Investigators Replicate Nokia 1100 Banking Hack
Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."
It may be illegal, but the hackers deserve some credit for being able to figure this out.
The fun little loopholes people find are always interesting to see. I'm guessing it won't take long for these phones to be outlawed in the EU though.
I think I had one of those & gave it to my 4 yr old nephew to play with / destroy it.
There is a war going on for your mind.
"The modified firmware is then uploaded to the Nokia 1100. Certain models of the 1100 used erasable ROM, which allows data to be read and written to the chip, Becker said."
If that's the case, how hard would it be to desolder a non-flashable ROM and replace it with one that is? It would certainly be more hassle than buying a phone already built that way, but with the right tools and enough effort, why wouldn't any phone be susceptible to this type of attack?
It's nice to see an example of correct use of "hacker" by the mainstream media, even if it's just by chance
I've got one of these in my pocket right now. Do you think it would raise any suspicion if I posted it on eBay now?
Nokia 1100 L000000K! RARE! HACK BANKS!!!
Smart move from Nokia trying to outsell the iPhone
My friend gave me his because he got a new one and he knew I like to take stuff apart, but sadly I don't live in Europe, so I can't sell it (at least easily) for some quick cash.
They are actually very widespread; I see that model all over the place. Not everyone wants a top-of-the-range phone, some just want to make calls and use texts. This is one of the few dirt-cheap phones available.
From TFA: That application allows a hacker to decrypt the Nokia 1100's firmware, Becker said. Then, the firmware can be modified and information such as the IMEI (International Mobile Equipment Identity) number can be changed as well as the IMSI (International Mobile Subscriber Identity) number, which allows a phone to register itself with an operator.
Uh... this ability is hardly unique to this device, I have a feeling there's something else they're not telling us.
e to the pi i plus one equals zero
Ha! Now I feel better for having an ancient phone, and I thought the only good bit was being able to freely toss the phone on the floor without breaking it.
Is this one particular factory in China, by some chance?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Correct. The real defect here isn't the phone, it's the system it's spoofing. This phone just makes it easier to construct the spoof.
If you mod me down, I shall become more powerful than you could possibly imagine.
Bidding has started ...
http://catalog.ebay.co.uk/Nokia-1100-Mobile-Phone_W0QQ_fclsZ1QQ_pidZ56002720QQ_tabZ3
Don't make your problems my problems!
Here on /. we're always bragging about finding good uses for old hardware. Well, these guys did just that, and now you're going to chastise them for it.
You people have been asking for us to recycle our electronics for years now, bitching about throwing away cell phones and their toxic batteries. These guys deserve some sort of award for this.
Good job.
Where can I get one?
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
For implementing such a flawed banking transaction protocol.
Don't bother replying, I know the answer is no-one.
Nullius in verba
People are paying thousands of euros for that junkie phone? I have one. YES! I may actually be able to pay for this year at university.
I asked myself a few questions after reading this, as I am kinda familiar with baseband (phone modem) firmwares and mobile network security.
Why are 1100s sold that expensive? You can do the same with the iPhone baseband pretty easily; same goes for BlackBerry and nearly any available HTC. There are even tools for that any moron can use.
Why change the IMSI? The IMSI is usually taken from the SIM card.
Also, cloning SIM cards is not that trivial. This works only for old SIMs, so the criminal needs to obtain the SIM from the victim to clone it, and the process of brute-forcing old SIM cards to clone them usually breaks the original (I did that myself).
So where is the trick and why should this be interesting for a criminal? I don't get the whole story reported. The stuff needed to do this trick, including the victim's SIM card, is that hard to get; it's easier for a criminal to steal a TAN block from the victim's desk.
1. physical access to SIM-card to get the IMSI
2. info on bank account / phone number
3. hacking into the PC/internet connection to determine if/when the code is used.
4. raise no suspicion when a code is sent and not received by the original recipient, and recipient is not able to call/being called or send/receive text because the original phone will be blocked until it is paired again with the GSM-system (power cycled)
5. you need to have a bank that does have this system. (mine does not)
so not as viable as it looks.
There's an app for that...
What crazy bank sends *TANs to mobile phones in the first place?? Even this possibility would be a reason for me to terminate the contract.
I really recommend chipcard based systems. I use a class 2 terminal, and HBCI. It's not only much more comfortable, it's also on a completely different level in terms of security.
(In case you do not know how it works: Everything between the chipcard controller and the bank system basically only forwards encrypted packets. And if anything meddles with them, it detects this. You need the card, and a code of six numbers, and the server associates a user with that login. Every transaction that follows this, has to be accepted by the chipcard/terminal. The ones with keypads *and* displays are the most secure, because they show the details of the transaction *on* the terminal, and you have to say ok *with* that terminal. So the only open hole that I know of, is physical tinkering with the card and the terminal. Which still would be pretty hard, but not impossible. But if anyone can do this, I'm fucked anyway. ^^ [Oh, and of course, if you know of any problems with this system, I'm happy to hear them.])
Any sufficiently advanced intelligence is indistinguishable from stupidity.
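The transaction-bound confirmation described in the post above (the terminal displays the transaction details and the user confirms on the terminal), contrasted with a plain SMS mTAN, as an added Python illustration that is not from this thread. The HMAC construction, the device key, the challenge and the account strings are constructed for the example; it is not HBCI's actual protocol encoding.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account_from: str
    account_to: str
    amount_cents: int
    reference: str

    def canonical(self) -> bytes:
        # Fixed field order and separator so terminal and bank hash identical bytes
        return "|".join([self.account_from, self.account_to,
                         str(self.amount_cents), self.reference]).encode()


def derive_tan(device_key: bytes, challenge: bytes, tx: Transaction, digits: int = 6) -> str:
    """TAN computed on the terminal over the bank's challenge AND the transaction
    details shown on the terminal display (hypothetical scheme, not HBCI's encoding)."""
    mac = hmac.new(device_key, challenge + b"\x00" + tx.canonical(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % (10 ** digits):0{digits}d}"


def bank_verify(device_key: bytes, challenge: bytes, tx: Transaction, tan_entered: str) -> bool:
    # The bank recomputes the TAN for the transaction it is actually about to execute
    return hmac.compare_digest(derive_tan(device_key, challenge, tx), tan_entered)


def plain_mtan_verify(issued_code: str, code_entered: str) -> bool:
    # A plain SMS mTAN is checked only against the code that was sent; nothing
    # ties it to the transaction details, so the bank cannot tell what it authorises
    return hmac.compare_digest(issued_code, code_entered)


def demo() -> tuple:
    key = b"\x11" * 32                              # constructed device key
    challenge = bytes.fromhex("0123456789abcdef")   # constructed bank challenge
    intended = Transaction("DE00 USER", "DE00 LANDLORD", 80000, "rent")
    tampered = Transaction("DE00 USER", "DE00 MULE", 80000, "rent")  # recipient swapped
    tan = derive_tan(key, challenge, intended)

    bound_ok = bank_verify(key, challenge, intended, tan)          # True
    bound_tampered = bank_verify(key, challenge, tampered, tan)    # False: details differ
    bound_replay = bank_verify(key, bytes.fromhex("fedcba9876543210"), intended, tan)  # False

    sms_code = "482913"  # constructed plain mTAN as it would arrive by SMS
    # The same code verifies whatever transaction is submitted alongside it
    plain_any = plain_mtan_verify(sms_code, sms_code)             # True
    return bound_ok, bound_tampered, bound_replay, plain_any


if __name__ == "__main__":
    print(demo())
```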
If the authentication protocol relies on the client not spoofing another client, then the authentication protocol is profoundly broken. I don't see why this specific phone is required; you should be able to build hardware from scratch to do this or even do most of it in software.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
But isn't that actually the tough part? That's the whole key to GSM.
Cloning a SIM is supposed to be non-trivial and should be nigh-impossible if you cannot get physical access to the person's SIM. I know there was an issue where the secret keys in the SIMs weren't random enough, but that's a long time ago now, newer SIMs are not subject to that problem.
As to the thing about erasable ROM, I thought something like the iPhone 1G had been completely pwned and should be as subject to an IMEI cloning hack as any of these phones.
http://lkml.org/lkml/2005/8/20/95
You should NEVER rely on the client in a network security model.
Maybe the phone system as it was designed has no other way to work other than to rely on an existing trust relationship with the host, but it could have been designed a different way, or at least one that could be revoked or challenged with a new key or mechanism if needed.
I can understand something like CSS/DeCSS where the exchange is local and a revocation being bypassed, but at least there was a system that could revoke; how could a phone system that has live two-way communication not have incorporated something like that?
Probably the same as the US laws that make it illegal to listen to analog cell phones: it was easier and cheaper to beg for forgiveness and get laws changed than to implement a better secure model from the start.
Eh? Well, a Nokia is a very crappy phone to own (from first person perspective). But I guess it's finally good for something! (Disregard the "hack" only proves it's even more poorly programmed by Nokia's Finnish programmers). I doubt making the "hack" was even hard in the first place.
This article is plain stupid. The Nokia 1110 has nothing that other phones in the same Nokia DCT4 family don't have; while DCT4 firmwares can be decrypted, Nokia DCT3 phones (Nokia 3310, etc.) are much better suited for this job, given the fact that an open source (GPL) firmware in C already exists for these devices... And about SIM cloning, YOU CAN'T clone a GSM SIM card in seconds!!!! The most advanced software for cloning SIM cards (SimScan - http://users.net.yu/~dejan/) still has to do some brute-force to extract the Ki key, which is designed to never leave the card. While we can extract the IMSI with no problems, to clone a SIM card you need two values: IMSI and Ki, and without Ki, the IMSI is worthless...
I don't understand why banks want to extend their services on to every single device out there including a refrigerator.
Recently I was opening an account with Target and they asked me to fax my ID and SSN card. The lady was assuring me about how secure the fax line is. I simply withdrew from opening the account.
-- It is the mark of an educated mind to be able to entertain a thought without accepting it. -- Aristotle
"We have not identified any phone software problem that would allow alleged use cases,"
Nokia are completely clueless as usual. Nokia 1100 belongs to the dct4 generation of phones. Security is based on safer-k64 (symmetric algo for all important stuff) and simple vhdl logic for encrypting/decrypting instructions from Flash memory. All security, hidden bootrom - completely hacked in 2001.
Even the latest Nokia models (BB5 generation) running OMAP TrustZone are fully cracked, except for a small issue of making fully blank boards run without an IMEI certificate. All the rest, a spaghetti mix of software-implemented AES, SHA and badly implemented RSA-1024, has been hacked/circumvented.
Further, police have announced that Nokia phones other than the 1100s with prime serial numbers contain no red mercury.
Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.
I would have had faith in that statement before the credit crisis of 2008 took hold.
"All great wisdom is contained in .signature files"
Wow, what you describe is exactly the 'other side of the coin' from the security theater that is... well... security nowadays.
In most other fields, people are forced to (or even choosing to) inconvenience the hell out of themselves in the name of some extremely minor (or only just perceived) increase in their security.
I applaud the fact that after hearing this, companies didn't immediately slam the door shut on banking over the phone. Personally, I'd FAR rather be able to check my bank account by phone when standing next to something expensive that I want, rather than no longer have that infinitesimally small chance that my bank account information will be gleaned by having done so.
coincidental captcha: victims
Planet Zebeth - Metroid with a twist
That's the best phone I ever had. Sure, it only did calling + SMS (it also had a flashlight). Then I stupidly wanted to listen to mp3 and wanted the phone to look nice, so I've change it for a *newer*, *more advanced* one... And that's when my problems started...
The ING Bank, formerly Postbank, in The Netherlands does a TAN over phone, for one, but only optionally*; you have to sign up for it.
It's actually reasonably secure. You need to log in with username/password first, then you have to set up the transaction, then you have to wait for the TAN by phone, and then enter that. It's quite nice when, say, abroad and you do need to do some banking while abroad. If you're away for a month or more, you might have rent to pay, for example; not everybody accepts 2 months' rent, or allow you to pay upon your return.
Odds are that you'll have your phone with you - so why lug around another (USB) device, a card, etc. Worse yet, who says you can actually plug a USB device into the internet cafe you happen to be at?
Combine that convenience with the odds that somebody 1. has your username/password and 2. has a copy of your phone in terms of what would be needed to pull this off, which are so tiny that, as per other replies, I think there's something more going on here than just duping the network and somehow getting the TANs intended for another person; it would be far -more- likely that a burglar took your actual phone and found your username/password written down on it or something.
The networks don't just authenticate the phones here; they will simply -not- allow a second copy of an IMEI on the networks. If that happens, they -will- investigate, triangulate, and send in the forces to find out wtf happened that they got a duplicate IMEI. Obviously that may be different outside of the nl-be region (i.e. I'm not even sure how they handle it in Germany; but it was my understanding that practically all networks only allow a single ID and red flags get raised when a duplicate pops up).
* That said, I don't use it. My phone could die, and I would be f'n stuck until I got a new phone to drop the SIM in. Worse yet, I could lose my phone - which is always a possibility for any goods you take with you everywhere, all the time.
I just work with the long list of TAN numbers printed out on a sheet of paper** The bank asks me for the TAN number corresponding to a given index, I type it in, transaction completed. The only way for that to be intercepted is for it to be done so somewhere along the snailmail line, and any tampering with the envelope/etc. would be glaringly obvious.
Yes, that paper can be stolen (which would be noticeable) or even copied, and -if- they then have my login information as well, I'm still screwed. But at least there's no possibility of some manner of 'eavesdropping', short of a high powered telescope aimed at my window from an undisclosed location, and I can't easily 'lose' it as I might a phone, as I'm not carrying that list with me all the time. Slight sacrifice of convenience, but I'll live.
** Ideally they would send two pages, one with the indices randomized, one with the TAN numbers, that could then be kept in separate locations and simply overlaid to find the TAN corresponding to an index, but this can be done manually if one were just shy of a tinfoil hat.
=====
I have yet to be convinced by anybody that one of those 'calculators' / USB devices + a card + lord knows what else is actually more secure without being glaringly less convenient, than what I'm working with now. But maybe I haven't heard the right arguments yet.
I'm still using one of these in New Zealand. Who knew I could get paid thousands of dollars for my old phone, I thought I would have to give it away it's so old.
Disclaimer: I've no idea what factory it's from.
You can only expect evil from a phone with a flashlight.
> Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
I wonder if they'd record that in their corporate history if they were to find out that their one billionth phone was used in some kind of scam, whether this banking hack or some 419 scam...
I mean, I'm sure there are plenty of decent Nigerians out there, but given that this phone is best known for its popularity with scammers and it's being sold to Nigeria, well...
It's one of the most popular Tracfone models, but those can't be hacked.
It's one of the most popular AT&T GoPhone models, and AT&T (then Cingular) had to restrict purchase.
They didn't really restrict them... the "quantity" drop-down menu was "restricted" to a mere 10 units per order.
Now we know why the restriction existed. And we thought it was for export to drug dealers. Turns out it was something else entirely.
Kriston
We have one-time pads.
I'm sorry if I haven't offended anyone
Isn't this exactly the same trick that Gene Hackman's character did in 'Enemy Of The State'?
Nobody has demonstrated anything. Ultrascan, if the company even really exists, only claims they have demonstrated the Nokia 1100 hack. Frank Engelsman can find his way to the media and even Slashdot now, but he cannot keep his story straight about his alleged employer Ultrascan. In the Dutch media Frank claims to be liaison of a British (or sometimes American) company operating world wide with "3200 experts", with offices in Amsterdam and Paris. In the international media he claims to represent a Dutch company. No companies named Ultrascan are registered with the Dutch Chamber of Commerce however and the Dutch Justice Department even let a statement out in 2007 doubting the existence of Ultrascan. In fact Ultrascan is so secret nobody knows where it's located and all traces of Ultrascan on the web point to Frank Engelsman's website and his press releases parroted in the media.
I recently just terminated a part-time gig with a major US Retailer (low prices always anyone?), and went rounds and rounds with management over the sheer stupidity of having a physical person from Security to escort all AT&T Go Phone purchases from register to front door for the last six months.
Since the Nokia 1100 was our most popular seller (and stolen, but w/e), things make a bit more sense now. Because, regardless of whether or not the hack is viable, or ever was in the US, chances are some script kiddie heard about it on a warez/ l334 haxors site (sarcasm fully intended), and tried to get their hands on a few to WOW their idiot friends. Enter mommy/daddy, game over.
Seems I feel like a bit of an ass now... nah. I was still right more times than not. But, when arguing with idiots, don't. They drag you down to their level and beat you with experience.
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101