Scammers are reportedly prepared to pay €25,000 for German Nokia 1100 handsets, on the basis that they can be reprogrammed to intercept SMS messages and thus crack banking security. The claim comes from Ultrascan, a security association that generally follows up 419 scams and ID theft. Ultrascan tells us it was approached by …
They contain "Red Mercury"
... give the scammers the warning then ?
Surely it'd be much better to let them bankrupt themselves buying useless gear rather than spending it somewhere more productive to them.......
Perhaps you should have raved about how effective these handsets really are in this situation .....
(and there was me thinking I'd get a premium price for my old Nokia.....)
What are the odds...
...that this rumour can be tracked backed to a German guy with a warehouse full of 1100s that he can't get shot of?
A quick search of eBay.de doesn't seem to indicate that Nokia 1100s are selling at all, never mind for silly money.
This story has spread like wildfire without much evidence to back any of it up. It sounds like bullshit. Good work on not getting fooled like every other tech site copying and pasting this piece of crap!
I give it 10 days before there is a sudden flood of knock-off 1100s coming in from China. Now if you'll excuse me, I have some long distance calls to make to some friends in Shanghai.
The real reason
I heard they can do it because of the red mercury they contain.
That's exactly what I thought too.....
Great minds / Fools?
Money in the penny jar
"We put these technical issues to Ultrascan who told us that they "did not investigate [the technical] part", but are hoping to get hold of a '1100 for testing in the next few days to see what is possible."
Better start saving up then, Ultrascan... unless you've got €25k sitting in the penny jar already
I'm considering paying over the odds for an old Moto V66. I'm no scammer, it's just I've not liked a phone since that one got nicked.
Please shut up
Me and my friend Hans were onto a good thing until this article came along!
@ Or maybe!
You saw this item to, did you?
Pete Foster, did you check if the models on sale were the exact models made in Bochum 2002? (I'm referring to this article: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=114589 - it mentions this small detail not said here)
Isnt it strange how its only the german handset. Im thinking a comspiracy theory to help drive sales for some poor guy with a load on boxes.
Well if they want
an 1100 they can have the one in my desk drawer for a much more reasonable price
Er . . .
As indicated in the article GSM uses multiple keys to ensure end to end cryptography. This is performed between the SIM and the network (not the handset!), primarily the MSC and HLR (specifically the AUC functionality).
So the actually device itself should theoretically be irrelevant as using a lot of GSM modules you can read, modify (including: header, PID, DCS etc.) and send SMS. That is using an application on your PC. I'm failing to see how the handset in use would make any difference at all.
I'm not even sure if any banking SMS's contain further useful information beyond the actual content and perhaps the PDU. In which case all you'd get is metadata, and the A party is hopefully a secure gateway anyway. Even so any would be fraudster should be transferring these to a PC anyway, so again why the need for this model Nokia?
Everything sounds very dubious about this to me and I wouldn't be at all surprised if Steve was right!
On the other hand......
The only way I can think this could work is if the hackers managed to scam the Bank Account holders IMEI and IMSI (SIM Card Number).
It wouldn't surprise me if the 1100 can be reprogrammed to accept a spoofed IMSI without a clone of the SIM card and can have it's IMEI changed to duplicate the holders phone. It may well be that the 1100 only requests the IMSI once on startup and stores it in RAM. If the hackers probe the ram and rewrite......well, you can guess the rest.
When the GSM network sends the SMS out, the duplicate phone would also be in receipt of the message, as it's encryption status would show the correct IMEI and IMSI registered on the HLR and as long as the handset was on a BTS/BSC registered to the same MSC, it 'May' get through. The only networks that would be vulnerable though are likely to be those that support multiple sim cards, i.e. for Car Phones etc.
If there is any truth to this, expect any existing Nokia 1100's to stop working soon (Then can do this via IMEI for non-changed ones) and for the networks to free issue a new mobile to any Customer who complained.
Having said all this, I can't see it happening tbh.
Ve haff vays ov making you SMS!
@Graeth Davies - No!
How does having the IMSI help when the radio comms are encrypted?
Without cloning the SIM you may be able to receive the message, but you can't decrypt it!
This "hack", if it even exists, is absolutely useless, at least in the security system my bank uses. One specific mTan can only be used to authorize one specific transaction. And the online banking of my bank doesn't allow multiple logins. So how in heaven would an (used) mTan be of any interest to anyone??
