back to article €25k for an old Nokia handset?

Scammers are reportedly prepared to pay €25,000 for German Nokia 1100 handsets, on the basis that they can be reprogrammed to intercept SMS messages and thus crack banking security. The claim comes from Ultrascan, a security association that generally follows up 419 scams and ID theft. Ultrascan tells us it was approached by …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    Or maybe!

    They contain "Red Mercury"

  2. James
    Unhappy

    Why ....

    ... give the scammers the warning then ?

    Surely it'd be much better to let them bankrupt themselves buying useless gear rather than spending it somewhere more productive to them.......

    Perhaps you should have raved about how effective these handsets really are in this situation .....

    (and there was me thinking I'd get a premium price for my old Nokia.....)

  3. Steve

    What are the odds...

    ...that this rumour can be tracked backed to a German guy with a warehouse full of 1100s that he can't get shot of?

  4. Pete Foster

    eBay.de

    A quick search of eBay.de doesn't seem to indicate that Nokia 1100s are selling at all, never mind for silly money.

  5. Anonymous Coward
    Thumb Up

    Good work!

    This story has spread like wildfire without much evidence to back any of it up. It sounds like bullshit. Good work on not getting fooled like every other tech site copying and pasting this piece of crap!

  6. Eddy Ito
    Thumb Up

    Splendid!

    I give it 10 days before there is a sudden flood of knock-off 1100s coming in from China. Now if you'll excuse me, I have some long distance calls to make to some friends in Shanghai.

  7. This post has been deleted by its author

  8. Fred

    The real reason

    I heard they can do it because of the red mercury they contain.

  9. CreamyInTheMiddle
    Go

    @Steve

    That's exactly what I thought too.....

    Great minds / Fools?

  10. Ross Fleming
    Coat

    Money in the penny jar

    "We put these technical issues to Ultrascan who told us that they "did not investigate [the technical] part", but are hoping to get hold of a '1100 for testing in the next few days to see what is possible."

    Better start saving up then, Ultrascan... unless you've got €25k sitting in the penny jar already

  11. Code Monkey

    Moto V66

    I'm considering paying over the odds for an old Moto V66. I'm no scammer, it's just I've not liked a phone since that one got nicked.

  12. Frank

    Please shut up

    Me and my friend Hans were onto a good thing until this article came along!

  13. Anonymous John
    Happy

    @ Or maybe!

    You saw this item to, did you?

    http://news.bbc.co.uk/1/hi/world/middle_east/7999168.stm

  14. UltimateSephiroth

    Re: eBay.de

    Pete Foster, did you check if the models on sale were the exact models made in Bochum 2002? (I'm referring to this article: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=114589 - it mentions this small detail not said here)

  15. Anonymous Coward
    Happy

    Only German?

    Isnt it strange how its only the german handset. Im thinking a comspiracy theory to help drive sales for some poor guy with a load on boxes.

  16. Rob Crawford

    Well if they want

    an 1100 they can have the one in my desk drawer for a much more reasonable price

  17. Anonymous Coward
    Boffin

    Er . . .

    As indicated in the article GSM uses multiple keys to ensure end to end cryptography. This is performed between the SIM and the network (not the handset!), primarily the MSC and HLR (specifically the AUC functionality).

    So the actually device itself should theoretically be irrelevant as using a lot of GSM modules you can read, modify (including: header, PID, DCS etc.) and send SMS. That is using an application on your PC. I'm failing to see how the handset in use would make any difference at all.

    I'm not even sure if any banking SMS's contain further useful information beyond the actual content and perhaps the PDU. In which case all you'd get is metadata, and the A party is hopefully a secure gateway anyway. Even so any would be fraudster should be transferring these to a PC anyway, so again why the need for this model Nokia?

    Everything sounds very dubious about this to me and I wouldn't be at all surprised if Steve was right!

  18. Gareth Davies

    On the other hand......

    The only way I can think this could work is if the hackers managed to scam the Bank Account holders IMEI and IMSI (SIM Card Number).

    It wouldn't surprise me if the 1100 can be reprogrammed to accept a spoofed IMSI without a clone of the SIM card and can have it's IMEI changed to duplicate the holders phone. It may well be that the 1100 only requests the IMSI once on startup and stores it in RAM. If the hackers probe the ram and rewrite......well, you can guess the rest.

    When the GSM network sends the SMS out, the duplicate phone would also be in receipt of the message, as it's encryption status would show the correct IMEI and IMSI registered on the HLR and as long as the handset was on a BTS/BSC registered to the same MSC, it 'May' get through. The only networks that would be vulnerable though are likely to be those that support multiple sim cards, i.e. for Car Phones etc.

    If there is any truth to this, expect any existing Nokia 1100's to stop working soon (Then can do this via IMEI for non-changed ones) and for the networks to free issue a new mobile to any Customer who complained.

    Having said all this, I can't see it happening tbh.

  19. Anonymous Coward
    Pirate

    The Germans

    Ve haff vays ov making you SMS!

  20. mark
    Thumb Down

    @Graeth Davies - No!

    How does having the IMSI help when the radio comms are encrypted?

