Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Investigators Replicate Nokia 1100 Banking Hack

timothy posted more than 5 years ago | from the could-be-an-ebay-scam-rumor dept.

Security 181

Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."

cancel ×

181 comments

Sorry! There are no comments related to the filter you selected.

It may be illegal.. (4, Interesting)

Anonymous Coward | more than 5 years ago | (#28044517)

It may be illegal, but the hackers deserve some credit for being able to figure this out.

Re:It may be illegal.. (3, Interesting)

OeLeWaPpErKe (412765) | more than 5 years ago | (#28044637)

Even now clearly the over-the-air gsm protocol allows for this hack. Perhaps 1100 phones will be in short supply, but clearly the protocol itself is vulnerable.

If they found the 1100 flaw, how hard could it be to duplicate the flaw in a something like a 800 Mhz tuner + fpga ?

Re:It may be illegal.. (3, Informative)

cbrocious (764766) | more than 5 years ago | (#28044853)

You don't even need to go the FPGA route. The baseband firmware on the iPhone has been patched for an unlocking, there's nothing stopping someone from patching it to change the IMEI built into the phone or the IMSI it "reads" from the SIM. Change these and the phone can become any other.

Re:It may be illegal.. (5, Informative)

rtfa-troll (1340807) | more than 5 years ago | (#28045893)

Bullshit. Not on any properly run network. Apart from the IMEI (which is written on the back of the phone) and the IMSI (which you can get with a special code from some phones) there's also the Ki. This is a secret which is buried in the SIM card and _never_ sent out to the phone. Without the physical SIM card in your phone you do not have the number.

Now, there have been flaws in this; it has been possible to clone the SIM card because of implementation flaws, but properly made new SIMS should not have most of these. The authentication algorithms used originally were weak and could leak the key, but modern SIMs should be using stronger ones (e.g. AES). However none of these were magically to do with one particular model of a phone.

Something different is going on here. E.g. a security company marketing scam or that the mobile can work as a short range base station and do interception or something else. Definitely not the way that it seems to be explained in the article. And definitely not that the just "changed the IMEI and the IMSI and became the other subscriber"; apart from anything else, you have no need to change the IMEI to do that.

Re:It may be illegal.. (4, Interesting)

K. S. Kyosuke (729550) | more than 5 years ago | (#28044937)

If I am not mistaken, you already can buy [wikipedia.org] and run something like that [sourceforge.net] .

Re:It may be illegal.. (2, Insightful)

Bill, Shooter of Bul (629286) | more than 5 years ago | (#28044999)

Depends on your definition of hard. If I were a Criminal I'd be looking at an open moko, to see if you could hack that in a similar manner. The firmware is fully open [openmoko.org]

Re:It may be illegal.. (2, Insightful)

cbrocious (764766) | more than 5 years ago | (#28045111)

That's the firmware for the application CPU, but I don't believe the GSM baseband chip's firmware is open.

Re:It may be illegal.. (3, Informative)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#28045123)

I'm fairly sure that the OpenMoko only achieves that level of firmware openness by integrating a separate GSM module, with which it communicates via standard AT commands. Just as, back in the bad old days of dialup, modems were closed source; and you could either get a winmodem, or a modem with a proper processor of its own.

Were I a criminal with a technical inclination, I'd be more interested in something like GNU radio, as suggested in this comment [slashdot.org]

Re:It may be illegal.. (3, Informative)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#28045953)

Evidence for above claim:

" CALYPSO ASIC digital baseband Unfortunately we cannot provide many details on the GSM chipset due to very tight NDAs. However, this is not neccessarily required, since it interfaces using a standard UART serial line with the S3C2442. On that interface, GSM 07.05, GSM 07.10 and other standardized protocols are used. "

Re:It may be illegal.. (5, Funny)

K. S. Kyosuke (729550) | more than 5 years ago | (#28044727)

I guess they think as well that they deserve some credit. That's why they are breaking into a bank.

Re:It may be illegal.. (5, Funny)

FooAtWFU (699187) | more than 5 years ago | (#28044893)

I guess they think as well that they deserve some credit. That's why they are breaking into a bank.

That's debit, silly.

Re:It may be illegal.. (0)

Anonymous Coward | more than 5 years ago | (#28045347)

I guess they think as well that they deserve some credit. That's why they are breaking into a bank.

That's debit, silly.

Actually it's debt, since money is only created in our current system when it is borrwed.

Re:It may be illegal.. (1)

Z00L00K (682162) | more than 5 years ago | (#28044985)

And if this flaw exists in those phones it also means that there may be other phones with a similar flaw.

And don't forget that the smartphones that are around can be subject to hacks that does the same thing.

Don't ever think that the operating system on the smartphones are safer than the operating system you run on your PC.

