Investigators Replicate Nokia 1100 Banking Hack

Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."
  • by cbrocious ( 764766 ) on Thursday May 21, 2009 @03:54PM (#28044853) Homepage
    You don't even need to go the FPGA route. The baseband firmware on the iPhone has been patched for unlocking; there's nothing stopping someone from patching it to change the IMEI built into the phone or the IMSI it "reads" from the SIM. Change these and the phone can become any other.
  • by internerdj ( 1319281 ) on Thursday May 21, 2009 @03:58PM (#28044919)
    It was probably just set up so that it was easy to do compared to other phones. When I worked for LG's Cell division there was a hidden password protected menu on some models for changing any of the firmware settings, finding the menu would have been next to impossible but the default password was something similar to 8 0's. While this sounds a bit more complex my guess would be they did something stupid with the flash updater like not put any protections on the firmware downloads.
  • by kovari ( 34550 ) on Thursday May 21, 2009 @04:02PM (#28044971)

    Actually, this particular model outsold the iPod. All models.

  • Re:A certain factory (Score:3, Informative)

    by Acer500 ( 846698 ) on Thursday May 21, 2009 @04:03PM (#28045003) Journal

    Is this one particular factory in China, by some chance?

    No, if you happened to read the article you'd find out it was the Bochum, Germany factory.

  • Re:Hardware hack? (Score:5, Informative)

    by dave562 ( 969951 ) on Thursday May 21, 2009 @04:04PM (#28045007) Journal

    It probably isn't so much just the ROM, but also the code on the phone itself, and the amount of available room in the memory to work with. The hackers probably developed their code specifically for that phone, and are counting on memory addresses being in a particular place, and all sorts of other variables that have to be considered when writing assembly code for a specific piece of hardware.

    Back in the day, everyone wanted an Oki 900 because it could store between 5 and 99 ESN/MIN pairs AND swap them on the fly. In theory, you could just use G2 and reprogram a Motorola flip phone, but that required a laptop and a loader phone. So sure, you could do the same with a Motorola, but it was a lot easier to use an Oki. In the end though, the result was the same. You were able to make calls and not pay for them.

    In the case of the Nokia phone, whoever developed the hack developed it for the Nokia 1100. They probably spent a lot of time reverse engineering/disassembling the original EEPROM and a lot of time hacking the code together to make it work.

  • by Keruo ( 771880 ) on Thursday May 21, 2009 @04:09PM (#28045085)

    Trying to outsell?

    Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
    (http://www.engadget.com/2005/09/21/nokia-crosses-one-billion-mark/)

    Although something tells me that Nigeria isn't necessarily the most prominent market for Apple, since the price of an iPhone is equal to one year's salary for an average Nigerian.

  • by fuzzyfuzzyfungus ( 1223518 ) on Thursday May 21, 2009 @04:12PM (#28045123) Journal
    I'm fairly sure that the OpenMoko only achieves that level of firmware openness by integrating a separate GSM module, with which it communicates via standard AT commands. Just as, back in the bad old days of dialup, modems were closed source; and you could either get a winmodem, or a modem with a proper processor of its own.

    Were I a criminal with a technical inclination, I'd be more interested in something like GNU radio, as suggested in this comment [slashdot.org]
  • Knowing the general gist of how cellular protocols work, I don't think there is anything they're not telling us. It's just that most phones don't have reprogrammable IMEIs, for very obvious reasons.

    Although, I didn't think GSM phones even authenticated via the IMEI normally, just via the info on the SIM, so cloning the SIM would be enough. Guess I was wrong.

    CDMA phones do authenticate via the MEID or ESN (or pESN, an encoded form of the MEID, for backwards compatibility with equipment that can't handle MEIDs), meaning such an attack would be VERY effective on CDMA. And, a lot of older CDMA equipment has the ESN such that it's not too hard to reprogram with the right software.

  • Nokia DCT4 security (Score:5, Informative)

    by Mulder3 ( 867389 ) on Thursday May 21, 2009 @04:52PM (#28045585)
    This article is plain stupid. The Nokia 1110 has nothing that other phones in the same Nokia DCT4 family don't have. While DCT4 firmwares can be decrypted, Nokia DCT3 phones (Nokia 3310, etc.) are much better suited for this job, given that an open source (GPL) firmware in C already exists for these devices... And about SIM cloning: YOU CAN'T clone a GSM SIM card in seconds!!!! The most advanced software for cloning SIM cards (SimScan - http://users.net.yu/~dejan/) still has to do some brute force to extract the Ki key, which is designed to never leave the card. While we can extract the IMSI with no problems, to clone a SIM card you need two values: IMSI and Ki, and without Ki, the IMSI is worthless...
  • by rtfa-troll ( 1340807 ) on Thursday May 21, 2009 @05:18PM (#28045893)

    Bullshit. Not on any properly run network. Apart from the IMEI (which is written on the back of the phone) and the IMSI (which you can get with a special code from some phones) there's also the Ki. This is a secret which is buried in the SIM card and _never_ sent out to the phone. Without the physical SIM card in your phone you do not have the number.

    Now, there have been flaws in this; it has been possible to clone the SIM card because of implementation flaws, but properly made new SIMs should not have most of these. The authentication algorithms used originally were weak and could leak the key, but modern SIMs should be using stronger ones (e.g. AES). However, none of these were magically to do with one particular model of phone.

    Something different is going on here. E.g. a security company marketing scam or that the mobile can work as a short range base station and do interception or something else. Definitely not the way that it seems to be explained in the article. And definitely not that the just "changed the IMEI and the IMSI and became the other subscriber"; apart from anything else, you have no need to change the IMEI to do that.

  • by fuzzyfuzzyfungus ( 1223518 ) on Thursday May 21, 2009 @05:21PM (#28045953) Journal
    Evidence for above claim:

    "CALYPSO ASIC digital baseband. Unfortunately we cannot provide many details on the GSM chipset due to very tight NDAs. However, this is not necessarily required, since it interfaces using a standard UART serial line with the S3C2442. On that interface, GSM 07.05, GSM 07.10 and other standardized protocols are used."
  • by citizenr ( 871508 ) on Thursday May 21, 2009 @05:41PM (#28046215) Homepage
    Plus you can't extract Ki from new cards, and when I write new I mean the last >5 years. No one is using Comp128v1 anymore.
  • by olden ( 772043 ) on Thursday May 21, 2009 @08:43PM (#28048093)
    Why hide the source of the above quote [openmoko.org]? Oh yes, because the next paragraph reads:

    "The NDAd documentation for the calypso, register definition [cryptome.org] (sic) and hardware definition [cryptome.org], was leaked [...]"

    Maybe not so un-hackable after all...

  • by cheater512 ( 783349 ) <nick@nickstallman.net> on Thursday May 21, 2009 @11:06PM (#28049059) Homepage

    In a hash function as a challenge response.

    The tower sends a chunk of data, its sent to the SIM, its then transformed by Ki and then sent back to the tower.
    The tower knows what Ki is and does the same transformation and verifies that the reply is the same.
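
The challenge-response that cheater512 sketches above, and the point Mulder3 and rtfa-troll make about the IMSI being readable while Ki never leaves the card, as an added example that is not code from the thread, from Nokia, or from any SIM or network vendor. The real A3/A8 algorithms (COMP128 variants, MILENAGE) are replaced by an HMAC-SHA256 stand-in with the same input and output sizes (128-bit RAND, 32-bit SRES, 64-bit Kc); the class names, the sample IMSI and the sample Ki are all constructed for the illustration.

```python
"""
Simulation of GSM SIM authentication: the network issues a random
challenge, the SIM answers with a value derived from Ki, and only a
party holding the same Ki can produce that answer.  Assumption: A3/A8
are modelled with HMAC-SHA256 rather than COMP128 or MILENAGE.
"""
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 (assumption: HMAC-SHA256, not COMP128).
    Returns (SRES, Kc): a 32-bit response and a 64-bit cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SimCard:
    """Hypothetical SIM: the IMSI is readable, Ki is never exported."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki  # the handset only ever sees SRES and Kc

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class HomeRegister:
    """Hypothetical network side: maps IMSI -> Ki, issues RAND, checks SRES."""

    def __init__(self):
        self._subscribers: dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._subscribers[imsi] = ki

    def challenge(self) -> bytes:
        return os.urandom(16)  # 128-bit RAND

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self._subscribers.get(imsi)
        if ki is None:
            return False  # unknown subscriber
        expected, _kc = a3_a8(ki, rand)
        return hmac.compare_digest(expected, sres)


def authenticate(hlr: HomeRegister, sim: SimCard) -> bool:
    """One full exchange: handset presents IMSI, receives RAND, returns SRES."""
    rand = hlr.challenge()
    sres, _kc = sim.run_gsm_algorithm(rand)
    return hlr.verify(sim.imsi, rand, sres)


def demo() -> dict[str, bool]:
    """Genuine SIM, IMSI-only copy, and full (IMSI + Ki) clone against one HLR."""
    hlr = HomeRegister()
    victim_imsi = "262011234567890"  # constructed sample IMSI
    victim_ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    hlr.provision(victim_imsi, victim_ki)

    genuine = SimCard(victim_imsi, victim_ki)
    # Attacker has copied the readable IMSI but can only guess Ki.
    imsi_only_clone = SimCard(victim_imsi, os.urandom(16))
    # Attacker who extracted Ki (e.g. by attacking a weak A3 such as COMP128v1)
    # holds a full clone and is indistinguishable from the genuine card.
    full_clone = SimCard(victim_imsi, victim_ki)

    return {
        "genuine": authenticate(hlr, genuine),
        "imsi_only_clone": authenticate(hlr, imsi_only_clone),
        "full_clone": authenticate(hlr, full_clone),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} -> {'authenticated' if ok else 'rejected'}")
```

The IMSI-only copy is rejected because the network checks a fresh RAND each time, so replaying an earlier SRES does not help either; the SMS carrying an mTAN is only delivered to a handset that has passed this step. The full clone succeeds, which is why the threads's argument turns on whether Ki can be pulled out of the card at all.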
