Investigators Replicate Nokia 1100 Banking Hack
Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."
Re:It may be illegal.. (Score:4, Informative)
Re:They're just reprogramming the IMEI and IMSI... (Score:4, Informative)
Re:Nokia: 1 - Apple: 0 (Score:3, Informative)
Actually, this particular model outsold the iPod. All models.
Re:A certain factory (Score:3, Informative)
Is this one particular factory in China, by some chance?
No, if you happened to read the article you'd find out it was the Bochum, Germany factory.
Re:Hardware hack? (Score:5, Informative)
It probably isn't so much just the ROM, but also the code on the phone itself, and the amount of available room in the memory to work with. The hackers probably developed their code specifically for that phone, and are counting on memory addresses being in a particular place, and all sorts of other variables that have to be considered when writing assembly code for a specific piece of hardware.
Back in the day, everyone wanted an Oki 900 because it could store between 5 and 99 ESN/MIN pairs AND swap them on the fly. In theory, you could just use G2 and reprogram a Motorola flip phone, but that required a laptop and a loader phone. So sure, you could do the same with a Motorola, but it was a lot easier to use an Oki. In the end though, the result was the same. You were able to make calls and not pay for them.
In the case of the Nokia phone, whoever developed the hack developed it for the Nokia 1100. They probably spent a lot of time reverse engineering/disassembling the original EEPROM and a lot of time hacking the code together to make it work.
Re:Nokia: 1 - Apple: 0 (Score:5, Informative)
Trying to outsell?
Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
(http://www.engadget.com/2005/09/21/nokia-crosses-one-billion-mark/)
Although something tells me that Nigeria isn't necessarily the most prominent market for Apple, since the price of an iPhone is equal to one year's salary for an average Nigerian.
Re:It may be illegal.. (Score:4, Informative)
Were I a criminal with a technical inclination, I'd be more interested in something like GNU radio, as suggested in this comment [slashdot.org]
Re:They're just reprogramming the IMEI and IMSI... (Score:3, Informative)
Knowing the general gist of how cellular protocols work, I don't think there is anything they're not telling us. It's just that most phones don't have reprogrammable IMEIs, for very obvious reasons.
Although, I didn't think GSM phones even authenticated via the IMEI normally, just via the info on the SIM, so cloning the SIM would be enough. Guess I was wrong.
CDMA phones do authenticate via the MEID or ESN (or pESN, an encoded form of the MEID, for backwards compatibility with equipment that can't handle MEIDs), meaning such an attack would be VERY effective on CDMA. And, a lot of older CDMA equipment has the ESN such that it's not too hard to reprogram with the right software.
Nokia DCT4 security (Score:5, Informative)
Re:It may be illegal.. (Score:5, Informative)
Bullshit. Not on any properly run network. Apart from the IMEI (which is written on the back of the phone) and the IMSI (which you can get with a special code from some phones) there's also the Ki. This is a secret which is buried in the SIM card and _never_ sent out to the phone. Without the physical SIM card in your phone you do not have the number.
Now, there have been flaws in this; it has been possible to clone the SIM card because of implementation flaws, but properly made new SIMs should not have most of these. The authentication algorithms used originally were weak and could leak the key, but modern SIMs should be using stronger ones (e.g. AES). However none of these were magically to do with one particular model of a phone.
Something different is going on here. E.g. a security company marketing scam, or that the mobile can work as a short range base station and do interception, or something else. Definitely not the way that it seems to be explained in the article. And definitely not that they just "changed the IMEI and the IMSI and became the other subscriber"; apart from anything else, you have no need to change the IMEI to do that.
Re:It may be illegal.. (Score:4, Informative)
"CALYPSO ASIC digital baseband: Unfortunately we cannot provide many details on the GSM chipset due to very tight NDAs. However, this is not necessarily required, since it interfaces using a standard UART serial line with the S3C2442. On that interface, GSM 07.05, GSM 07.10 and other standardized protocols are used."
Re:Nokia DCT4 security (Score:3, Informative)
Re:It may be illegal.. (Score:2, Informative)
"The NDAd documentation for the calypso, register definition [cryptome.org] (sic) and hardware definition [cryptome.org], was leaked [...]"
Maybe not so un-hackable after all...
Re:It may be illegal.. (Score:4, Informative)
In a hash function as a challenge response.
The tower sends a chunk of data, it's sent to the SIM, it's then transformed by Ki and then sent back to the tower.
The tower knows what Ki is and does the same transformation and verifies that the reply is the same.
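The challenge-response described in the last two comments (Ki never leaves the SIM; the network only ever sees a transformed random challenge), as an added illustration that is not from any poster. It is a model, not the real A3 algorithm: the keyed transform is assumed to be HMAC-SHA256 truncated to 32 bits, and the IMSI and Ki values are constructed.

```python
import hmac
import hashlib
import secrets

# Stand-in for the SIM's A3 function. The real operator algorithms
# (COMP128 variants, MILENAGE) are not modelled; this HMAC is an assumption.
def a3_response(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]   # 32-bit SRES

class Sim:
    """Holds Ki privately and only ever returns the transformed challenge."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki                      # never read out of the card
    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return a3_response(self._ki, rand)

class AuthenticationCentre:
    """Network side: knows each subscriber's Ki, keyed by IMSI."""
    def __init__(self, subscribers: dict):
        self._keys = subscribers
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)     # fresh 128-bit RAND per attempt
    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        expected = a3_response(self._keys[imsi], rand)
        return hmac.compare_digest(expected, sres)

def authenticate(auc: AuthenticationCentre, imsi: str, responder) -> bool:
    """One round: RAND goes out, SRES comes back, network compares."""
    rand = auc.challenge()
    return auc.verify(imsi, rand, responder(rand))

# Constructed sample subscriber (not a real IMSI or key).
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
IMSI = "262011234567890"
AUC = AuthenticationCentre({IMSI: KI})
GENUINE_SIM = Sim(IMSI, KI)

def genuine_sim_passes() -> bool:
    return authenticate(AUC, IMSI, GENUINE_SIM.run_gsm_algorithm)

def copied_identity_fails() -> bool:
    # A handset carrying the victim's IMSI (and IMEI) but not the SIM's Ki
    # cannot produce the right SRES; a wrong key stands in for the guess.
    wrong_ki = bytes(16)
    return not authenticate(AUC, IMSI, lambda rand: a3_response(wrong_ki, rand))
```

Because RAND is fresh each time, a captured SRES from an earlier round is also useless for a later one.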