Re:It may be illegal.. (4, Insightful)

sexconker (1179573) | more than 5 years ago | (#28045103)

It's not the phone.
A phone is nothing but a transceiver.

It's the system we have for identifying phones, and the practice of letting people bank over it (or sending authentication pins for pc banking to phones).

Using a phone number as a method of authentication is inherently flawed. The practice will continue, however, because the plebes want easy more than they want secure. After all, it'll never happen to them.

Re:It may be illegal.. (3, Funny)

Chelloveck (14643) | more than 5 years ago | (#28045353)

That's right. People should be required to enter their 1024-bit PGP key by hand every time they make a transaction.

Re:It may be illegal.. (0)

Anonymous Coward | more than 5 years ago | (#28045617)

The practice will continue, however, because the plebes want easy more than they want secure. After all, it'll never happen to them.

This trick apparently works only after the attacker already has your username and password. This was an extra layer of security on top of that. Although one those devices like Blizzard has setup for WoW accounts would probably be a better bet.

Regardless you can hardly say having to log in with a username and password, then waiting for a text and typing in the sent authentication code is super convenient.

Re:It may be illegal.. (0)

Anonymous Coward | more than 5 years ago | (#28045909)

Well, If the European internet banking systems work like a lot of the NA ones, another possibility might be that they deliberately provide the wrong password so that the user out so that he is presented with one a "personally-identifying" question (which the user may have chosen to be their child/pet's name or high school). Some minimal research by hanging out near the home or working in the same office and/or googling gives the answer. Only really worth it if the target is relatively wealthy (low-level executive or better) but still fairly low hanging fruit.

Re:It may be illegal.. (2, Insightful)

mea37 (1201159) | more than 5 years ago | (#28045903)

Cell phones don't use the phone number as a method of authentication. Cell phone users use the phone number as a method of identification (when they place a call or send a message to the number).

The network "looks for" the identified phone so it can deliver the message. Rather, the network looks for a phone that has authenticated as a match for the phone number.

The process by which the phone authenticates may well be flawed, but this has nothing to do with the end-user simplicity of "phone numbers"; the process is already decoupled from that simplicity as the phone # is not the information used to authenticate the phone on the network.

The other side of the coin (1)

Kabuthunk (972557) | more than 5 years ago | (#28046157)

Wow, what you describe is exactly the 'other side of the coin' from the security theater that is... well... security nowadays.

In most other fields, people are forced to (or even choosing to) inconvenience the hell out of themselves in the name of some extremely minor (or only just perceived) increase in their security.

I applaud the fact that after hearing this, companies didn't immediately slam the door shut on banking over the phone. Personally, I'd FAR rather be able to check my bank account by phone when standing next to something expensive that I want, rather than no longer have that infinitessimally small chance that my bank account information will be gleaned by having done so.

coincidental captcha: victims

Interesting (1, Interesting)

Lord Kestrel (91395) | more than 5 years ago | (#28044523)

The fun little loopholes people find are always interesting to see. I'm guessing it won't take long for these phones to be outlawed in the EU though.

i doubt it (2, Interesting)

wjh31 (1372867) | more than 5 years ago | (#28044699)

they are actually very widespread, i see that model all over the place. Not everyone wants a top of the range phone, some just want to make calls and use texts. This is one of the few dirt cheap phones available.

Re:i doubt it (1)

Klasyk (927823) | more than 5 years ago | (#28045563)

This is one of the few dirt cheap phones available.

Really? If your interpretation of 'dirt cheap' is â25,000, then I'd love to have your wallet. :)

Re:i doubt it (2, Insightful)

Achromatic1978 (916097) | more than 5 years ago | (#28045937)

Not just any Nokia 1100. One made in a certain factory in a certain date range with a certain revision of the firmware. And how long before you sold such a phone before the police came knocking on your door, wanting that money back (I'm fairly sure that 'hackers wanting a phone for its ability to easily be hacked for online banking' are not actually giving you 25,000 of their own euro...)

Re:Interesting (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28044711)

Outlawing the phones might not do much. As far as I can gather from the article, these 1100's work because their firmware is easily modifiable because it's stored on a reflashable ROM chip.

It really wouldn't be too complicated to manufacture phones somewhere outside the EU that happen to have that feature. Whatever software steps are necessary for spoofing SIM cards clearly already exist---the only obstacle is appropriate hardware.

When people are paying thousands of Euros for the vulnerable 1100's, I really don't see them balking at paying two hundred Euros for a phone specifically manufactured to allow SIM card spoofing---no matter how illegal it might be.

Hell, manufacture them in a country where goods counterfeiting is already endemic, like China. It'd be a real trick to enforce a law banning phones capable of this kind of trick when they look externally like half a dozen various garden variety phones.

