4

You can look at this question in two ways: Prior to purchasing a used phone, I want to ensure that the IMEI is not locked and I'm able to use it fully.

Or you can be a purchaser who wants to devalue their mobile phone from theft because they are useless when transferred to another party without the original owner's consent.

Example

Windows Mobile phones have a feature called "reset protection" that essentially makes stolen phones worthless as far as I can tell.

iPhones have something similar while I was testing iOS 9's "lock phone feature" that requires the original owner to type in their iCloud password in the event a phone is remotely locked, or even remotely wiped.

Is there a summary of the depth, scope, and strength of these features by OS, and hopefully a website that allows consumers to validate a phone isn't in a locked-stolen state?

I'm interested in:

  • iOS
  • Android
  • Windows Mobile (or whatever it's called these days)
makerofthings7
  • I can't say for others, but I can say of Android that the main issue is that this kind of software solution to theft can be easily bypassed by anyone with access to Google. Especially due to the nature of Android, it is very easy for me to replace the bootloader and kernel and flash a new OS image that will make these theft solutions nearly useless for the purpose you want, because the attacker has physical access to the device... You need a "hardware brick" and not a "software brick" to truly stop a thief from using your device (i.e. you must "kill" the device at hardware level) – Freedo Oct 23 '15 at 03:32
  • 1
    Not all Android bootloaders can be replaced. – Neil Smithline Oct 23 '15 at 03:34
  • 1
    @NeilSmithline Show me one please, because so far I haven't seen any Android phone where I can't unlock the bootloader – Freedo Oct 23 '15 at 03:39
  • Motorola Droid Turbo – Neil Smithline Oct 23 '15 at 03:42
  • If you're worried that your Android device might be lost or stolen, one option is to follow the following algorithm. ❧ 1. Disable the screen-lock feature. 2. Install the free versions of Prey and Lookout. 3. If the device is stolen: Log into the Prey website. Don't click the "Lock" or "Wipe" buttons. Instead, capture photographs of the new owner, and retrieve GPS location data. Ask the police to retrieve the device, and hope that they will do so. ❧ Unfortunately, if the device is stolen, the new owner can also view and modify all your data, and may be able to also make expensive phone calls. – unforgettableidSupportsMonica Aug 22 '16 at 22:50
  • I wouldn't recommend this. Why disable the screen lock feature? That means the thief can get all your data which is far worse than the lost phone – user4951 Oct 26 '18 at 21:24

3 Answers

1

Besides bricking, you could at least prevent further use of mobile networks by blacklisting the phone (via the IMEI) with your carrier. Your carrier can then further blacklist your phone by instructing the GSM Alliance, via their IMEI Database, to do so, so that the mobile can't connect to any networks.

This, however, as sebastian nielsen already said, does not prevent the use of the phone as a "WiFi-only" device.

techraf
nulldev
0

"Bricking" is a little bit of a wrong word, because this refers to old theft locks on older phones, that really did make the phone unusable, permanently. There was no recourse for activating it, not even for the manufacturer. Then they made it so such locks could be re-enabled by the manufacturer, but only after being the original owner and showing a sales receipt, or a new owner and showing a sales receipt and a handwritten receipt. Still with lots of misuse, they made it so locking requires a valid police report, and further from this, this was what became IMEI locks today.

However, on newer phones, IMEI locks are ineffective today, since the phones can be used without GSM coverage or a SIM card, by using WiFi in a closed environment. Thus the phone could be sold by the criminal as a "WiFi-only phone" and still earn a lot of money on the stolen equipment.

There is legislation passed in the US that mandates such a feature making it possible to disable a phone, but the law also says the feature MUST be reversible for whoever did set the lock. The reason the feature must be reversible is that the feature (activation lock) should also be possible to be used by the police, to disable all phones in a specific area, or temporarily disable a suspect's phone during investigation.

The feature must also survive a bootloader replacement, so normally, the activation lock feature would also disable firmware updating, e.g., you have to disable the feature to be able to update firmware. iOS does this automatically in the background (while "verifying firmware", and then re-enables it on next boot if it was enabled). For Android activation lock, I don't know exactly how the feature handles firmware updates, but there is surely something similar there. That's why you must put in your Samsung account password to update the phone if you have activation lock enabled on a Samsung phone. On Nexus this is handled automatically like on iOS. On Windows Phone, the firmware update process only accepts signed firmware, which will require entering the username/password of the activation lock if you reset the phone; you cannot insert firmware that skips this check.

And now to your questions. The activation lock on iOS, Windows Phone and Android is designed to be cumbersome to misuse. This is because the feature is linked to the account used to set up the phone, the same account that is used to download apps. This means that the phone will be unusable to a new owner unless he immediately switches accounts, which ensures the old owner CANNOT disable the phone after it has rightfully transferred owner.

This means there's no need to write a handwritten receipt of purchase of the phone. (Old kill-switches required this to unlock the phone; the original sales receipt was not enough because that bore the name of the original owner. That's why carriers made the rules stricter and said a valid police report must be presented to disable a phone, to prevent people who sold the phone from misusing the kill-switch.)

This means that if you buy the phone in-person, you run the setup wizard while still on site. If the activation lock is enabled, it will then ask for the old username/password, and you will have to have the old owner enter them. Then the kill switch will be transferred into your position instead.

If you are purchasing the phone via the internet on eBay, you can instead use this service to check the status: https://www.icloud.com/activationlock/ (iOS) or https://account.microsoft.com/resetprotection (WP). It will allow you to check the activation lock status before purchasing the phone. If the website shows a clear status (no activation lock present), save this as evidence, because if the seller does activate the lock just prior to shipping the phone, you can do a not-as-described claim on the product, presenting evidence that the phone was not in a stolen state. A clear activation lock will allow you to factory reset the phone if the owner's account is entered in the phone. A set activation lock will require the old account details when running the setup wizard from a freshly reset phone.

For Android and Samsung, there's no way to remotely check the activation lock, so don't buy these phones over the internet. To remove an Android activation lock on the Nexus variant, delete all Google accounts in the account manager. Then do a hardware reset on the phone. Removing a Samsung activation lock is as easy as going into the security menu and disabling the activation lock; you will be asked for the Samsung password. After that, the phone can be hardware reset to allow the phone to be freshly set up again. Both these must be done in-person with the old owner present.


So really, those kill switches will work two-fold:

1: It locks the current software. This requires a remote command to unlock on most models, knowing a password or PIN is not enough.

2: It prevents reactivation of NEW software on the phone, if you don't have the username/password for the account that the activation lock was set up with.

sebastian nielsen
0

One example is Apple iOS with iCloud Lock. You have to set up your iPhone with iCloud and FindMyiPhone ahead of time, but if it is lost and beyond recovery you are able to lock and erase the device. Afterwards it will prompt the thief for your iCloud credentials (it will not show the full email address, making the attack harder).

The iPhone will stay bricked until they somehow guess your iCloud Email and Password. Using a strong iCloud Password will reduce the effectiveness of such an attack. Apple is strict on privacy and security and iCloud Lock is one of the major features on Apple's flagship products such as the iPhone.

Other smartphones such as Androids and Windows Phones have similar services that replicate iCloud Lock.

In addition, if you have a stolen phone you should contact your carrier so your carrier is able to add your phone's IMEI to the blacklist. This will tell various cell phone carriers to not provide service to the stolen device.

Using these services will make the phone a less attractive item for theft (since it will be useless as a phone).