Slashdot Mirror


Nokia Extorted For Millions Over Stolen Encryption Keys

jppiiroinen writes: At the end of 2007, when Nokia still had huge market share with Symbian devices, they failed to disclose that somebody had stolen their encryption keys and extorted them for millions of Euros. The Finnish National Bureau of Investigation has not been able to figure out who did it. "The blackmailer had gotten hold of the Symbian encryption key used for signing. The code is a few kilobytes in size. Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company."

11 of 89 comments

  1. Needs more Spy Thrilling by psyclone · · Score: 3, Insightful

    The money was left in a bag at a parking lot nearby Särkänniemi amusement park. Then things went wrong. The blackmailer took the bag. Police, however, lost track of the blackmailer and the money was gone.

    What, no GPS transmitter in the filament of each paper Euro? Amateurs.

  2. Feature or bug? by ron_ivi · · Score: 2, Insightful

    > Nokia would not have been able to ensure that the phones accept only applications approved by the company.

    Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company"?

    1. Re:Feature or bug? by jeffmflanagan · · Score: 4, Insightful

      >Do device "owners" really want phones that "accept only applications approved by the company".

      Of course they do. You may not have heard of it, but there's a device called an iPhone that's tremendously popular, and this feature is one of the reasons.

      Locked-down devices are not for me, but one would have to really have their head in the sand to not notice that safer-to-use devices are popular with many, many people.

    2. Re:Feature or bug? by sjames · · Score: 2

      Also, the Tooth Fairy insisted. We don't know why.

    3. Re:Feature or bug? by sjames · · Score: 2

      And we know the key would never be used because the blackmailer pinkie swore.

    4. Re:Feature or bug? by ericloewe · · Score: 2

      The story is badly told. Symbian never restricted apps. I believe it did check their signatures on install, informing users (kinda like UAC in Windows).

    5. Re:Feature or bug? by mr_jrt · · Score: 2

      Yeah it did - my N95 (Symbian OS v9.2, S60 3rd Edition) was unable to play OGGs via the stock media player as the codecs weren't signed. Previous versions were able to fine, apparently.

      --
      Boo.

    6. Re:Feature or bug? by DarwinSurvivor · · Score: 2

      That's just it. The summary says "Had the keys been leaked..." when in reality it is very obvious that they were leaked, Nokia just paid somebody and hoped they wouldn't use it. Encryption keys aren't something you can just give back, and a giant certificate revocation would have been noticed by a lot of security researchers.

      Basically, this story boils down to the fact that Nokia is out millions of dollars and their infrastructure is STILL compromised. Pinky swear indeed...

  3. Unimaginable horror by WaffleMonster · · Score: 2

    Damn, you just have to feel sorry for Nokia...

    I couldn't imagine the pain and suffering that must be associated with selling devices and then losing the ability to control what software can be installed on them.

  4. Extort the extorter? by Kaz Kylheku · · Score: 4, Funny

    Pay me, or you don't get to extort your users with your locking scheme! :)

  5. Re:Delegation of vetting by Somebody Is Using My · · Score: 2

    I disagree. I do not think this is a major consideration for most users. The idea of multiple software stores, some of which may or may not be trustworthy, is not high on the list when comparing phones.

    Issues they do care about in general order of importance:
    * Cost of the phone
    * Provider support (e.g., will I be able to use this phone with my carrier)
    * Features of the phone (does it have a keyboard, or a camera, and what does it look like)
    * App support (can I download apps I am interested in?)

    The fact is, most people have a rudimentary understanding of how the apps work and what risks they are taking when they download software from the internet. Nor are they aware of how powerful and versatile these pocket-computers really are. So long as they get their email, Facebook, music, mapping, a few choice games, and perhaps the usual word-processing apps, most people are satisfied with the selection they get from the app store (there may be more to that list, but for the vast bulk of people, everything they need or want can be had from the official app stores). It doesn't occur to them that they are "locked-in" because they already get everything they need so they don't go looking for more. However, when they do feel the restrictions - when they discover that FlappyBirds or whatever fad-app isn't available on the app store - they are more than willing to visit alternative sites to get their software fix, regardless of the risk to which this puts their data.

    In other words, it is true that users usually do not care about being locked in to one application provider. But they also don't care that the official app-stores vet the software either and when push comes to shove they will readily accept software from any source. Once made aware of the issue, the multiple sources of apps is a selling point for Android, because it gives the users more selection. That it comes with significant risk to their privacy and data is rarely a consideration. When the garden wall gets in their way, they dislike it as much as power users without understanding the benefits it might bring.