I suspect this particular fun little loophole will require a technical solution---or a shift away from using SMS for sensitive data.

Re:Interesting (5, Insightful)

e4g4 (533831) | more than 5 years ago | (#28045025)

I'm guessing it won't take long for these phones to be outlawed in the EU though.

Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.

Re:Interesting (1)

johnsonav (1098915) | more than 5 years ago | (#28045291)

It works so fantastically well for drugs, guns and pirated music/movies.

Hasn't stopped people from trying though, has it?

Re:Interesting (1)

lorenzino (1130749) | more than 5 years ago | (#28045863)

WOOOOOOOOOOOOOOOOOSH

Re:Interesting (1)

Lord Kestrel (91395) | more than 5 years ago | (#28045333)

That's kind of my point. It'll be illegal for normal users to have them, but the criminals will keep doing what they always do, ignore the law. People who have one because it's old and they can't afford a new one, or like a limited feature-set or whatever would be screwed by the law, but the criminals who are already breaking the law would continue to do so.

Re:Interesting (1)

knight24k (1115643) | more than 5 years ago | (#28045433)

Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.

A little bit different here though. The device in question requires a service in order to work. If all the carriers discontinued service to these models they would render them useless. You could find them anywhere you wanted, but without a way to connect, it is just another paper weight. Almost like in the Matrix when Agent Smith tells Neo "What good is a phone call, when you are unable to speak?"

What good is a hackable phone, if you are unable to get a dial tone?

Now, they may or may not go down that route, but I think if they choose to do so, they will have a much more successful time removing them from use than with consumable items.

Re:Interesting (3, Insightful)

codegen (103601) | more than 5 years ago | (#28045539)

If all the carriers discontinued service to these models they would render them useless.

I wasn't aware that the model of the phone was part of the GSM protocol. Even if it was, if you can program the phone to lie about the IEMI or IMSI, then you can program the phone to lie about the phone model to the provider.

Re:Interesting (1)

knight24k (1115643) | more than 5 years ago | (#28045683)

I wasn't aware that the model of the phone was part of the GSM protocol. Even if it was, if you can program the phone to lie about the IEMI or IMSI, then you can program the phone to lie about the phone model to the provider.

Maybe, maybe not. It is a particular model made in a particular factory. Changing the model may break the hack since the provider may talk to the device differently since it now thinks it is a different handset. There is something very specific about the phones in question and reprogramming the model type/number may or may not work. Frankly, I don't know one way or the other.

My point was that since these devices require an outside service to operate it is far easier to target them for bans than other types of prohibitions which target mainly consumables that require no outside entity to function as desired.

Re:Interesting (4, Funny)

mdielmann (514750) | more than 5 years ago | (#28045813)

I'm guessing it won't take long for these phones to be outlawed in the EU though.

Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.

Don't forget hookers. I think it's illegal to mention drugs and guns without mentioning hookers. And just to be safe, let's mention blackjack.

Re:Interesting (0)

Anonymous Coward | more than 5 years ago | (#28045535)

GSM is already a government-protected standard in most parts of the world. Touching it is illegal without the blessing of your local radio regulatory agency.

Damn... (3, Funny)

Jaysyn (203771) | more than 5 years ago | (#28044533)

I think I had one of those & gave it to my 4 yr old nephew to play with / destroy it.

Re:Damn... (5, Funny)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#28044859)

You've turned him to a life of crime!!

Hahahaha. (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28044535)

Haha, that's awesome.
-Taylor

Hahahaha. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28044823)

Haha, your comment is retarded.
-Clay

Re:Hahahaha. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28045211)

And both of you have gay names.

-Derek Jeter

Re:Hahahaha. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28045467)

Haha, this comment thread is pointless. -Billiam

Hardware hack? (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28044577)

"The modified firmware is then uploaded to the Nokia 1100. Certain models of the 1100 used erasable ROM, which allows data to be read and written to the chip, Becker said."

If that's the case, how hard would it be to desolder a non-flashable ROM and replace it with one that is? It would certainly be more hassle than buying a phone already built that way, but with the right tools and enough effort, why wouldn't any phone be susceptible to this type of attack?

Re:Hardware hack? (0)

Anonymous Coward | more than 5 years ago | (#28044771)

I would think that any phone could be screwed with,.

From the article, it says they reprogram the phone so they can alter the IMSI(which I'm pretty sure is related to the SIM card in the phone and not the phone itself), IMEI (phone identifier), and then they clone a SIM card.

I'm not entirely sure what they are doing then. If they are cloning the SIM card (which I would want to guess includes the IMSI) then why do they need to modify the IMSI in the phone? (unless they are cloning a different SIM card and have the phone lie about the IMSI).