    Without cloning the SIM you may be able to receive the message, but you can't decrypt it!

  21. Hans-Peter Lackner
    Alien

    Absolutely useless

    This "hack", if it even exists, is absolutely useless, at least in the security system my bank uses. One specific mTan can only be used to authorize one specific transaction. And the online banking of my bank doesn't allow multiple logins. So how in heaven would an (used) mTan be of any interest to anyone??

  22. A J Stiles
    Boffin

    @ Gareth Davies

    Even then, you with your "spoofed" phone would have to be within range of the *same* base station as the "real" one. The GSM network always knows which base station any phone is using, so SMS messages for any phone *only* go through that phone's closest base station (or, get cached until some base station spots the phone waking up). It's not like the old VHF paging, where any message gets broadcast from all base stations in the hope that the right person is listening!

    Also, two phones with apparently the same IMEI and IMSI within range of two widely-separated base stations should be flagged as an error condition.

  23. Anonymous Coward
    Linux

    An Alternative Explanation

    High prices for relatively useless items can also indicate money laundering activities.

  24. Gareth Davies

    @AJ Stiles

    Not quite.....the BTS is simply an RF Front End in many deployed networks, with the BSC handling all encryption exchanges and switching functions.

    If the Phone is asociated with the same BSC and in some cases even the same MSC, the SMS can get sent out on a broadcast basis, rather than a host-client basis. This is to ensure delivery without multiple attempts from an individual BSC, i.e. it sends to all/several BTS's connected to the BSC simultaneously, however this is not the method I expect the black hats to use as it is rarely implemented other than on small networks such as private GSM PBX's.

    I believe the way to do it would be to force the handset to re-register continually with the Network, forcing updates to the HLR and ensuring that the SMS is directed to the fraudulent handset as the SMSC requests the current status of the recipient handset and the HLR informs the SMSC which MSC/BSC the handset currently resides on. Since the encryption key is generated as a function of the IMSI and IMEI.............well you can see the rest.

    Also, @ Mark think GSM encryption is that good do you?

    http://blogs.techrepublic.com.com/wireless/?p=206

    These encryption methods can and are broken on a regular basis, 3GPP has made it more secure, but not unbreakable.

  25. Anonymous Coward
    Anonymous Coward

    Money for old phones

    One of my mates used to lug around a godawful old brick of a phone for one simple reason - it radiated at 4W instead of the measly .4W of newer kit. HE never had a problem with loss-of-signal.

    Dunno if he's still got it - we lost touch...

  26. A J Stiles

    @ Gareth Davies

    The encryption key depends not only on the IMEI and IMSI, but also on a code which is stored on the SIM at manufacture time (and a copy transferred separately to the HLR), never sent over the air and not even directly accessible via the SIM's smartcard interface -- though this would almost certainly be vulnerable to some sort of known-plaintext attack. If there was a way to get this code from a badly-made SIM, it would not depend on a particular handset model but on a particular batch of SIMs.

    If you want truly secure communications, stick to cocoa tins and string.

  27. Anonymous Coward
    Anonymous Coward

    Nokia 1100 for sale...

    ... only one German owner.

  28. Anonymous Coward
    Boffin

    Er . . . x2

    @ Gareth Davies Wed 22 April 2009 10:04

    I think you've got mobility management in the core network side of things a bit mixed up. But more importantly what network has BTS's (or any node/element/host) that isn't individually addressed? Or rather phones that aren't locatable! I'd suggest you read: Wiley - GSM - Architecture, Protocols and Services, 3rd Edition.

    Also as A J Stiles quite rightly said the Ki is securely loaded onto the network and SIM. So no further communication beyond manufacture is required. "The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AUC. This Ki is never transmitted between the AUC and SIM, but is combined with the IMSI to produce a challenge/response for identification purposes and an encryption key called Kc for use in over the air communications."* Further authentication measures are involved. . . GSM is not as easy to hack as Hollywood makes it. Unless it involves an insider.

    *http://en.wikipedia.org/wiki/GMSC#Authentication_centre_.28AUC.29 - Yeah it's Wikipedia but it's actually pretty much accurate in this case.

  29. A J Stiles

    @ AC 19:58

    I expect the Ki would be vulnerable to a convoluted known-plaintext attack, but I can't see how this would be dependent upon a particular model of handset. Even if it has a diagnostic mode that reveals more than most, it can't do anything that can be done using any computer and some Open Source software

    It's far more plausible that this is simply a myth, like the sewing machine hoax, which someone has created to inflate the value of something that should ordinarily not be worth much.

  30. TeeCee Gold badge
    Joke

    Mobile banking phone hacks.

    Apparently the early models of the HTC Touch can intercept and change mobile banking transactions without needing a cloned SIM at all. You don't even have to be in the same country, let alone on the same cell tower.

    There. Now all I need to do is wait a bit for Google to do its stuff, put mine on eBay and a nice, shiny new HTC Touch Pro 2 shall be mine for no additional expense, with enough change out of the deal to buy a new motorcycle......

    It's a plan (sounds like it might be someone elses, but I'm not above plagiarism for profit).

This topic is closed for new posts.

Other stories you might like