Wednesday, May 27, 2009

 

Nokia: We don't know why criminals want our old phones

Jeremy Kirk, IDG News Service 04.21.2009

The mystery of why cybercriminals want a discontinued Nokia phone isn't getting any clearer.

Hackers have been offering up to €25,000 (US$32,413) in underground forums for Nokia 1100 phones made in the company's former factory in Bochum, Germany. The phone can allegedly be hacked so as to facilitate illegal online banking transfers, according to the Dutch company Ultrascan Advanced Global Investigations.


Nokia said on Tuesday it is not aware that resale prices for a phone that retailed for less than €100 when it debuted in 2003 have risen so high. Further, Nokia maintains the phone's software isn't flawed.

"We have not identified any phone software problem that would allow alleged use cases," the company said in an e-mailed statement.

The 1100 can apparently be reprogrammed to use someone else's phone number, which would also let the device receive text messages. That capability opens up an opportunity for online banking fraud.

In countries such as Germany, banks send an mTAN (mobile Transaction Authentication Number) to a person's mobile phone that must be entered into a Web-based form in order to, for example, transfer money into another account. A TAN can only be used once, a security feature known as a one-time passcode.

Criminals have proven adept at obtaining people's user names and logins for online bank accounts, either through tricking people into visiting look-alike bank Web sites, through clever e-mail messages or simply hacking PCs.

European banks typically issue customers a list of TANs, but phishers tricked people into revealing those. Deutsche Postbank used to accept any TAN from the list to complete a transaction. Then the bank moved to requesting specific TANs from the list. After continuing fraud, it decided in 2005 to expand the use of mTANs.

"The mTAN is valid only for the requested transfer and only for a short period," according to the bank's Web site. "It thus has no value for a fraudster."

That is, unless the hacker could also receive the mTAN, which the Nokia 1100 hack allegedly allows.

Nokia said it doesn't know of an 1100 software problem that would allow call spoofing. The company said that a phone's SIM (Subscriber Identity Module) card -- which holds the device's phone number -- has security mechanisms that are separate from the phone itself.

Nokia said it is aware of commercial services that claim to provide caller identification or phone-number spoofing services, but in those cases the service provider acts as a proxy between the caller and the recipient.

But it is possible to have multiple phones running on a service provider's network that use the same phone number, said Sean Sullivan, a security advisor with the security vendor F-Secure in Finland. Usually, the last phone that used the network will be the one that receives inbound messages, he said.

"So if this particular Nokia 1100 can be modified to spoof the victim's phone number, it should be possible to become the primary handset -- at least long enough to receive the TAN," Sullivan said.

Technical details on how the 1100 is being modified are still unknown, said Frank Engelsman of Ultrascan. However, a woman in Finland contacted his company on Monday after seeing a news story and offered to send her Bochum-made Nokia 1100. When it arrives, the phone will be examined and tested to see if the TAN interception can be replicated, Engelsman said.

Meanwhile, a Dutch technology site, portablegear.nl, wrote that it placed a fake advertisement for the particular Nokia 1100 on an online marketplace. People offered as much as €500, offering to immediately come pick up the device.

Nokia produced more than 200 million devices in the 1100 model family. The company said it doesn't disclose figures such as how many 1100s were made in Bochum.



 

Investigators replicate Nokia 1100 online banking hack

Jeremy Kirk, IDG News Service 05.21.2009

An old candy-bar style Nokia 1100 mobile phone has been used to break into someone's online bank account, affirming why criminals are willing to pay thousands of euros for the device.

Using special software written by hackers, certain models of the 1100 can be reprogrammed to use someone else's phone number and receive their SMS (Short Message Service) messages, said Max Becker, CTO of Ultrascan Knowledge Process Outsourcing, a subsidiary of fraud investigation firm Ultrascan.


The Nokia 1100 hack is powerful since it undermines a key technology relied on by banks to secure transactions done over the Internet.

Banks in countries such as Germany and Holland send a one-time password called an mTAN (mobile Transaction Authentication Number) to a person's phone in order to allow, for example, the transfer of money to another account.

Since the Nokia 1100 can be reprogrammed to respond to someone else's number, it means cybercriminals can also obtain the mTAN by SMS. Cybercriminals must already have a person's login and password for a banking site, but that's easy since millions of computers worldwide contain malicious software that can record keystrokes.

Ultrascan obtained Nokia 1100 phones made in Bochum, Germany. Phones made around 2003 in that now-closed factory have the firmware version that can be hacked, Becker said. Nokia has sold more than 200 million of the 1100 and its successors, although it's unknown how many devices have the particular sought-after firmware.

Ultrascan was able to successfully reprogram an 1100 and intercept an mTAN, but just one time. Becker said they are undertaking further tests to see if the attack can be executed repeatedly.

"We've done it once," Becker said. "It looks like we know how to do it."

Ultrascan experts obtained the hacker software to reprogram the phone through its network of informants, said Frank Engelsman, a fraud and security specialist with the company.

That application allows a hacker to decrypt the Nokia 1100's firmware, Becker said. Then, the firmware can be modified and information such as the IMEI (International Mobile Equipment Identity) number can be changed as well as the IMSI (International Mobile Subscriber Identity) number, which allows a phone to register itself with an operator.

The modified firmware is then uploaded to the Nokia 1100. Certain models of the 1100 used erasable ROM, which allows data to be read and written to the chip, Becker said. For the final step, the hacker must also clone a SIM (Subscriber Identity Module) card, which Becker said is technically trivial.

Nokia, which was closed on Thursday due to a holiday, could not be contacted. However, the company has said it does not believe there is a vulnerability in the 1100's software.

Becker said that may be semantically true; however, it's possible that the encryption keys used to encrypt the firmware have somehow slipped into the public domain. "We would really like to speak with Nokia," Becker said.

Ultrascan was also able to confirm that criminals are willing to pay a lot of money for the right Nokia 1100. An Ultrascan informant sold one of the devices recently in Tangiers, Morocco, for €5,500 (US$7,567), Engelsman said. Ultrascan confirmed earlier this year that one Nokia 1100 sold for €25,000.

Ultrascan, which specializes in tracking criminals involved in Internet and electronic fraud, is trying to trace criminals who are using Nokia 1100s in online banking frauds.

"We keep trying to infiltrate these groups," Engelsman said.