Of course, I don't know about cloning SIM cards or anything like that. My most interesting experience with SIM cards was when they activated it and gave us someone else's number (my sister's phone, the number's owner's girlfriend was very annoyed. (and it was a Texas rather than WA state number))

the real security defect (4, Insightful)

Gary W. Longsine (124661) | more than 5 years ago | (#28044791)

Correct. The real defect here isn't the phone, it's the system it's spoofing. This phone just makes it easier to construct the spoof.

Re:Hardware hack? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28044833)

you're assuming that each ic is independant, most times custom ic's are ordered for production runs to prevent exactly the kind of hack that you propose.

that and all the chips are Ball Grid Array contacts,ever tried to replace one? without a good workstation its damn near impossible.

Re:Hardware hack? (4, Informative)

dave562 (969951) | more than 5 years ago | (#28045007)

It probably isn't so much just the ROM, but also the code on the phone itself, and the amount of available room in the memory to work with. The hackers probably developed their code specifically for that phone, and are counting on memory addresses being in a particular place, and all sorts of other variables that have to be considered when writing assembly code for a specific piece of hardware.

Back in the day, everyone wanted an Oki 900 because it could store between 5 and 99 ESN/MIN pairs AND swap them on the fly. In theory, you could just use G2 and reprogram a Motorola flip phone, but that required a laptop and a loader phone. So sure, you could do the same with with a Motorola, but it was a lot easier to use an Oki. In the end though, the result was the same. You were able to make calls and not pay for them.

In the case of the Nokia phone, whoever developed the hack developed it for the Nokia 1100. They probably spent a lot of time reverse engineering/disassembling the original EEPROM and a lot of time hacking the code together to make it work.

Re:Hardware hack? (1)

citizenr (871508) | more than 5 years ago | (#28045989)

It probably isn't so much just the ROM, but also the code on the phone itself

erm the code is in the rom, FLASHROM

They probably spent a lot of time reverse engineering/disassembling the original EEPROM and a lot of time hacking the code together to make it work.

Except user authentication on GSM network is between Network and SIM card, PHONE is just a dump data pipe during that phase. This is just a scam.

Re:Hardware hack? (1)

dave562 (969951) | more than 5 years ago | (#28046169)

The code is in the ROM, but the code is specific to the phone. The user auth might happen on the GSM network, and sure it's between the network and the SIM, but the phone has to run the authentication code. The hacker obviously knows how the code runs on the Nokia 1100. To go back to the Oki 900 example, the Oki 900 was the phone of choice because of the hardware architecture of the phone. The Oki 910 was almost the exact same phone, but it couldn't do what the 900 could do. Similarly, while there are dozens of Nokia models and hundreds of GSM phones, the code that is being used to intercept SMS information from the banks was obviously developed for the Nokia 1100 and probably only works on the Nokia 1100. What makes you think it's a scam? Have you ever written assembly code for cell phones? Do you have any idea what you are talking about?

Is it possible that other phones could do the same thing? Sure it is. Someone even said that the iPhone might be able to do it. Does the guy who wrote the code originally want to redevelop it on another platform? Probably not. Do the people who purchased the code from some underground website have the expertise to port the code to another phone? More than likely not. They just know that they have some code and the only works on a Nokia 1100. That has nothing to do with being a scam, and everything to do with the way market forces work.

Re:Hardware hack? (1)

citizenr (871508) | more than 5 years ago | (#28045969)

EVERY SINGLE Nokia phone uses flash rom to store firmware. That alone makes me think its a hoax.

Its trivial to change IMEI. Its trivial to get IMSI. You CANT just use someone elses IMSI, you need at least ki.

and who the F is Ultrascan KPO?

This looks like a big fat scam to sell old stock of Nokias 1100 and this nobody Ultrascan is riding the scam wave trying to establish some good PR.

Correct use of the term (2, Interesting)

kidde_valind (1060754) | more than 5 years ago | (#28044579)

It's nice to see an example of correct use of "hacker" by the mainstream media, even if it's just by chance

still using one (5, Funny)

jaroslav (467876) | more than 5 years ago | (#28044613)

I've got one of these in my pocket right now. Do you think it would raise any suspicion if I posted it on eBay now?

Nokia 1100 L000000K! RARE! HACK BANKS!!!

Re:still using one (1)

Acer500 (846698) | more than 5 years ago | (#28044975)

LOL I have one too.

My newer phones have all been stolen :( - I've been mugged for a bad camera/mp3 phone over here, it's pathetic, so I refuse to buy a new one.

I thought I was safe carrying this old phone, now it might be even more of a target than a new phone, how ironic (though this kind of stuff is not happening here in Uruguay - we're still 5-10 years behind Europe as always).