@ Gareth Davies
Even then, you with your "spoofed" phone would have to be within range of the *same* base station as the "real" one. The GSM network always knows which base station any phone is using, so SMS messages for any phone *only* go through that phone's closest base station (or, get cached until some base station spots the phone waking up). It's not like the old VHF paging, where any message gets broadcast from all base stations in the hope that the right person is listening!
Also, two phones with apparently the same IMEI and IMSI within range of two widely-separated base stations should be flagged as an error condition.
An Alternative Explanation
High prices for relatively useless items can also indicate money laundering activities.
Not quite.....the BTS is simply an RF Front End in many deployed networks, with the BSC handling all encryption exchanges and switching functions.
If the Phone is asociated with the same BSC and in some cases even the same MSC, the SMS can get sent out on a broadcast basis, rather than a host-client basis. This is to ensure delivery without multiple attempts from an individual BSC, i.e. it sends to all/several BTS's connected to the BSC simultaneously, however this is not the method I expect the black hats to use as it is rarely implemented other than on small networks such as private GSM PBX's.
I believe the way to do it would be to force the handset to re-register continually with the Network, forcing updates to the HLR and ensuring that the SMS is directed to the fraudulent handset as the SMSC requests the current status of the recipient handset and the HLR informs the SMSC which MSC/BSC the handset currently resides on. Since the encryption key is generated as a function of the IMSI and IMEI.............well you can see the rest.
Also, @ Mark think GSM encryption is that good do you?
These encryption methods can and are broken on a regular basis, 3GPP has made it more secure, but not unbreakable.
Money for old phones
One of my mates used to lug around a godawful old brick of a phone for one simple reason - it radiated at 4W instead of the measly .4W of newer kit. HE never had a problem with loss-of-signal.
Dunno if he's still got it - we lost touch...
@ Gareth Davies
The encryption key depends not only on the IMEI and IMSI, but also on a code which is stored on the SIM at manufacture time (and a copy transferred separately to the HLR), never sent over the air and not even directly accessible via the SIM's smartcard interface -- though this would almost certainly be vulnerable to some sort of known-plaintext attack. If there was a way to get this code from a badly-made SIM, it would not depend on a particular handset model but on a particular batch of SIMs.
If you want truly secure communications, stick to cocoa tins and string.
Nokia 1100 for sale...
... only one German owner.
Er . . . x2
@ Gareth Davies Wed 22 April 2009 10:04
I think you've got mobility management in the core network side of things a bit mixed up. But more importantly what network has BTS's (or any node/element/host) that isn't individually addressed? Or rather phones that aren't locatable! I'd suggest you read: Wiley - GSM - Architecture, Protocols and Services, 3rd Edition.
Also as A J Stiles quite rightly said the Ki is securely loaded onto the network and SIM. So no further communication beyond manufacture is required. "The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AUC. This Ki is never transmitted between the AUC and SIM, but is combined with the IMSI to produce a challenge/response for identification purposes and an encryption key called Kc for use in over the air communications."* Further authentication measures are involved. . . GSM is not as easy to hack as Hollywood makes it. Unless it involves an insider.
*http://en.wikipedia.org/wiki/GMSC#Authentication_centre_.28AUC.29 - Yeah it's Wikipedia but it's actually pretty much accurate in this case.
@ AC 19:58
I expect the Ki would be vulnerable to a convoluted known-plaintext attack, but I can't see how this would be dependent upon a particular model of handset. Even if it has a diagnostic mode that reveals more than most, it can't do anything that can be done using any computer and some Open Source software
It's far more plausible that this is simply a myth, like the sewing machine hoax, which someone has created to inflate the value of something that should ordinarily not be worth much.
Mobile banking phone hacks.
Apparently the early models of the HTC Touch can intercept and change mobile banking transactions without needing a cloned SIM at all. You don't even have to be in the same country, let alone on the same cell tower.
There. Now all I need to do is wait a bit for Google to do its stuff, put mine on eBay and a nice, shiny new HTC Touch Pro 2 shall be mine for no additional expense, with enough change out of the deal to buy a new motorcycle......
It's a plan (sounds like it might be someone elses, but I'm not above plagiarism for profit).
- Breaking news: Google exec in terrifying SKY PLUNGE DRAMA
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Google CEO Larry Page gives Sundar Pichai keys to the kingdom
- Adobe spies on readers: EVERY DRM page turn leaked to base over SSL