
Restricted - Confidential Information © GSM Association 2009 All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy.


Slide 1: Device Security Update
Sep 2009 JEM Meeting
James Moran, GSMA
Document Number:
Meeting Date: 29 Sep 2009
Meeting Venue: London, UK
For Approval:
For Information: X
Version: 1.0
Security Restrictions: Confidential

Slide 2: Handset theft - the issue
- Handset theft considered to be a major social issue with claims that it constitutes 52% of street crime
- Handset theft has increased 500% in recent years and handsets of the future will be more attractive
- Significant global media coverage since 2003 - most of it negative against the industry
- Onus placed on the operator community to demonstrate social responsibility and implement counter measures
- Problem not of industry’s making but there is an obligation to help combat it

Slide 3: Handset theft – commercial issue
- Consumer need to replace stolen handsets a significant churn factor
- Thefts of subsidised handsets for use on networks in other markets
- Handset theft insurance underwriting costs
- Manipulated handsets impact network quality of service

Slide 4: TCAM Involvement
- Dec 2002 – Request from Industry to consider regulation submitted in Dec 2002
- Sep 2003 – industry agreed objectives and commitments to increase blacklisting and enhance handset security levels
- Feb 2004 – technical security principles agreed and reporting and correction process submitted to TCAM
- Oct 2004 – industry progress reports to TCAM initiated – 9 submitted to date
- Mar 2007 – industry formally rescinded request for regulation based on progress made with industry initiatives
- Mar 2008 – France agreed that regulation is unnecessary and has now shifted focus to m-commerce
- Matter is still not closed

Slide 5: Industry Cooperation
- Co-operative spirit between GSMA and EICTA
- Mutual recognition of the need to combat handset theft
- Significant progress made in short period of time
  – Agreed technical solutions for first time
  – Formal reporting process put in place for first time
  – Improved communications to educate industry
- Initiatives designed to tackle handset theft on a number of fronts
- Regular progress reports provided to TCAM

Slide 6: Voluntary Efforts Undertaken by Industry: Blacklisting of Stolen Handsets
- New IMEI Database developed and deployed to replace CEIR
- Concerted drive to extend EIR use and extensive communications undertaken for operators to connect
- Significant increase in IMEI Database connectivity across Europe
- Access to stolen handset data opened up to third party stakeholders

Slide 7: Voluntary Efforts Undertaken by Industry: Tackling Black Market
- Identification of black market hotspots around the world
- Taxation initiative undertaken to reduce tax levels and associated black market opportunities in identified markets
- Additional technical countermeasures to prevent the re-use of stolen handsets

Slide 8: Voluntary Efforts Undertaken by Industry: Enhanced IMEI Security
- Technical security design principles agreed with manufacturers
- Formal IMEI security weakness reporting and correction process developed to deal with compromised products during production life
- Proactive identification of IMEI security weaknesses ensured with launch of outsourced detection service

Slide 9: Participating Manufacturers

Slide 10: International Recognition of Initiatives
- “[Mobile theft] is the dark underbelly of our great success,” Craig Ehrlich, chairman of the GSM Association, a mobile industry group, said at the 3GSM World Congress here last week.
  Wireless: Thieves take note, Monday, March 1, 2004
- Cell phone Makers Ally To Combat Handset Theft, 27 February 2004
  CANNES, France -- Seven of the world's biggest mobile-phone makers have agreed to make changes to handset designs to combat soaring rates of wireless-related crime… the GSM Association said Tuesday.
- Crackdown on mobile phone theft, 9 February 2004
  Mobile operators and handset makers are to announce a crackdown on mobile theft in a move that will render handsets stolen in one country useless in another…. Under the latest initiative led by the GSM Association, a global industry body for mobile operators, IMEI numbers will be stored on an international register that can be accessed by all global operators running networks on GSM.