Re:still using one (1)

Squeeonline (1323439) | more than 5 years ago | (#28045383)

Wonder how much I could get for my old phone sitting in the drawer next to me. couple of grand wouldnt go a miss!

Re:still using one (4, Funny)

syousef (465911) | more than 5 years ago | (#28045517)

Do you think it would raise any suspicion if I posted it on eBay now? Nokia 1100 L000000K! RARE! HACK BANKS!!!

A++++++ thief. Would steal with him again!

Nokia: 1 - Apple: 0 (5, Funny)

Jonas Buyl (1425319) | more than 5 years ago | (#28044619)

Smart move from Nokia trying to outsell the iPhone

Re:Nokia: 1 - Apple: 0 (3, Informative)

kovari (34550) | more than 5 years ago | (#28044971)

Actually, this particular model outselled iPod. All models.

Re:Nokia: 1 - Apple: 0 (4, Informative)

Keruo (771880) | more than 5 years ago | (#28045085)

Trying to outsell?

Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
(http://www.engadget.com/2005/09/21/nokia-crosses-one-billion-mark/)

Although something tells me that Nigeria isn't neccessarily most prominent market for apple, since price of an iphone is equal to one years salary for an average nigerian.

Re:Nokia: 1 - Apple: 0 (2, Funny)

megamerican (1073936) | more than 5 years ago | (#28045411)

Trying to outsell?

Nokia's one billionth phone sold was a Nokia 1100 purchased in Nigeria.
(http://www.engadget.com/2005/09/21/nokia-crosses-one-billion-mark/)

Although something tells me that Nigeria isn't neccessarily most prominent market for apple, since price of an iphone is equal to one years salary for an average nigerian.

They seem to have a lot of royalty. Maybe Apple should go after them.

Re:Nokia: 1 - Apple: 0 (5, Funny)

SydShamino (547793) | more than 5 years ago | (#28045721)

Although something tells me that Nigeria isn't neccessarily most prominent market for apple, since price of an iphone is equal to one years salary for an average nigerian.

That's just because the average Nigerian's money is caught up in an off-shore bank account, and we aren't doing our part to help them access the funds despite the generous offer of 10% commission.

Re:Nokia: 1 - Apple: 0 (0)

Anonymous Coward | more than 5 years ago | (#28046013)

I know plenty of millionaires in Nigeria, they email me all the time.

Re:Nokia: 1 - Apple: 0 (0)

Anonymous Coward | more than 5 years ago | (#28046037)

That's great! Now I can use my Nokia 1100 to finally collect the $30 million dollars promised to me by the Nigerian High Commissioner of Treasury and Banking. That's so much more convenient than sending him $4000 dollars and waiting for the check to come in the mail.

I hope the mail person hasn't picked up the mail yet.

I have that phone (0)

Anonymous Coward | more than 5 years ago | (#28044691)

My fried gave me his because he got a new one and he knew I like to take stuff apart, but sadly I don't live in Europe, so I can't sell it (at least easily) for some quick cash.

They're just reprogramming the IMEI and IMSI... (4, Interesting)

admiralfrijole (712311) | more than 5 years ago | (#28044713)

from tfa: That application allows a hacker to decrypt the Nokia 1100's firmware, Becker said. Then, the firmware can be modified and information such as the IMEI (International Mobile Equipment Identity) number can be changed as well as the IMSI (International Mobile Subscriber Identity) number, which allows a phone to register itself with an operator.

Uh... this ability is hardly unique to this device, I have a feeling there's something else they're not telling us.

Re:They're just reprogramming the IMEI and IMSI... (2, Interesting)

Pinky's Brain (1158667) | more than 5 years ago | (#28044915)

They are probably eavesdropping only, if complete SIM cloning without physical access was possible with just a modified phone that would be much bigger news than this.

Re:They're just reprogramming the IMEI and IMSI... (3, Informative)

internerdj (1319281) | more than 5 years ago | (#28044919)

It was probably just set up so that it was easy to do compared to other phones. When I worked for LG's Cell division there was a hidden password protected menu on some models for changing any of the firmware settings, finding the menu would have been next to impossible but the default password was something similar to 8 0's. While this sounds a bit more complex my guess would be they did something stupid with the flash updater like not put any protections on the firmware downloads.

Re:They're just reprogramming the IMEI and IMSI... (5, Interesting)

Viraptor (898832) | more than 5 years ago | (#28045009)

Agreed - the explanation seems weird. I'm not sure about Nokia patching scene, but most of the Siemens *45, *55, *65 phones could be completely reprogrammed and were well understood. SL45 was one of the best examples - it's annotated assembler firmware was so nice to work with that people simply wrote binary patches in assembler, or used C compiler + binary patched some jump addresses. There were complete design notes circulating on P2P networks. I'm not sure what can be so specific to Nokia 1100 that they don't want to reprogram any other device.

