Slashdot Mirror


Investigators Replicate Nokia 1100 Banking Hack

Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."


  1. It may be illegal.. by Anonymous Coward · · Score: 4, Interesting

    It may be illegal, but the hackers deserve some credit for being able to figure this out.

    1. Re:It may be illegal.. by OeLeWaPpErKe · · Score: 3, Interesting

      Even now clearly the over-the-air gsm protocol allows for this hack. Perhaps 1100 phones will be in short supply, but clearly the protocol itself is vulnerable.

      If they found the 1100 flaw, how hard could it be to duplicate the flaw in a something like a 800 Mhz tuner + fpga ?

    2. Re:It may be illegal.. by K.+S.+Kyosuke · · Score: 5, Funny

      I guess they think as well that they deserve some credit. That's why they are breaking into a bank.

      --
      Ezekiel 23:20
    3. Re:It may be illegal.. by cbrocious · · Score: 3, Informative

      You don't even need to go the FPGA route. The baseband firmware on the iPhone has been patched for an unlocking, there's nothing stopping someone from patching it to change the IMEI built into the phone or the IMSI it "reads" from the SIM. Change these and the phone can become any other.

      --
      Disconnect and self-destruct, one bullet at a time.
    4. Re:It may be illegal.. by FooAtWFU · · Score: 5, Funny

      I guess they think as well that they deserve some credit. That's why they are breaking into a bank.

      That's debit, silly.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    5. Re:It may be illegal.. by K.+S.+Kyosuke · · Score: 4, Interesting

      If I am not mistaken, you already can buy and run something like that.

      --
      Ezekiel 23:20
    6. Re:It may be illegal.. by sexconker · · Score: 4, Insightful

      It's not the phone.
      A phone is nothing but a transceiver.

      It's the system we have for identifying phones, and the practice of letting people bank over it (or sending authentication pins for pc banking to phones).

      Using a phone number as a method of authentication is inherently flawed. The practice will continue, however, because the plebes want easy more than they want secure. After all, it'll never happen to them.

    7. Re:It may be illegal.. by fuzzyfuzzyfungus · · Score: 3, Informative

      I'm fairly sure that the OpenMoko only achieves that level of firmware openness by integrating a separate GSM module, with which it communicates via standard AT commands. Just as, back in the bad old days of dialup, modems were closed source; and you could either get a winmodem, or a modem with a proper processor of its own.

      Were I a criminal with a technical inclination, I'd be more interested in something like GNU radio, as suggested in this comment

    8. Re:It may be illegal.. by Chelloveck · · Score: 3, Funny

      That's right. People should be required to enter their 1024-bit PGP key by hand every time they make a transaction.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    9. Re:It may be illegal.. by rtfa-troll · · Score: 5, Informative

      Bullshit. Not on any properly run network. Apart from the IMEI (which is written on the back of the phone) and the IMSI (which you can get with a special code from some phones) there's also the Ki. This is a secret which is buried in the SIM card and _never_ sent out to the phone. Without the physical SIM card in your phone you do not have the number.

      Now, there have been flaws in this; it has been possible to clone the SIM card because of implementation flaws, but properly made new SIMs should not have most of these. The authentication algorithms used originally were weak and could leak the key, but modern SIMs should be using stronger ones (e.g. AES). However none of these were magically to do with one particular model of a phone.

      Something different is going on here. E.g. a security company marketing scam or that the mobile can work as a short range base station and do interception or something else. Definitely not the way that it seems to be explained in the article. And definitely not that they just "changed the IMEI and the IMSI and became the other subscriber"; apart from anything else, you have no need to change the IMEI to do that.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    10. Re:It may be illegal.. by fuzzyfuzzyfungus · · Score: 3, Informative

      Evidence for above claim:

      "CALYPSO ASIC digital baseband. Unfortunately we cannot provide many details on the GSM chipset due to very tight NDAs. However, this is not necessarily required, since it interfaces using a standard UART serial line with the S3C2442. On that interface, GSM 07.05, GSM 07.10 and other standardized protocols are used."

    11. Re:It may be illegal.. by cheater512 · · Score: 3, Informative

      It's a hash function used as a challenge response.

      The tower sends a chunk of data, it's sent to the SIM, it's then transformed by Ki and then sent back to the tower.
      The tower knows what Ki is and does the same transformation and verifies that the reply is the same.

  2. Damn... by Jaysyn · · Score: 3, Funny

    I think I had one of those & gave it to my 4 yr old nephew to play with / destroy it.

    --
    There is a war going on for your mind.
    1. Re:Damn... by ObsessiveMathsFreak · · Score: 5, Funny

      You've turned him to a life of crime!!

      --
      May the Maths Be with you!
  3. Hardware hack? by Anonymous Coward · · Score: 5, Interesting

    "The modified firmware is then uploaded to the Nokia 1100. Certain models of the 1100 used erasable ROM, which allows data to be read and written to the chip, Becker said."

    If that's the case, how hard would it be to desolder a non-flashable ROM and replace it with one that is? It would certainly be more hassle than buying a phone already built that way, but with the right tools and enough effort, why wouldn't any phone be susceptible to this type of attack?

    1. Re:Hardware hack? by dave562 · · Score: 4, Informative

      It probably isn't so much just the ROM, but also the code on the phone itself, and the amount of available room in the memory to work with. The hackers probably developed their code specifically for that phone, and are counting on memory addresses being in a particular place, and all sorts of other variables that have to be considered when writing assembly code for a specific piece of hardware.

      Back in the day, everyone wanted an Oki 900 because it could store between 5 and 99 ESN/MIN pairs AND swap them on the fly. In theory, you could just use G2 and reprogram a Motorola flip phone, but that required a laptop and a loader phone. So sure, you could do the same with a Motorola, but it was a lot easier to use an Oki. In the end though, the result was the same. You were able to make calls and not pay for them.

      In the case of the Nokia phone, whoever developed the hack developed it for the Nokia 1100. They probably spent a lot of time reverse engineering/disassembling the original EEPROM and a lot of time hacking the code together to make it work.

  4. still using one by jaroslav · · Score: 5, Funny

    I've got one of these in my pocket right now. Do you think it would raise any suspicion if I posted it on eBay now?

    Nokia 1100 L000000K! RARE! HACK BANKS!!!

    1. Re:still using one by syousef · · Score: 4, Funny

      Do you think it would raise any suspicion if I posted it on eBay now? Nokia 1100 L000000K! RARE! HACK BANKS!!!

      A++++++ thief. Would steal with him again!

      --
      These posts express my own personal views, not those of my employer
  5. Nokia: 1 - Apple: 0 by Jonas+Buyl · · Score: 5, Funny

    Smart move from Nokia trying to outsell the iPhone

    1. Re:Nokia: 1 - Apple: 0 by kovari · · Score: 3, Informative

      Actually, this particular model outsold the iPod. All models.

    2. Re:Nokia: 1 - Apple: 0 by Keruo · · Score: 4, Informative

      Trying to outsell?

      Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
      (http://www.engadget.com/2005/09/21/nokia-crosses-one-billion-mark/)

      Although something tells me that Nigeria isn't necessarily the most prominent market for Apple, since the price of an iPhone is equal to one year's salary for an average Nigerian.

      --
      There are no atheists when recovering from tape backup.
    3. Re:Nokia: 1 - Apple: 0 by SydShamino · · Score: 5, Funny

      Although something tells me that Nigeria isn't necessarily the most prominent market for Apple, since the price of an iPhone is equal to one year's salary for an average Nigerian.

      That's just because the average Nigerian's money is caught up in an off-shore bank account, and we aren't doing our part to help them access the funds despite the generous offer of 10% commission.

      --
      It doesn't hurt to be nice.
  6. They're just reprogramming the IMEI and IMSI... by admiralfrijole · · Score: 4, Interesting

    from tfa: That application allows a hacker to decrypt the Nokia 1100's firmware, Becker said. Then, the firmware can be modified and information such as the IMEI (International Mobile Equipment Identity) number can be changed as well as the IMSI (International Mobile Subscriber Identity) number, which allows a phone to register itself with an operator.

    Uh... this ability is hardly unique to this device, I have a feeling there's something else they're not telling us.

    --
    e to the pi i plus one equals zero
    1. Re:They're just reprogramming the IMEI and IMSI... by internerdj · · Score: 3, Informative

      It was probably just set up so that it was easy to do compared to other phones. When I worked for LG's cell division there was a hidden, password-protected menu on some models for changing any of the firmware settings; finding the menu would have been next to impossible, but the default password was something similar to 8 0's. While this sounds a bit more complex, my guess would be they did something stupid with the flash updater, like not putting any protections on the firmware downloads.

    2. Re:They're just reprogramming the IMEI and IMSI... by Viraptor · · Score: 5, Interesting

      Agreed - the explanation seems weird. I'm not sure about the Nokia patching scene, but most of the Siemens *45, *55, *65 phones could be completely reprogrammed and were well understood. The SL45 was one of the best examples: its annotated assembler firmware was so nice to work with that people simply wrote binary patches in assembler, or used a C compiler + binary patched some jump addresses. There were complete design notes circulating on P2P networks. I'm not sure what can be so specific to the Nokia 1100 that they don't want to reprogram any other device.

      Even better - if they're good enough to reprogram Nokia to interact directly with SIM and GSM module, why won't they just buy GSM modules themselves and clone some random SIM cards? It's not like GSM transmitters are some controlled goods available only to Nokia et al. If you can afford 100 of them, they should be quite easy to obtain.

      So yeah - it seems there's something more going on here. Or they're just some script kiddies who bought a "hacking technique" from someone more advanced and now they can only replicate the issue on that one device.

  7. the real security defect by Gary+W.+Longsine · · Score: 4, Insightful

    Correct. The real defect here isn't the phone, it's the system it's spoofing. This phone just makes it easier to construct the spoof.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  8. Kudos to the Crooks by alta · · Score: 4, Funny

    Here on /. we're always bragging about finding good uses for old hardware. Well, these guys did just that, and now you're going to chastise them for it.

    You people have been asking for us to recycle our electronics for years now, bitching about throwing away cell phones and their toxic batteries. These guys deserve some sort of award for this.

    Good job
    where can I get one?

    --
    Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
  9. Re:Interesting by e4g4 · · Score: 5, Insightful

    I'm guessing it won't take long for these phones to be outlawed in the EU though.

    Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.

    --
    The secret to creativity is knowing how to hide your sources. - Albert Einstein
  10. Re:So who will be fired by jimicus · · Score: 5, Insightful

    A number of people in IT seem to believe that the only acceptable form of security - particularly as it relates to anything remotely important - is one which is not susceptible to any sort of attack, real or theoretical, until some time after the heat death of the universe.

    Banks don't. They know full well that there will always be a certain amount of fraud no matter what you do.

    Every change you want to make to the bank's system costs - in man hours to develop, test and deploy the fix and also in terms of the risk of something going wrong when you come to deploy. Most of these costs can be boiled down to cold hard cash. If making the necessary changes will cost more than the amount of fraud it's expected to prevent, don't be surprised to see nothing change.

    Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.

  11. what is needed for this to work...??? by broomer · · Score: 5, Interesting

    1. physical access to SIM-card to get the IMSI
    2. info on bank account / phone number
    3. hacking in PC/internet connection to determine if/when the code is used.
    4. raise no suspicion when a code is sent and not received by the original recipient, and the recipient is not able to call/be called or send/receive texts because the original phone will be blocked until it is paired again with the GSM system (power cycled)
    5. you need to have a bank that does have this system. (mine does not)

    so not as viable as it looks.

  12. crack bank accounts? by IlluminatedOne · · Score: 5, Funny

    There's an app for that...

  13. Re:Interesting by codegen · · Score: 3, Insightful

    If all the carriers discontinued service to these models they would render them useless.

    I wasn't aware that the model of the phone was part of the GSM protocol. Even if it was, if you can program the phone to lie about the IMEI or IMSI, then you can program the phone to lie about the phone model to the provider.

    --
    Atlas stands on the earth and carries the celestial sphere on his shoulders.
  14. Nokia DCT4 security by Mulder3 · · Score: 5, Informative

    This article is plain stupid. The Nokia 1110 has nothing that other phones in the same Nokia DCT4 family don't have; while DCT4 firmwares can be decrypted, Nokia DCT3 phones (Nokia 3310, etc.) are much better suited for this job, given the fact that there already exists an open source (GPL) firmware in C for these devices... And about SIM cloning, YOU CAN'T clone a GSM SIM card in seconds!!!! The most advanced software for cloning SIM cards (SimScan - http://users.net.yu/~dejan/) still has to do some brute-force to extract the Ki key, which is designed to never leave the card, while we can extract the IMSI with no problems. To clone a SIM card, you need two values: IMSI and Ki, and without Ki, IMSI is worthless...
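
The challenge-response that cheater512 sketches above (tower sends a random value, the SIM transforms it with Ki, the tower does the same and compares) and Mulder3's point that IMSI without Ki is worthless, worked through as an added Python example. This is editorial illustration, not code from the thread, from Nokia, or from any operator. Assumptions: HMAC-SHA256 stands in for the card's operator-chosen A3/A8 algorithms; all IMSI, IMEI and Ki values are constructed test data; a patched handset is modelled as one that can report any IMSI/IMEI but only forwards the challenge to the card actually inserted.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 algorithms (assumption: HMAC-SHA256).

    Real cards run an operator-chosen algorithm (COMP128 variants, Milenage);
    only the output sizes here follow GSM: SRES is 32 bits, Kc is 64 bits.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """The card: hands out its IMSI and answers RUN GSM ALGORITHM, never Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki  # stays inside the card

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class Handset:
    """Phone firmware. Patched firmware can claim any IMSI or IMEI it likes,
    but it can only forward RAND to whatever SIM is physically inserted."""

    def __init__(self, sim: Sim, claimed_imsi: Optional[str] = None,
                 imei: str = "000000000000000") -> None:
        self.sim = sim
        self.claimed_imsi = claimed_imsi or sim.imsi
        self.imei = imei  # constructed; the network never uses it to authenticate

    def answer_challenge(self, rand: bytes) -> bytes:
        sres, _kc = self.sim.run_gsm_algorithm(rand)
        return sres


class Network:
    """Operator side (HLR/AuC): the only other holder of each subscriber's Ki."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._ki_by_imsi = dict(subscribers)

    def authenticate(self, handset: Handset) -> Tuple[bool, Optional[bytes]]:
        """One GSM authentication round; returns (accepted, session key Kc)."""
        ki = self._ki_by_imsi.get(handset.claimed_imsi)
        if ki is None:
            return False, None                  # unknown subscriber
        rand = os.urandom(16)                   # 128-bit RAND, sent in the clear
        expected_sres, kc = a3_a8(ki, rand)
        sres = handset.answer_challenge(rand)   # air interface carries only RAND/SRES
        if not hmac.compare_digest(sres, expected_sres):
            return False, None
        return True, kc


def run_scenarios() -> Dict[str, bool]:
    """Three handsets try to register as the victim; only Ki decides the outcome."""
    # Constructed test-network (MCC 001) subscribers and keys.
    victim_imsi, attacker_imsi = "001010000000001", "001010000000002"
    victim_ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    attacker_ki = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    network = Network({victim_imsi: victim_ki, attacker_imsi: attacker_ki})

    results: Dict[str, bool] = {}
    # 1. The victim's own phone with the victim's own card.
    results["victim"] = network.authenticate(Handset(Sim(victim_imsi, victim_ki)))[0]
    # 2. Patched firmware reporting the victim's IMSI and IMEI, attacker's card inside.
    spoof = Handset(Sim(attacker_imsi, attacker_ki), claimed_imsi=victim_imsi,
                    imei="490154203237518")  # constructed IMEI
    results["imsi_imei_spoof"] = network.authenticate(spoof)[0]
    # 3. A true clone: the victim's Ki was recovered from the card, so a new SIM
    #    (or a phone patched to emulate one) answers the challenge correctly.
    results["ki_clone"] = network.authenticate(Handset(Sim(victim_imsi, victim_ki)))[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:>16}: {'accepted' if accepted else 'rejected'}")
```

The network never looks at the IMEI, and the claimed IMSI only selects which Ki the network uses for its own computation, so rewriting either in firmware (scenario 2) produces an SRES computed with the wrong key and the registration is rejected. Only a handset that can answer with the victim's Ki (scenario 3) registers as the victim, and registering is the precondition for receiving the victim's SMS traffic, mTANs included. That is the gap between what the article describes (changing IMEI/IMSI) and what rtfa-troll and Mulder3 say is actually required.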

  15. Re:Interesting by mdielmann · · Score: 4, Funny

    I'm guessing it won't take long for these phones to be outlawed in the EU though.

    Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.

    Don't forget hookers. I think it's illegal to mention drugs and guns without mentioning hookers. And just to be safe, let's mention blackjack.

    --
    Sure I'm paranoid, but am I paranoid enough?
  16. Re:Interesting by ppanon · · Score: 3, Interesting

    According to the other posts earlier in this thread, the critical thing about this phone is that the firmware is a flashable ROM that can be easily reprogrammed. So the critical thing is that you can easily get this phone to lie, about the phone account used, and about anything else that would be transmitted over the standard GSM protocols. So the GP is correct: locking out the phone type - assuming it was possible, wouldn't do any good because the phone could be reprogrammed to impersonate something else.

    It is extremely unlikely that the existing cell tower/receiver infrastructure could be used to determine that a phone is an 1100 impersonating some other model (or even upgraded to do so). It would be better to spend the development costs on revamping GSM to use a secure handshake protocol with large asymmetric key sizes and non-removable private keys, and securing OOB control channels with AES. Good luck getting police forces and spook agencies to roll over for that one though.

    --
    Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  17. Re:i doubt it by Achromatic1978 · · Score: 3, Insightful

    When receiving stolen property, the law looks at what a "reasonable" person would believe. A reasonable person would believe that someone selling on CL/eBay a Samsung 55" 1080p 120Hz LED TV complete with packaging, receipt for warranty purposes for say $2,500 (from a selling price at Amazon of $3,199) was getting a good, but legitimate deal.

    A reasonable person, in the eyes of the law, would not believe if I came up to them at an outdoor cafe and said "Want a 55" LED TV for $300? Meet me in the parking lot in 5 minutes" that they were buying anything other than illegally obtained or acquired property.

    A reasonable person selling his Nokia 1100 (currently settling in the market for around $70) would assume that if they got, say an offer of $150, that the buyer might be an aficionado of old school cellular technology.

    A reasonable person selling his Nokia 1100 would not "ask no questions" about a bidding war on their phone which saw it run into the five digit territory. A reasonable person would also have doubts about such money, and the motivations of a buyer. Whilst under no obligation to investigate either, a reasonable person, in the eyes of the law, would have "concerns" about whether the payment they were about to receive was the proceeds of a crime, or similar.