Slide 11: Need for IMEI integrity
Operators
- Identifies terminals to support value added services
- Facilitates market research on user base
- Determines which terminals may be responsible for technical faults
- Identifies misuse in fraud detection systems
- Used in criminal trials
- Critical to the success of EIR
Manufacturers
- Identifies grey market terminals
- Identifies and targets terminals that may need software updates over the network
- Allows operators to recall terminals on behalf of manufacturers
- Helps introduce special functions to support terminals that may not work correctly
- Discourages theft in their production and delivery processes
Regulators
- Allows exclusion of non-approved terminals which is a license obligation in some markets
- Identifies handsets for lawful interception and criminal prosecution
Consumers
- Allows consumers stolen handset checks and upholds integrity of used handset market
- Facilitates proof of purchase for warranty purposes

Slide 12: Technical principles to secure IMEIs
- Necessary to educate operators and manufacturers on technical ways to protect IMEI
- Nine technical principles agreed to ensure and strengthen handset integrity
- Technical principles have been published for the guidance of operators and manufacturers
- Principles provide operators with technical criteria to assess IMEI security levels when purchasing handsets
- Handsets compliant with the technical requirements will emerge by end 2005

Slide 13: Technical principles
1. Uploading, downloading and storage of executable code and sensitive data
2. Protection of components’ executable code and sensitive data
3. Protection against exchange of data/software between devices
4. Protection of executable code and sensitive data from external attacks
5. Prevention of download of a previous software version
6. Detection of, and response to, unauthorised tampering
7. Software quality measures
8. Hidden menus
9. Prevention of hardware substitution

Slide 14: IMEI weakness reporting
- Process designed to facilitate reporting and correction of identified IMEI security weaknesses
- Process notifies operators and manufacturers of identified weaknesses and engages with manufacturers centrally
- Further example of accelerated cooperation with manufacturers on security levels
- Manufacturers invited to participate by signing participation agreement and non-disclosure agreements
- Supported by World’s leading manufacturers
- Scheme launched in June 2004 and operators could submit reports

Slide 15: Reporting Process
(flow chart; boxes numbered 1 to 6 on the slide)
- Report of IMEI compromise submitted to GSMA by operator
- Report logged and initial assessment carried out by GSMA
- Report passed to manufacturer for acknowledgement & response within 42 days
- Manufacturer reports on findings & indicates when secure product will be shipped
- Subsequent resolution will result in withdrawal of notification
- Failure to respond/rectify results in notification to GSMA members
- Operators informed via InfoCentre

Slide 16: Motivation for Development of Outsourced Service
Problem
- IMEI is fundamental enabler for value-add services
- IMEI security is indicative of overall level of handset security
- Security levels provided to date are insufficient
- Security breaches and weaknesses are not reported and are unresolved
- Operators are ill equipped to identify and report problems
Proposed Solution
- Establish an outsourced service where GSMA will be provided with IMEI security reports for distribution to GSMA members and manufacturers
Overall Objective
- Improve handset security levels by having faults corrected
- Ensure lessons learned from hacks feed into future design

Slide 17: Timeline
- Nov 07 – EMC approved TG1
- Dec 07 – Funding requirements submitted in GSMA 2008-09 Business Plan
- Jan 08 – Contractual arrangements and commercial terms agreed
- Feb 08 – Funding availability confirmed following budget approval
- Mar 08 – Contracts signed with Phonesec and launch announced
- Apr 08 – Service launched

Slide 18: Service Components
- Detection of security compromise claims
  – Proactive identification of claims from public and non-public sources
  – List of devices submitted to GSMA on monthly basis
  – IMEI security and SIM lock
- Validation of security compromise claims
  – Selected handsets notified to Phonesec and the hacking tool is obtained
  – Tests conducted on the device to change the IMEI
  – Detailed report submitted to GSMA for provision to device manufacturer
- Evaluation of corrective measures
  – Manufacturers propose solutions within 42 days and details are provided to GSMA
  – GSMA requests a corrected handset and Phonesec checks effectiveness of countermeasures

Slide 19: Handset Security Steering Group
- Ensure IMEI Security are provided in accordance with contract and budget
- Maintain documentation and identify and deliver ongoing improvements
- Review list of handsets submitted on a monthly basis and select models for validation
- Review and analyse IMEI security statistics supplied by the service provider
- Promote and communicate the importance of enhanced IMEI security levels to all stakeholders

Slide 20: Observations to date
- Service provided by Phonesec
  – 17 monthly reports received to date
  – 338 compromised devices reported
  – 78% attributable to 2 manufacturers
  – 6 new manufacturers signed up to reporting process this year
  – Only HTC and Research in Motion have refused to participate
- 32 validations requested to date
  – 22 resolved
  – 21 countermeasures proposed
  – 10 in progress
  – No countermeasures evaluated due to budget restrictions
- Security levels increasing
- 2008/09 saw 17% fewer compromised devices than previous year
- Most recent quarter shows 51% decrease on the same period 1 year earlier

Slide 21: Thank you for your attention
Any questions?
James Moran
GSMA Association