Even better - if they're good enough to reprogram Nokia to interact directly with SIM and GSM module, why won't they just buy GSM modules themselves and clone some random SIM cards? It's not like GSM transmitters are some controlled goods available only to Nokia et al. If you can afford 100 of them, they should be quite easy to obtain.

So yeah - it seems there's something more going on here. Or they're just some script kiddies who bought a "hacking technique" from someone more advanced and now they can only replicate the issue on that one device.

Re:They're just reprogramming the IMEI and IMSI... (2, Informative)

bhtooefr (649901) | more than 5 years ago | (#28045471)

Knowing the general gist of how cellular protocols work, I don't think there is anything they're not telling us. It's just that most phones don't have reprogrammable IMEIs, for very obvious reasons.

Although, I didn't think GSM phones even authenticated via the IMEI normally, just via the info on the SIM, so cloning the SIM would be enough. Guess I was wrong.

CDMA phones do authenticate via the MEID or ESN (or pESN, an encoded form of the MEID, for backwards compatibility with equipment that can't handle MEIDs,) meaning such an attack would be VERY effective on CDMA. And, a lot of older CDMA equipment has the ESN such that it's not too hard to reprogram with the right software.

Re:They're just reprogramming the IMEI and IMSI... (1)

jimicus (737525) | more than 5 years ago | (#28045897)

Knowing the general gist of how cellular protocols work, I don't think there is anything they're not telling us. It's just that most phones don't have reprogrammable IMEIs, for very obvious reasons.

Although, I didn't think GSM phones even authenticated via the IMEI normally,

They certainly do as part of the initial authentication otherwise it would be impossible for the network operator to blacklist stolen phones.

Re:They're just reprogramming the IMEI and IMSI... (1)

citizenr (871508) | more than 5 years ago | (#28046059)

It's just that most phones don't have reprogrammable IMEIs

Most do, its not user reprogrammable, but every corner GSM shop in Europe can do it with repair tools they use.

Although, I didn't think GSM phones even authenticated via the IMEI normally

they dont

so cloning the SIM would be enough.

good luck trying to clone sim cards now, we are long past comp128v1

you're not laughing now (1)

wjh31 (1372867) | more than 5 years ago | (#28044715)

ha! now i feel better for having an ancient phone, and i thought the only good bit was being able to freely toss the phone on the floor without breaking it

A certain factory (0, Troll)

Hognoxious (631665) | more than 5 years ago | (#28044777)

Is this one particular factory in China, by some chance?

Re:A certain factory (2, Informative)

Acer500 (846698) | more than 5 years ago | (#28045003)

Is this one particular factory in China, by some chance?

No, if you happened to read the article you'd find out it was the Bochum, Germany factory.

Re:A certain factory (0)

Anonymous Coward | more than 5 years ago | (#28045639)

Is this one particular factory in China, by some chance?

Kind of what I was thinking. There has to be more to this than simply being able to reprogram the chips.

I'll hazard a guess that a manufacturing defect or design flaw required some type of hack or work-around in the bank security mechanism for this chipset to function properly.

Kudos to the Crooks (4, Funny)

alta (1263) | more than 5 years ago | (#28044813)

Here on /. we're always bragging about find good use for old hardware. Well these guys did just that, and now you're going to chastise them for it.

You people have been asking for us to recycle our electronics for years now, bitching about throwing away cell phones, and their toxic batteries. This guys deserve some sort of award for this.

Good job
where can I get one?

Re:Kudos to the Crooks (1)

Farmer Tim (530755) | more than 5 years ago | (#28045011)

This guys deserve some sort of award for this.

The cash prize should be enough.

So who will be fired (2, Insightful)

bugs2squash (1132591) | more than 5 years ago | (#28044815)

For implementing such a flawed banking transaction protocol.
Don't bother replying, I know the answer is no-one.

Re:So who will be fired (5, Insightful)

jimicus (737525) | more than 5 years ago | (#28045029)

A number of people in IT seem to believe that the only acceptable form of security - particularly as it relates to anything remotely important - is one which is not susceptible to any sort of attack, real or theoretical, until some time after the heat death of the universe.

Banks don't. They know full well that there will always be a certain amount of fraud no matter what you do.

Every change you want to make to the bank's system costs - in man hours to develop, test and deploy the fix and also in terms of the risk of something going wrong when you come to deploy, Most of these costs can be boiled down to cold hard cash. If making the necessary changes will cost more than the amount of fraud it's expected to prevent, don't be surprised to see nothing change.

Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.

Re:So who will be fired (1)

bugs2squash (1132591) | more than 5 years ago | (#28045235)

I did not expect the bank to develop a new form of security so much as implement an established system reasonably well.
It is not as if methods for authentication, non-repudiation, encryption and key exchange need to be re-invented every time a new application shows up for them.

