the place you retrieve it from and return it to is the only place it can be stolen from?

Or are you saying that people who keep their phone in their pockets like you say can never take it out for any reason? Never charge on their desk, never read and respond to texts, never tether over USB, never browse the web, never use apps, and never take calls outside of their own home? Most thefts happen in the presence of the victim, so I'm not talking about stupidly leaving it unattended while doing those things. Phones get snatched right off victims' faces. That's the only way your "keep it in your pocket" method substitutes for any other additional security measures. Not only that, but there are pickpockets in this world of ours.

Forgot to mention: I've had my phone fall out of my pocket on a motorcycle. If someone found it before me, fat lot of good our method was over a "RAPE!" mode.