Security Cellphones The Almighty Buck

Investigators Replicate Nokia 1100 Banking Hack 181

Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."
This discussion has been archived. No new comments can be posted.

  • It may be illegal.. (Score:4, Interesting)

    by Anonymous Coward on Thursday May 21, 2009 @03:35PM (#28044517)
    It may be illegal, but the hackers deserve some credit for being able to figure this out.
  • Interesting (Score:2, Interesting)

    by Lord Kestrel ( 91395 ) on Thursday May 21, 2009 @03:35PM (#28044523)

    The fun little loopholes people find are always interesting to see. I'm guessing it won't take long for these phones to be outlawed in the EU though.

  • Hardware hack? (Score:5, Interesting)

    by Anonymous Coward on Thursday May 21, 2009 @03:38PM (#28044577)

    "The modified firmware is then uploaded to the Nokia 1100. Certain models of the 1100 used erasable ROM, which allows data to be read and written to the chip, Becker said."

    If that's the case, how hard would it be to desolder a non-flashable ROM and replace it with one that is? It would certainly be more hassle than buying a phone already built that way, but with the right tools and enough effort, why wouldn't any phone be susceptible to this type of attack?

  • by kidde_valind ( 1060754 ) on Thursday May 21, 2009 @03:38PM (#28044579)
    It's nice to see an example of correct use of "hacker" by the mainstream media, even if it's just by chance
  • by OeLeWaPpErKe ( 412765 ) on Thursday May 21, 2009 @03:41PM (#28044637) Homepage

    Even now, clearly, the over-the-air GSM protocol allows for this hack. Perhaps 1100 phones will be in short supply, but clearly the protocol itself is vulnerable.

    If they found the 1100 flaw, how hard could it be to duplicate the flaw in something like an 800 MHz tuner + FPGA?

  • i doubt it (Score:3, Interesting)

    by wjh31 ( 1372867 ) on Thursday May 21, 2009 @03:44PM (#28044699) Homepage
    They are actually very widespread; I see that model all over the place. Not everyone wants a top-of-the-range phone, some just want to make calls and use texts. This is one of the few dirt cheap phones available.
  • by admiralfrijole ( 712311 ) on Thursday May 21, 2009 @03:45PM (#28044713) Homepage
    from tfa: That application allows a hacker to decrypt the Nokia 1100's firmware, Becker said. Then, the firmware can be modified and information such as the IMEI (International Mobile Equipment Identity) number can be changed as well as the IMSI (International Mobile Subscriber Identity) number, which allows a phone to register itself with an operator.

    Uh... this ability is hardly unique to this device, I have a feeling there's something else they're not telling us.
  • by sygin ( 659338 ) on Thursday May 21, 2009 @03:50PM (#28044797)
  • Re:Hardware hack? (Score:1, Interesting)

    by Anonymous Coward on Thursday May 21, 2009 @03:53PM (#28044833)

    You're assuming that each IC is independent; most times custom ICs are ordered for production runs to prevent exactly the kind of hack that you propose.

    That, and all the chips are Ball Grid Array contacts. Ever tried to replace one? Without a good workstation it's damn near impossible.

  • by Pinky's Brain ( 1158667 ) on Thursday May 21, 2009 @03:58PM (#28044915)

    They are probably eavesdropping only, if complete SIM cloning without physical access was possible with just a modified phone that would be much bigger news than this.

  • by K. S. Kyosuke ( 729550 ) on Thursday May 21, 2009 @03:59PM (#28044937)
    If I am not mistaken, you already can buy [wikipedia.org] and run something like that [sourceforge.net].
  • This is not possible (Score:1, Interesting)

    by Anonymous Coward on Thursday May 21, 2009 @04:02PM (#28044967)

    I asked myself a few questions after reading this, as I am kinda familiar with baseband (phone modem) firmwares and mobile network security.

    Why are 1100s sold that expensive? You can do the same with the iPhone baseband pretty easily, same goes for BlackBerry and nearly any available HTC; there are even tools for that any moron can use.

    Why change IMSI? IMSI is taken from the SIM card usually.

    Also cloning SIM cards is not that trivial; this works only for old SIMs, so the criminal needs to obtain the SIM from the victim to clone it, and the process of brute forcing old SIM cards to clone them usually breaks the original (I've done that myself).

    So where is the trick and why should this be interesting for a criminal? I don't get the whole story reported. The stuff needed to do this trick, including the victim's SIM card, is that hard to get; it's easier for a criminal to steal a TAN block from the victim's desk.

  • by Viraptor ( 898832 ) on Thursday May 21, 2009 @04:04PM (#28045009) Homepage

    Agreed - the explanation seems weird. I'm not sure about the Nokia patching scene, but most of the Siemens *45, *55, *65 phones could be completely reprogrammed and were well understood. SL45 was one of the best examples - its annotated assembler firmware was so nice to work with that people simply wrote binary patches in assembler, or used a C compiler + binary patched some jump addresses. There were complete design notes circulating on P2P networks. I'm not sure what can be so specific to the Nokia 1100 that they don't want to reprogram any other device.

    Even better - if they're good enough to reprogram Nokia to interact directly with SIM and GSM module, why won't they just buy GSM modules themselves and clone some random SIM cards? It's not like GSM transmitters are some controlled goods available only to Nokia et al. If you can afford 100 of them, they should be quite easy to obtain.

    So yeah - it seems there's something more going on here. Or they're just some script kiddies who bought a "hacking technique" from someone more advanced and now they can only replicate the issue on that one device.

  • by broomer ( 209132 ) on Thursday May 21, 2009 @04:12PM (#28045113)

    1. physical access to SIM-card to get the IMSI
    2. info on bank account / phone number
    3. hacking in PC/internet connection to determine if/when the code is used.
    4. raise no suspicion when a code is sent and not received by the original recipient, and recipient is not able to call/being called or send/receive text because the original phone will be blocked until it is paired again with the GSM-system (power cycled)
    5. you need to have a bank that does have this system. (mine does not)

    so not as viable as it looks.

  • by YesIAmAScript ( 886271 ) on Thursday May 21, 2009 @04:28PM (#28045287)

    But isn't that actually the tough part? That's the whole key to GSM.

    Cloning a SIM is supposed to be non-trivial and should be nigh-impossible if you cannot get physical access to the person's SIM. I know there was an issue where the secret keys in the SIMs weren't random enough, but that's a long time ago now, newer SIMs are not subject to that problem.

    As to the thing about erasable ROM, I thought something like the iPhone 1G had been completely pwned and should be as subject to an IMEI cloning hack as any of these phones.

  • by Reality Master 201 ( 578873 ) on Thursday May 21, 2009 @04:33PM (#28045363) Journal

    1. physical access to SIM-card to get the IMSI

    Not necessarily - phones transmit the IMSI to the network, and there are known flaws in the encryption scheme GSM uses (and some carriers don't use encryption, though it's not very common, AFAIK). It's plausible that those two would get you the IMSI.

  • Re:Interesting (Score:4, Interesting)

    by ppanon ( 16583 ) on Thursday May 21, 2009 @06:17PM (#28046667) Homepage Journal

    According to the other posts earlier in this thread, the critical thing about this phone is that the firmware is a flashable ROM that can be easily reprogrammed. So the critical thing is that you can easily get this phone to lie, about the phone account used, and about anything else that would be transmitted over the standard GSM protocols. So the GP is correct: locking out the phone type - assuming it was possible, wouldn't do any good because the phone could be reprogrammed to impersonate something else.

    It is extremely unlikely that the existing cell tower/receiver infrastructure could be used to determine that a phone is an 1100 impersonating some other model (or even upgraded to do so). It would be better to spend the development costs on revamping GSM to use a secure handshake protocol with large asymmetric key sizes and non-removable private keys, and securing OOB control channels with AES. Good luck getting police forces and spook agencies to roll over for that one though.

  • by Animaether ( 411575 ) on Thursday May 21, 2009 @06:55PM (#28047133) Journal

    The ING Bank, formerly Postbank, in The Netherlands does a TAN over phone, for one, but only optionally*; you have to sign up for it.

    It's actually reasonably secure. You need to log in with username/password first, then you have to set up the transaction, then you have to wait for the TAN by phone, and then enter that. It's quite nice when, say, abroad and you do need to do some banking while abroad. If you're away for a month or more, you might have rent to pay, for example; not everybody accepts 2 months' rent, or allow you to pay upon your return.
    Odds are that you'll have your phone with you - so why lug around another (USB) device, a card, etc. Worse yet, who says you can actually plug a USB device into the internet cafe you happen to be at?

    Combine that convenience with the odds that somebody 1. has your username/password and 2. has a copy of your phone in terms of what would be needed to pull this off, are so tiny that - as per other replies - I think there's something more going on here than just duping the network and getting the TANs intended for another person, somehow; it would be far -more- likely a burglar took your actual phone and found your username/password written down on it or something.

    The networks don't just authenticate the phones here, they will simply -not- allow a second copy of an IMEI on the networks. If that happens, they -will- investigate, triangulate, and send in the forces to find out wtf happened that they got a duplicate IMEI. Obviously that may be different outside of the nl-be region (i.e. I'm not even sure how they handle it in Germany; but it was my understanding that practically all networks only allow a single ID and red flags get raised when a duplicate pops up)

    * That said, I don't use it. My phone could die, and I would be f'n stuck until I got a new phone to drop the SIM in. Worse yet, I could lose my phone - which is always a possibility for any goods you take with you everywhere, all the time.

    I just work with the long list of TAN numbers printed out on a sheet of paper** The bank asks me for the TAN number corresponding to a given index, I type it in, transaction completed. The only way for that to be intercepted is for it to be done so somewhere along the snailmail line, and any tampering with the envelope/etc. would be glaringly obvious.
    Yes, that paper can be stolen (which would be noticeable) or even copied, and -if- they then have my login information as well, I'm still screwed. But at least there's no possibility of some manner of 'eavesdropping', short of a high powered telescope aimed at my window from an undisclosed location, and I can't easily 'lose' it as I might a phone, as I'm not carrying that list with me all the time. Slight sacrifice of convenience, but I'll live.

    ** Ideally they would send two pages, one with the indices randomized, one with the TAN numbers, that could then be kept in separate locations and simply overlaid to find the TAN corresponding to an index, but this can be done manually if one were just shy of a tinfoil hat.

    =====

    I have yet to be convinced by anybody that one of those 'calculators' / USB devices + a card + lord knows what else is actually more secure without being glaringly less convenient, than what I'm working with now. But maybe I haven't heard the right arguments yet.
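Several posts above turn on the network-side check that a subscriber or handset identity must not show up twice at once. The following is an added example, not code from the thread, from Nokia, or from any operator: it runs a duplicate-identity check over a handful of constructed location-update log lines (the line format, the cell ids and the IMSI values are invented for the demo; the two well-formed IMEIs are the standard documentation examples, and the Luhn check digit is a real property of the 15-digit IMEI). It flags one IMSI attaching from two different handsets within a short window, one IMSI served from two countries within a window too short to travel, and an IMEI whose check digit does not verify, which a hand-edited firmware value may well produce.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample location-update events for the demo (not real network data).
# Each line: timestamp, IMEI of the handset, IMSI of the subscriber, serving
# cell id, and the mobile country code (MCC) of the serving network.
SAMPLE_EVENTS = """\
2009-05-21T15:30:02Z imei=356938035643809 imsi=204080000000001 cell=NL-AMS-0412 mcc=204
2009-05-21T15:33:45Z imei=356938035643800 imsi=204080000000001 cell=NL-AMS-0980 mcc=204
2009-05-21T15:35:00Z imei=490154203237518 imsi=204080000000777 cell=NL-RTM-0901 mcc=204
2009-05-21T15:41:00Z imei=490154203237518 imsi=204080000000777 cell=DE-BER-2210 mcc=262
2009-05-21T16:10:00Z imei=490154203237518 imsi=204080000000777 cell=DE-BER-2211 mcc=262
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imei=(?P<imei>\d{15}) imsi=(?P<imsi>\d{15}) "
    r"cell=(?P<cell>\S+) mcc=(?P<mcc>\d{3})$"
)


def imei_check_digit_ok(imei):
    """Luhn check over the 15-digit IMEI (last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_events(text):
    """Parse the constructed log format above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyse(events, window_seconds=600):
    """Return alerts for identities that look duplicated.

    imsi_two_handsets:      one IMSI attached from two different IMEIs
                            within the window (a second handset claiming
                            the same subscriber).
    imsi_impossible_travel: one IMSI served from two countries within the
                            window (no handset moves that fast).
    imei_bad_check_digit:   IMEI whose Luhn check digit does not verify.
    """
    alerts = []
    seen_bad_imei = set()
    by_imsi = defaultdict(list)
    for ev in events:
        if not imei_check_digit_ok(ev["imei"]) and ev["imei"] not in seen_bad_imei:
            seen_bad_imei.add(ev["imei"])
            alerts.append({"kind": "imei_bad_check_digit",
                           "imei": ev["imei"], "ts": ev["ts"]})
        by_imsi[ev["imsi"]].append(ev)

    for imsi, evs in by_imsi.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if gap > window_seconds:
                continue        # far enough apart to be ordinary movement
            if cur["imei"] != prev["imei"]:
                alerts.append({"kind": "imsi_two_handsets", "imsi": imsi,
                               "imeis": (prev["imei"], cur["imei"]), "gap_s": gap})
            if cur["mcc"] != prev["mcc"]:
                alerts.append({"kind": "imsi_impossible_travel", "imsi": imsi,
                               "mccs": (prev["mcc"], cur["mcc"]), "gap_s": gap})
    return alerts


def run_demo():
    """Run the check over the constructed sample and return its alerts."""
    return analyse(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The window is the tunable part: too short and a genuine SIM swap or a fast train across a border slips through, too long and normal roaming raises alerts. Keying on the IMSI rather than the IMEI matters because, as the thread notes, a reprogrammed handset can present whatever IMEI it likes, while the subscriber identity is the one the bank's mTAN is actually addressed to.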