Re:So who will be fired (1)

Hatta (162192) | more than 5 years ago | (#28045275)

Every change you want to make to the bank's system costs - in man hours to develop, test and deploy the fix and also in terms of the risk of something going wrong when you come to deploy, Most of these costs can be boiled down to cold hard cash. If making the necessary changes will cost more than the amount of fraud it's expected to prevent, don't be surprised to see nothing change.

So if you want to reduce fraud, make banks financially responsible for it. Real security can be had, if they had financial incentives to design truly secure systems.

Re:So who will be fired (1)

markhahn (122033) | more than 5 years ago | (#28045733)

nah. bank people can be as short-sighted as any other human, prone to compromises without sufficient worst-case thinking. notice the economy recently?

the problem isn't just quantitative (so to speak), but rather qualitative: people who work on bank protocols need to study math and CS, not actuarial/stats/accounting. good protocols hold water and can be upgraded without disruption as components become unacceptably weak.

Oh they do, do they? (2, Funny)

hellfire (86129) | more than 5 years ago | (#28045991)

Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.

I would have had faith in that statement before the credit crisis of 2008 took hold.

Re:So who will be fired (0)

Anonymous Coward | more than 5 years ago | (#28045755)

Given how cartelized international banking is, I suspect there were several promotions in order for the guys who designed the system.

Nokia 1100 (1)

Niris (1443675) | more than 5 years ago | (#28044877)

People are paying thousands of euros for that junkie phone? I have one . YES! may actually be able to pay for this year at university

This is not possible (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28044967)

I asked myself a few questions after reading this, as I am kinda familiar with baseband (phone modem) firmwares and mobile network security.

Why are 1100 sold that expessive? You can do the same with the iPhone baseband pretty easy, same goes for blackberry and nearly any available HTC, there are even tools for that any moron can use.

Why change IMSI? IMSI is taken from the simcard usally.

Also cloning simcards is not that trival, this works only for old sims, so the criminal needs to obtain the sim from the victim to clone it and the process of brute forcing old simcards to clone them usally breaks the original ( I done that myself ).

So where is the trick and why should this be interesting for a criminal? I donâ(TM)t get the whole story reported. Stuff needed to do this trick, including the victims simcard is that hard to get, itâ(TM)s easier for a criminal to steal a TAN block from the victims desk.

Re:This is not possible (1)

sexconker (1179573) | more than 5 years ago | (#28045155)

The trick is the wise guy working at the cell phone store.

what is needed for this to work...??? (5, Interesting)

broomer (209132) | more than 5 years ago | (#28045113)

1. physical access to SIM-card to get the IMSI
2. info on bank account / phone number
3. hacking in PC/internet connection to determine if/when the code is used.
4. raise no suspicion when a code is sent and not received by the original recipient, and recipient is not able to call/being called or send/receive text because the original phone will be blocked until it is paired again with the GSM-system (power cycled)
5. you need to have a bank that does have this system. (mine does not)

so not as viable as it looks.

Re:what is needed for this to work...??? (1)

Z_A_Commando (991404) | more than 5 years ago | (#28045227)

Oh is that all?

I guess we now know what the ellipses is in:

  • Acquire Nokia 1100 Phone made in Germany
  • ...
  • Profit!

All kidding aside though, it can't be considerably harder than doing it the "old fashioned way" if black hats are actually going to all that trouble

Re:what is needed for this to work...??? (2, Interesting)

Reality Master 201 (578873) | more than 5 years ago | (#28045363)

1. physical access to SIM-card to get the IMSI

Not necessarily - phones transmit the IMSI to the network, and there's known flaws in the encryption scheme GSM uses (and some carriers don't use encryption, though it's not very common, AFAIK). It's plausible that those two would get you the IMSI.

Re:what is needed for this to work...??? (1)

Pulse_Instance (698417) | more than 5 years ago | (#28045533)

Sure it is a lot of work, but you only need to have it work once on a targeted individual for it to be very profitable. From stories I've seen here and elsewhere these criminals have large networks so it probably isn't that hard for them to pay someone to target a specific person and steal their SIM card.

crack bank accounts? (5, Funny)

IlluminatedOne (621945) | more than 5 years ago | (#28045215)

There's an app for that...

