Investigators Replicate Nokia 1100 Banking Hack
Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."
It may be illegal.. (Score:4, Interesting)
Re: (Score:3, Interesting)
Even now clearly the over-the-air gsm protocol allows for this hack. Perhaps 1100 phones will be in short supply, but clearly the protocol itself is vulnerable.
If they found the 1100 flaw, how hard could it be to duplicate the flaw in something like an 800 MHz tuner + FPGA?
Re:It may be illegal.. (Score:4, Informative)
Re:It may be illegal.. (Score:5, Informative)
Bullshit. Not on any properly run network. Apart from the IMEI (which is written on the back of the phone) and the IMSI (which you can get with a special code from some phones) there's also the Ki. This is a secret which is buried in the SIM card and _never_ sent out to the phone. Without the physical SIM card in your phone you do not have the number.
Now, there have been flaws in this; it has been possible to clone the SIM card because of implementation flaws, but properly made new SIMs should not have most of these. The authentication algorithms used originally were weak and could leak the key, but modern SIMs should be using stronger ones (e.g. AES). However, none of these were magically to do with one particular model of phone.
Something different is going on here. E.g. a security company marketing scam, or that the mobile can work as a short-range base station and do interception, or something else. Definitely not the way that it seems to be explained in the article. And definitely not that they just "changed the IMEI and the IMSI and became the other subscriber"; apart from anything else, you have no need to change the IMEI to do that.
Re: (Score:2)
If it is never sent to the phone, then how is it used?
Re:It may be illegal.. (Score:4, Informative)
In a hash function as a challenge response.
The tower sends a chunk of data; it's sent to the SIM, it's then transformed by Ki and then sent back to the tower.
The tower knows what Ki is and does the same transformation and verifies that the reply is the same.
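The challenge-response exchange described in the comment above, as an added illustration that is not part of the original thread. The real SIM algorithm (A3/A8, or the AES-based MILENAGE on newer cards) is replaced by HMAC-SHA256 truncated to 32 bits so the model runs with the Python standard library only; the class names, the sample IMSIs and the key bytes are constructed for the example. What it shows is the structural point the comment makes: a handset only relays the challenge, and a handset that reports someone else's IMEI and IMSI but does not hold that subscriber's Ki cannot produce a response the network will accept.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def toy_a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's authentication algorithm (A3 / MILENAGE).
    Assumption for this example: HMAC-SHA256 cut to 32 bits, the size of a real SRES."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Sim:
    """Subscriber identity module: holds the IMSI and the secret Ki.
    Ki is never returned; only the response to a challenge leaves the card."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return toy_a3(self._ki, rand)


class AuthenticationCentre:
    """Operator side (HLR/AuC): the only other holder of each subscriber's Ki."""

    def __init__(self):
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # 128-bit RAND, fresh for every attempt

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return False  # unknown subscriber
        expected = toy_a3(ki, rand)
        return hmac.compare_digest(expected, sres)


class Handset:
    """The phone: a transceiver that reports an IMEI and forwards the network's
    challenge to whatever SIM is inserted. It never sees Ki."""

    def __init__(self, imei: str, sim: Optional[Sim]):
        self.imei = imei
        self.sim = sim

    def attach(self, auc: AuthenticationCentre, claimed_imsi: Optional[str] = None) -> bool:
        """Register as claimed_imsi (default: the inserted SIM's own IMSI).
        Returns True only if the network accepts the SRES."""
        rand = auc.new_challenge()
        if self.sim is None:
            return False  # nothing on the handset can answer the challenge
        sres = self.sim.run_gsm_algorithm(rand)
        return auc.verify(claimed_imsi or self.sim.imsi, rand, sres)


# Constructed sample subscribers: not real IMSIs, IMEIs or keys.
VICTIM_IMSI = "262010000000001"
VICTIM_KI = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_IMSI = "262010000000002"
OTHER_KI = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def build_network() -> AuthenticationCentre:
    auc = AuthenticationCentre()
    auc.provision(VICTIM_IMSI, VICTIM_KI)
    auc.provision(OTHER_IMSI, OTHER_KI)
    return auc


def legitimate_attach() -> bool:
    """The subscriber's own SIM in any handset: accepted."""
    auc = build_network()
    phone = Handset(imei="350000000000001", sim=Sim(VICTIM_IMSI, VICTIM_KI))
    return phone.attach(auc)


def identity_only_attach() -> bool:
    """A handset reporting the first subscriber's IMEI and claiming that IMSI,
    but holding a different SIM (so a different Ki): rejected, because the
    SRES it sends back was computed under the wrong key."""
    auc = build_network()
    phone = Handset(imei="350000000000001", sim=Sim(OTHER_IMSI, OTHER_KI))
    return phone.attach(auc, claimed_imsi=VICTIM_IMSI)


if __name__ == "__main__":
    print("own SIM accepted:", legitimate_attach())                    # True
    print("claimed IMSI without Ki accepted:", identity_only_attach())  # False
```

The point of keeping `Handset` separate from `Sim` is that nothing a phone can be reprogrammed to report (IMEI, IMSI) enters the computation of the response; only Ki and the fresh RAND do, and Ki exists in exactly two places.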
Re:It may be illegal.. (Score:5, Interesting)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
Oh jeebus. Go to SparkFun and buy a GSM module and have full access. A couple of the popular GSM modules have been cracked and are wide open.
You don't need a phone to hack this stuff. Plus, SMS is sent in the open; you can easily start grabbing the SMS stream if you have the right equipment. All of which can be bought readily on eBay.
Re:It may be illegal.. (Score:4, Informative)
Were I a criminal with a technical inclination, I'd be more interested in something like GNU radio, as suggested in this comment [slashdot.org]
Re:It may be illegal.. (Score:4, Informative)
"CALYPSO ASIC digital baseband. Unfortunately we cannot provide many details on the GSM chipset due to very tight NDAs. However, this is not necessarily required, since it interfaces using a standard UART serial line with the S3C2442. On that interface, GSM 07.05, GSM 07.10 and other standardized protocols are used."
Re: (Score:2, Informative)
"The NDAd documentation for the calypso, register definition [cryptome.org] (sic) and hardware definition [cryptome.org], was leaked [...]"
Maybe not so un-hackable after all...
Re:It may be illegal.. (Score:5, Funny)
Re:It may be illegal.. (Score:5, Funny)
That's debit, silly.
Re: (Score:3)
That's debit, silly.
Not from the victim's point of view...
Re: (Score:2)
And if this flaw exists in those phones it also means that there may be other phones with a similar flaw.
And don't forget that the smartphones that are around can be subject to hacks that do the same thing.
Don't ever think that the operating systems on smartphones are safer than the operating system you run on your PC.
Re:It may be illegal.. (Score:4, Insightful)
It's not the phone.
A phone is nothing but a transceiver.
It's the system we have for identifying phones, and the practice of letting people bank over it (or sending authentication pins for pc banking to phones).
Using a phone number as a method of authentication is inherently flawed. The practice will continue, however, because the plebes want easy more than they want secure. After all, it'll never happen to them.
Re:It may be illegal.. (Score:4, Funny)
Re: (Score:3, Insightful)
Cell phones don't use the phone number as a method of authentication. Cell phone users use the phone number as a method of identification (when they place a call or send a message to the number).
The network "looks for" the identified phone so it can deliver the message. Rather, the network looks for a phone that has authenticated as a match for the phone number.
The process by which the phone authenticates may well be flawed, but this has nothing to do with the end-user simplicity of "phone numbers"; the p
The other side of the coin (Score:2)
Wow, what you describe is exactly the 'other side of the coin' from the security theater that is... well... security nowadays.
In most other fields, people are forced to (or even choosing to) inconvenience the hell out of themselves in the name of some extremely minor (or only just perceived) increase in their security.
I applaud the fact that after hearing this, companies didn't immediately slam the door shut on banking over the phone. Personally, I'd FAR rather be able to check my bank account by phone whe
Re: (Score:2)
You get captchas when logged in?
Re: (Score:2)
Those security questions are a pretty stupid idea. I always enter random information, but then I tend to forget what I put in...
I had a friend who was getting very annoyed that her brother kept breaking into her hotmail account... It turns out that the security question was the old "mothers maiden name" one, to which she had answered honestly, and to which her brother obviously knew the answer.
Re: (Score:2)
I hate when I'm forced to use those.
So stupid.
I usually just pq3985y4qp49tgw[4tefih2g them.
Also: http://www.penny-arcade.com/comic/2006/7/12/a-wider-perspective-on-flavor/ [penny-arcade.com]
Re: (Score:2)
Apparently they've been selling for a lot of money, far more than they should be worth... You're in luck and might be able to make a decent profit.
Interesting (Score:2, Interesting)
The fun little loopholes people find are always interesting to see. I'm guessing it won't take long for these phones to be outlawed in the EU though.
i doubt it (Score:3, Interesting)
Re: (Score:3, Insightful)
Re: (Score:2)
I'm fairly sure that 'hackers wanting a phone for its ability to easily be hacked for online banking' are not actually giving you 25,000 of their own euro.
That may or may not be the case. You're assuming that they have already committed a crime, but unless you can point out exactly *which* crime they committed (eg, time, victim, place) the money could just as well be legitimate as not, and there's this thing about "innocent until proven guilty" that would make the money more legitimate than not.
After all, if they already had a phone to do this, why would they need to buy one from you?
Re:i doubt it (Score:4, Insightful)
A reasonable person, in the eyes of the law, would not believe if I came up to them at an outdoor cafe and said "Want a 55" LED TV for $300? Meet me in the parking lot in 5 minutes" that they were buying anything other than illegally obtained or acquired property.
A reasonable person selling his Nokia 1100 (currently settling in the market for around $70) would assume that if they got, say an offer of $150, that the buyer might be an aficionado of old school cellular technology.
A reasonable person selling his Nokia 1100 would not "ask no questions" about a bidding war on their phone which saw it run into the five digit territory. A reasonable person would also have doubts about such money, and the motivations of a buyer. Whilst under no obligation to investigate either, a reasonable person, in the eyes of the law, would have "concerns" about whether the payment they were about to receive was the proceeds of a crime, or similar.
Re:Interesting (Score:5, Insightful)
I'm guessing it won't take long for these phones to be outlawed in the EU though.
Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.
Re: (Score:2)
It works so fantastically well for drugs, guns and pirated music/movies.
Hasn't stopped people from trying though, has it?
Re: (Score:2)
That's kind of my point. It'll be illegal for normal users to have them, but the criminals will keep doing what they always do, ignore the law. People who have one because it's old and they can't afford a new one, or like a limited feature-set or whatever would be screwed by the law, but the criminals who are already breaking the law would continue to do so.
Re: (Score:2)
A little bit different here though. The device in question requires a service in order to work. If all the carriers discontinued service to these models they would render them useless. You could find them anywhere you wanted, but without a way to connect, it is just another paper weight. Almost like in the Matrix when Agent Smith tells Neo "What good i
Re:Interesting (Score:4, Insightful)
If all the carriers discontinued service to these models they would render them useless.
I wasn't aware that the model of the phone was part of the GSM protocol. Even if it was, if you can program the phone to lie about the IMEI or IMSI, then you can program the phone to lie about the phone model to the provider.
Re: (Score:2)
Maybe, maybe not. It is a particular model made in a particular factory. Changing the model may break the hack since the provider may talk to the device differently since it now thinks it is a different handset. There is something very specific about the phones in question and reprogr
Re:Interesting (Score:4, Interesting)
According to the other posts earlier in this thread, the critical thing about this phone is that the firmware is a flashable ROM that can be easily reprogrammed. So the critical thing is that you can easily get this phone to lie, about the phone account used, and about anything else that would be transmitted over the standard GSM protocols. So the GP is correct: locking out the phone type - assuming it was possible, wouldn't do any good because the phone could be reprogrammed to impersonate something else.
It is extremely unlikely that the existing cell tower/receiver infrastructure could be used to determine that a phone is an 1100 impersonating some other model (or even upgraded to do so). It would be better to spend the development costs on revamping GSM to use a secure handshake protocol with large asymmetric key sizes and non-removable private keys, and securing OOB control channels with AES. Good luck getting police forces and spook agencies to roll over for that one though.
Re: (Score:2)
Re:Interesting (Score:5, Funny)
I'm guessing it won't take long for these phones to be outlawed in the EU though.
Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.
Don't forget hookers. I think it's illegal to mention drugs and guns without mentioning hookers. And just to be safe, let's mention blackjack.
Damn... (Score:4, Funny)
I think I had one of those & gave it to my 4 yr old nephew to play with / destroy it.
Re:Damn... (Score:5, Funny)
You've turned him to a life of crime!!
Re: (Score:2)
Hardware hack? (Score:5, Interesting)
"The modified firmware is then uploaded to the Nokia 1100. Certain models of the 1100 used erasable ROM, which allows data to be read and written to the chip, Becker said."
If that's the case, how hard would it be to desolder a non-flashable ROM and replace it with one that is? It would certainly be more hassle than buying a phone already built that way, but with the right tools and enough effort, why wouldn't any phone be susceptible to this type of attack?
the real security defect (Score:5, Insightful)
Re:Hardware hack? (Score:5, Informative)
It probably isn't so much just the ROM, but also the code on the phone itself, and the amount of available room in the memory to work with. The hackers probably developed their code specifically for that phone, and are counting on memory addresses being in a particular place, and all sorts of other variables that have to be considered when writing assembly code for a specific piece of hardware.
Back in the day, everyone wanted an Oki 900 because it could store between 5 and 99 ESN/MIN pairs AND swap them on the fly. In theory, you could just use G2 and reprogram a Motorola flip phone, but that required a laptop and a loader phone. So sure, you could do the same with a Motorola, but it was a lot easier to use an Oki. In the end though, the result was the same. You were able to make calls and not pay for them.
In the case of the Nokia phone, whoever developed the hack developed it for the Nokia 1100. They probably spent a lot of time reverse engineering/disassembling the original EEPROM and a lot of time hacking the code together to make it work.
Re: (Score:2)
It probably isn't so much just the ROM, but also the code on the phone itself
Erm, the code is in the ROM, flash ROM.
They probably spent a lot of time reverse engineering/disassembling the original EEPROM and a lot of time hacking the code together to make it work.
Except user authentication on a GSM network is between the network and the SIM card; the PHONE is just a dumb data pipe during that phase. This is just a scam.
Re: (Score:2)
The code is in the ROM, but the code is specific to the phone. The user auth might happen on the GSM network, and sure it's between the network and the SIM, but the phone has to run the authentication code. The hacker obviously knows how the code runs on the Nokia 1100. To go back to the Oki 900 example, the Oki 900 was the phone of choice because of the hardware architecture of the phone. The Oki 910 was almost the exact same phone, but it couldn't do what the 900 could do. Similarly, while there are
Re: (Score:2)
The user auth might happen on the GSM network, and sure it's between the network and the SIM, but the phone has to run the authentication code.
No, phone just pushes data between SIM and network, encrypted data.
Re: (Score:2)
Re: (Score:2)
It's trivial to change the IMEI. It's trivial to get the IMSI. You CAN'T just use someone else's IMSI; you need at least Ki.
And who the F is Ultrascan KPO?
This looks like a big fat scam to sell old stock of Nokia 1100s, and this nobody Ultrascan is riding the scam wave trying to establish some good PR.
Correct use of the term (Score:2, Interesting)
still using one (Score:5, Funny)
I've got one of these in my pocket right now. Do you think it would raise any suspicion if I posted it on eBay now?
Nokia 1100 L000000K! RARE! HACK BANKS!!!
Re: (Score:2)
My newer phones have all been stolen
I thought I was safe carrying this old phone, now it might be even more of a target than a new phone, how ironic (though this kind of stuff is not happening here in Uruguay - we're still 5-10 years behind Europe as always).
Re:still using one (Score:5, Funny)
Do you think it would raise any suspicion if I posted it on eBay now? Nokia 1100 L000000K! RARE! HACK BANKS!!!
A++++++ thief. Would steal with him again!
Re: (Score:2)
THIS IS the Best Phone EVER!
I have two. They're awesome.
4+ years of continuous use,
3 DAYS of battery on ONE HOUR of charge,
NO features except a flashlight,
EXCELLENT sound and reception.
Tons of free chargers and headsets all over
It's just a phone. It just works.
They let me take it into secure places.
I love it.
The only bummer about this story is that now I'll ha
Nokia: 1 - Apple: 0 (Score:5, Funny)
Re: (Score:3, Informative)
Actually, this particular model outsold the iPod. All models.
Re:Nokia: 1 - Apple: 0 (Score:5, Informative)
Trying to outsell?
Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
(http://www.engadget.com/2005/09/21/nokia-crosses-one-billion-mark/)
Although something tells me that Nigeria isn't necessarily the most prominent market for Apple, since the price of an iPhone is equal to one year's salary for an average Nigerian.
Re: (Score:3, Funny)
Trying to outsell?
Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
(http://www.engadget.com/2005/09/21/nokia-crosses-one-billion-mark/)
Although something tells me that Nigeria isn't necessarily the most prominent market for Apple, since the price of an iPhone is equal to one year's salary for an average Nigerian.
They seem to have a lot of royalty. Maybe Apple should go after them.
Re:Nokia: 1 - Apple: 0 (Score:5, Funny)
Although something tells me that Nigeria isn't necessarily the most prominent market for Apple, since the price of an iPhone is equal to one year's salary for an average Nigerian.
That's just because the average Nigerian's money is caught up in an off-shore bank account, and we aren't doing our part to help them access the funds despite the generous offer of 10% commission.
They're just reprogramming the IMEI and IMSI... (Score:5, Interesting)
Uh... this ability is hardly unique to this device, I have a feeling there's something else they're not telling us.
Re: (Score:3, Interesting)
They are probably eavesdropping only, if complete SIM cloning without physical access was possible with just a modified phone that would be much bigger news than this.
Re:They're just reprogramming the IMEI and IMSI... (Score:4, Informative)
Re:They're just reprogramming the IMEI and IMSI... (Score:5, Interesting)
Agreed - the explanation seems weird. I'm not sure about the Nokia patching scene, but most of the Siemens *45, *55, *65 phones could be completely reprogrammed and were well understood. The SL45 was one of the best examples - its annotated assembler firmware was so nice to work with that people simply wrote binary patches in assembler, or used a C compiler + binary-patched some jump addresses. There were complete design notes circulating on P2P networks. I'm not sure what can be so specific to the Nokia 1100 that they don't want to reprogram any other device.
Even better - if they're good enough to reprogram Nokia to interact directly with SIM and GSM module, why won't they just buy GSM modules themselves and clone some random SIM cards? It's not like GSM transmitters are some controlled goods available only to Nokia et al. If you can afford 100 of them, they should be quite easy to obtain.
So yeah - it seems there's something more going on here. Or they're just some script kiddies who bought a "hacking technique" from someone more advanced and now they can only replicate the issue on that one device.
Re: (Score:2)
So yeah - it seems there's something more going on here. Or they're just some script kiddies who bought a "hacking technique" from someone more advanced and now they can only replicate the issue on that one device.
You mean somebody posted this on 4chan (alongside Tom Cruise's number, OFC)?
Re: (Score:3, Informative)
Knowing the general gist of how cellular protocols work, I don't think there is anything they're not telling us. It's just that most phones don't have reprogrammable IMEIs, for very obvious reasons.
Although, I didn't think GSM phones even authenticated via the IMEI normally, just via the info on the SIM, so cloning the SIM would be enough. Guess I was wrong.
CDMA phones do authenticate via the MEID or ESN (or pESN, an encoded form of the MEID, for backwards compatibility with equipment that can't handle MEID
Re: (Score:2)
Knowing the general gist of how cellular protocols work, I don't think there is anything they're not telling us. It's just that most phones don't have reprogrammable IMEIs, for very obvious reasons.
Although, I didn't think GSM phones even authenticated via the IMEI normally,
They certainly do as part of the initial authentication otherwise it would be impossible for the network operator to blacklist stolen phones.
Re: (Score:2)
It's just that most phones don't have reprogrammable IMEIs
Most do; it's not user-reprogrammable, but every corner GSM shop in Europe can do it with the repair tools they use.
Although, I didn't think GSM phones even authenticated via the IMEI normally
They don't.
so cloning the SIM would be enough.
good luck trying to clone sim cards now, we are long past comp128v1
you're not laughing now (Score:2)
Get them for 5.50 from ebay (Score:2, Interesting)
Bidding has started ...
http://catalog.ebay.co.uk/Nokia-1100-Mobile-Phone_W0QQ_fclsZ1QQ_pidZ56002720QQ_tabZ3 [ebay.co.uk]
Kudos to the Crooks (Score:5, Funny)
Here on /. we're always bragging about finding a good use for old hardware. Well, these guys did just that, and now you're going to chastise them for it.
You people have been asking for us to recycle our electronics for years now, bitching about throwing away cell phones and their toxic batteries. These guys deserve some sort of award for this.
Good job
where can I get one?
Re: (Score:2)
These guys deserve some sort of award for this.
The cash prize should be enough.
So who will be fired (Score:3, Insightful)
Don't bother replying, I know the answer is no-one.
Re:So who will be fired (Score:5, Insightful)
A number of people in IT seem to believe that the only acceptable form of security - particularly as it relates to anything remotely important - is one which is not susceptible to any sort of attack, real or theoretical, until some time after the heat death of the universe.
Banks don't. They know full well that there will always be a certain amount of fraud no matter what you do.
Every change you want to make to the bank's system costs - in man hours to develop, test and deploy the fix, and also in terms of the risk of something going wrong when you come to deploy. Most of these costs can be boiled down to cold hard cash. If making the necessary changes will cost more than the amount of fraud it's expected to prevent, don't be surprised to see nothing change.
Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.
Re: (Score:2)
It is not as if methods for authentication, non-repudiation, encryption and key exchange need to be re-invented every time a new application shows up for them.
Re: (Score:2)
Every change you want to make to the bank's system costs - in man hours to develop, test and deploy the fix, and also in terms of the risk of something going wrong when you come to deploy. Most of these costs can be boiled down to cold hard cash. If making the necessary changes will cost more than the amount of fraud it's expected to prevent, don't be surprised to see nothing change.
So if you want to reduce fraud, make banks financially responsible for it. Real security can be had, if they had financial inc
Oh they do, do they? (Score:3, Funny)
Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.
I would have had faith in that statement before the credit crisis of 2008 took hold.
Re: (Score:2)
Re: (Score:2)
I really think the banks apply the bare minimum of oversight, bec
what is needed for this to work...??? (Score:5, Interesting)
1. physical access to SIM-card to get the IMSI
2. info on bank account / phone number
3. hacking into the PC/internet connection to determine if/when the code is used.
4. raise no suspicion when a code is sent and not received by the original recipient, and the recipient is not able to call/be called or send/receive texts because the original phone will be blocked until it is paired again with the GSM system (power cycled)
5. you need to have a bank that does have this system. (mine does not)
so not as viable as it looks.
Re: (Score:3, Interesting)
Not necessarily - phones transmit the IMSI to the network, and there are known flaws in the encryption scheme GSM uses (and some carriers don't use encryption, though it's not very common, AFAIK). It's plausible that those two would get you the IMSI.
Re: (Score:2)
crack bank accounts? (Score:5, Funny)
Re: (Score:3, Funny)
Yes, and it runs on an Atari Portfolio [oldcomputers.net].
Easy money.
Just one question: (Score:3, Insightful)
What crazy bank sends *TANs to mobile phones in the first place?? Even this possibility would be a reason for me to terminate the contract.
I really recommend chipcard based systems. I use a class 2 terminal, and HBCI. It's not only much more comfortable, it's also on a completely different level in terms of security.
(In case you do not know how it works: Everything between the chipcard controller and the bank system basically only forwards encrypted packets. And if anything meddles with them, it detects this. You need the card, and a code of six numbers, and the server associates a user with that login. Every transaction that follows this, has to be accepted by the chipcard/terminal. The ones with keypads *and* displays are the most secure, because they show the details of the transaction *on* the terminal, and you have to say ok *with* that terminal. So the only open hole that I know of, is physical tinkering with the card and the terminal. Which still would be pretty hard, but not impossible. But if anyone can do this, I'm fucked anyway. ^^ [Oh, and of course, if you know of any problems with this system, I'm happy to hear them.])
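The transaction-confirmation flow described in the comment above, as an added illustration that is not part of the original post and not HBCI's actual wire protocol. The card's signature is modelled with HMAC-SHA256 over a canonical encoding of the transaction (a real card would use its own key and algorithm; this is an assumption for the example), and the `Class3Terminal`, `ChipCard` and `Bank` classes, the user name and the key bytes are constructed here. The example shows why a terminal with its own display and keypad matters: a compromised PC that alters the transaction after the card signs it is rejected by the bank, and one that alters it before signing is caught by the user reading the terminal's display.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so card and bank sign/verify the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class ChipCard:
    """Holds the per-customer signing key; the key never leaves the card."""

    def __init__(self, card_key: bytes):
        self._key = card_key

    def sign(self, tx: dict) -> bytes:
        return hmac.new(self._key, canonical(tx), hashlib.sha256).digest()


class Class3Terminal:
    """Card reader with its own keypad and display. The PC only relays bytes;
    the user confirms what the *terminal* shows, not what the PC shows."""

    def __init__(self, card: ChipCard, user_confirms: Callable[[dict], bool]):
        self.card = card
        self.user_confirms = user_confirms  # stand-in for the physical OK key
        self.display = None

    def authorise(self, tx: dict) -> Optional[bytes]:
        self.display = dict(tx)  # what the user actually sees
        if not self.user_confirms(self.display):
            return None  # user pressed cancel: no signature exists
        return self.card.sign(tx)


class Bank:
    """Server side: knows each customer's card key, accepts only signed orders."""

    def __init__(self, key_by_user: Dict[str, bytes]):
        self._keys = key_by_user

    def submit(self, user: str, tx: dict, signature: Optional[bytes]) -> bool:
        key = self._keys.get(user)
        if key is None or signature is None:
            return False
        expected = hmac.new(key, canonical(tx), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


# Constructed sample data: not a real customer, key or account.
USER = "alice"
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
INTENDED = {"to": "DE00 0000 0000 0000 0000 00", "amount_cents": 12000, "ref": "rent"}


def user_who_checks_display(intended: dict) -> Callable[[dict], bool]:
    """The user compares the terminal display with what they meant to send."""
    return lambda shown: shown == intended


def honest_transfer() -> bool:
    """PC relays faithfully: card signs, bank accepts."""
    bank = Bank({USER: CARD_KEY})
    term = Class3Terminal(ChipCard(CARD_KEY), user_who_checks_display(INTENDED))
    sig = term.authorise(INTENDED)
    return bank.submit(USER, INTENDED, sig)


def tampered_after_signing() -> bool:
    """Compromised PC swaps the payee after the card has signed: the signature
    no longer matches the order the bank receives, so it is rejected."""
    bank = Bank({USER: CARD_KEY})
    term = Class3Terminal(ChipCard(CARD_KEY), user_who_checks_display(INTENDED))
    sig = term.authorise(INTENDED)
    altered = dict(INTENDED, to="DE99 9999 9999 9999 9999 99")
    return bank.submit(USER, altered, sig)


def tampered_before_display() -> bool:
    """Compromised PC alters the order before it reaches the terminal: the
    terminal shows the altered details, the user declines, nothing is signed."""
    bank = Bank({USER: CARD_KEY})
    term = Class3Terminal(ChipCard(CARD_KEY), user_who_checks_display(INTENDED))
    altered = dict(INTENDED, amount_cents=900000)
    sig = term.authorise(altered)  # returns None: user saw 9000.00 and cancelled
    return bank.submit(USER, altered, sig)


if __name__ == "__main__":
    print("honest:", honest_transfer())                    # True
    print("altered after signing:", tampered_after_signing())  # False
    print("altered before display:", tampered_before_display())  # False
```

The remaining hole the comment identifies, tampering with the card or the terminal itself, is outside this model: everything the example guarantees rests on the terminal displaying exactly the bytes the card is about to sign.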
Re: (Score:2)
Sure, HBCI with a chip card is the way to go in the terms of security, but mTAN is the way to go in the terms of comfort - you can do banking from anywhere.
ING Bank, The Netherlands, for one (optionally!) (Score:3, Interesting)
The ING Bank, formerly Postbank, in The Netherlands does a TAN over phone, for one, but only optionally*; you have to sign up for it.
It's actually reasonably secure. You need to log in with username/password first, then you have to set up the transaction, then you have to wait for the TAN by phone, and then enter that. It's quite nice when, say, abroad and you do need to do some banking while abroad. If you're away for a month or more, you might have rent to pay, for example; not everybody accepts 2 mont
Re: (Score:2)
Bad protocol design (Score:2)
Re: (Score:2)
The protocol does not. It has other flaws (lack of authentication of the network by the mobile; only the other way round), but none as basic as some people seem to be claiming.
the article says cloning a SIM is trivial (Score:3, Interesting)
But isn't that actually the tough part? That's the whole key to GSM.
Cloning a SIM is supposed to be non-trivial and should be nigh-impossible if you cannot get physical access to the person's SIM. I know there was an issue where the secret keys in the SIMs weren't random enough, but that's a long time ago now, newer SIMs are not subject to that problem.
As to the thing about erasable ROM, I thought something like the iPhone 1G had been completely pwned and should be as subject to an IMEI cloning hack as any of these phones.
Nokia DCT4 security (Score:5, Informative)
Re: (Score:3, Informative)
Red Mercury? (Score:2)
Further, police have announced that Nokia phones other than the 1100s with prime serial numbers contain no red mercury.
Had one of those (Score:2)
That's the best phone I ever had. Sure, it only did calling + SMS (it also had a flashlight). Then I stupidly wanted to listen to mp3s and wanted the phone to look nice, so I changed it for a *newer*, *more advanced* one... And that's when my problems started...
Re: (Score:2)
Tracfone (Score:2)
It's one of the most popular Tracfone models, but those can't be hacked.
It's one of the most popular AT&T GoPhone models, and AT&T (then Cingular) had to restrict purchase.
They didn't really restrict them... the "quantity" drop-down menu was "restricted" to a mere 10 units per order.
Now we know why the restriction existed. And we thought it was for export to drug dealers. Turns out it was something else entirely.
Re: (Score:3, Informative)
Is this one particular factory in China, by some chance?
No, if you happened to read the article you'd find out it was the Bochum, Germany factory.
Re: (Score:2)
The late revenge of the laid off Bochum workers!
Re: (Score:2)
The trick is the wise guy working at the cell phone store.