Just one question: (2, Insightful)

Hurricane78 (562437) | more than 5 years ago | (#28045247)

What crazy bank sends *TANs to mobile phones in the first place?? Even this possibility would be a reason for me to terminate the contract.
I really recommend chipcard based systems. I use a class 2 terminal, and HBCI. It's not only much more comfortable, it's also on a completely different level in terms of security.
(In case you do not know how it works: Everything between the chipcard controller and the bank system basically only forwards encrypted packets. And if anything meddles with them, it detects this. You need the card, and a code of six numbers, and the server associates a user with that login. Every transaction that follows this, has to be accepted by the chipcard/terminal. The ones with keypads *and* displays are the most secure, because they show the details of the transaction *on* the terminal, and you have to say ok *with* that terminal. So the only open hole that I know of, is physical tinkering with the card and the terminal. Which still would be pretty hard, but not impossible. But if anyone can do this, I'm fucked anyway. ^^ [Oh, and of course, if you know of any problems with this system, I'm happy to hear them.])

Bad protocol design (1)

Locke2005 (849178) | more than 5 years ago | (#28045251)

If the authentication protocol relies on the client not spoofing another client, then the authentication protocol if profoundly broken. I don't see why this specific phone is required; you should be able to build hardware from scratch to do this or even do most of it in software.

Re:Bad protocol design (1)

rtfa-troll (1340807) | more than 5 years ago | (#28046003)

The protocol does not. It has other flaws (lack of authenticaion of the network by the mobile; only the other way round), but none as basic as some people seem to be claiming.

the article says cloning a SIM is trivial (2, Interesting)

YesIAmAScript (886271) | more than 5 years ago | (#28045287)

But isn't that actually the tough part? That's the whole key to GSM.

Cloning a SIM is supposed to be non-trivial and should be nigh-impossible if you cannot get physical access to the person's SIM. I know there was an issue where the secret keys in the SIMs weren't random enough, but that's a long time ago now, newer SIMs are not subject to that problem.

As to the thing about erasable ROM, I thought something like the iPhone 1G had been completely pwned and should be as subject to an IMEI cloning hack as any of these phones.

Client Security (0)

Anonymous Coward | more than 5 years ago | (#28045381)

You should NEVER rely on the client in a network security model.
Maybe the phone system as it was designed has no other way to work other then to rely on an existing trust relationship with the host but it could have been designed a different way, or at least one that could be revoked or challenged with a new key or mechanism if needed.

I can understand something like CSS/DeCSS where the exchange is local and a revokation being bypassed but at least there was a system that could revoke, how could a phone system that has live two way communication not have incorporated something like that?

Probably the same as the US laws that make it ilegal to listen to analog cell phones, it was easier and cheaper to beg for forgiveness and get laws changed than to implement a better secure model from the start.

asdfghjkl (1)

asdfghjkl__1 (1559691) | more than 5 years ago | (#28045543)

Eh? Well, a Nokia is a very crappy phone to own (from first person perspective). But I guess it's finally good for something! (Disregard the "hack" only proves it's even more poorly programmed by Nokia's Finnish programmers). I doubt making the "hack" was even hard in the first place.

Nokia DCT4 security (5, Informative)

Mulder3 (867389) | more than 5 years ago | (#28045585)

This article is plain stupid, Nokia 1110 has nothing than other phones in the same Nokia DCT4 family don't have, while DCT4 firmwares can be decrypted, Nokia DCT3 phones(Nokia 3310, etc) are much more well suited for this job, given the fact that already exists an open source(GPL) firmware in C for this devices... And about SIM cloning, YOU CANÂT clone a GSM SIM card in seconds!!!! The most advanced software for clone SIM cards(SimScan - http://users.net.yu/~dejan/ [users.net.yu] ) still has to do some brute-force to extract the Ki key, witch is designed to never leave the card, while we can extract IMSI with no problems , to clone a SIM card, you need two values: IMSI and Ki, and without Ki, IMSI is worthless...

The why feature. (1)

anonymousNR (1254032) | more than 5 years ago | (#28045745)

I don't understand why banks want to extend their services on to every single device out there including a refrigerator.

Recently I was opening an account with Target
and asked me to send out fax of my id and ssn card.

The lady was assuring me about how secure the fax line is.

I simply withdrew from opening the account.

Clueless Nokia again (1)

JuniorJack (737202) | more than 5 years ago | (#28045815)

"We have not identified any phone software problem that would allow alleged use cases,"

Nokia are completely clueless as usual. Nokia 1100 belongs to the dct4 generation of phones. Security is based on safer-k64 (symmetric algo for all important stuff) and simple vhdl logic for encrypting/decrypting instructions from Flash memory. All security, hidden bootrom - completely hacked in 2001.

Even latest Nokia models (BB5 generation) running OMAP trust zone are fully cracked, except for a small issue of making fully blank boards running without IMEI certificate. All the rest - spaggeti mix of soft implemented AES, SHA and badly implemented RSA1024 have been hacked/circumvented.

Red Mercury? (1)

mikeee (137160) | more than 5 years ago | (#28045829)

Further, police have announced that Nokia phones other than the 1100s with prime serial numbers contain no red mercury.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>