The very strange story of an old mobile phone

It is spreading like a small slumbering fire over the internet: criminals pay big money for your old Nokia 1100 mobile phone. They only seem to be interested in Nokia 1100s from 2001 or 2002, and they have to be manufactured in Germany (to be more precise: in Bochum). The news was released by the ‘company’ UltraScan on Saturday 18 April 2009, and the original press release can be read on the UltraScan website. All the media coverage on the subject made me think of the following.

The press release states that the criminals use these phones to capture SMS messages containing TAN codes (one-time passwords used to sign an online banking transaction) from online banking systems. But it does not give any proof for these claims.

How would this work? The attacker would need your login credentials for the online banking website and your mobile phone number. Of course, for a lot of people the mobile phone number can be found on the social networks, but the attacker would still need your credentials. They cannot retrieve your mobile phone number from the online banking website, as this is – at least at the Dutch ING bank – partly obscured and cannot be changed online without a letter being sent to your postal address to confirm the change. The attackers need quite a lot of information about you before they can target you with this kind of attack. Capturing TAN codes is just a small part of the attack in that case.

But let’s assume that the attacker has indeed retrieved your credentials and your mobile phone number and is targeting you. Will your own phone, in that case, disconnect from the provider’s network during the attack? If so, you would most likely notice your phone being disconnected from the network, which is a nice trigger that something is going on.

The other possibility is that both you and the attacker receive the SMS message at the same time, like some sort of cloned connection. In that case it is a nice warning system for when your account is being plundered, because you will receive a TAN SMS at a time when you are most likely not even using the online banking system. If you call the bank as soon as you receive the SMS, the bank should have enough time to get your money back.

I doubt that this attack would work better than the current Man-in-the-Middle and Man-in-the-Browser attacks, which only need a little piece of malware installed on the victim’s PC and don’t require the difficult intelligence phase of collecting the credentials and the mobile phone numbers.

Well, if the attack did work, how much would the criminals pay for this phone? The press release quotes the amount of 25,000 euros (around 32,000 dollars), which is quite a lot for a phone, even one with these characteristics – you would need to complete quite a lot of successful transactions just to earn your investment back, let alone make some money. What kind of things could you do with 25,000 euros? Well, for starters you could build your own hardware which mimics the hardware of the Nokia 1100. If it is just for stealing SMS messages from other people, it doesn’t matter if the device doesn’t look like a phone. Criminals are smarter than to hunt down old mobiles if they can build the hardware themselves. So why didn’t they build the hardware themselves? Possibly because it needs to be a phone, not some SMS receiver. But why does it need to be a phone?

One of the people leaving a comment on this subject on the Engadget website is Paul Prijs. Paul explains that the phones can be used to send SMS messages to someone else using the same provider, and that the provider then does not keep records of where the SMS has been sent to. This is of course highly useful for criminals: they can communicate by SMS without leaving traces. That is worth something, isn’t it? They are not going to walk around with some home-made device for this, so it needs to be the Nokia 1100. Until someone finds a way to modify any phone to do this, of course.

I hope UltraScan is wrong, but if they are right we have much worse problems than criminals trying to snoop our TAN codes. If the story were true, it would not only mean that the attackers can steal TAN codes sent by SMS, but that the whole SMS system has been broken. Since this is a problem with an old phone, it seems that it cannot be solved from the provider’s side. Or it can, and they just don’t seem to bother to fix it.

In that case, from this day on we cannot trust SMS anymore. All your SMS messages to your loved one, all your SMS messages containing passwords, or any SMS you could think of can be read by someone else. But on the other hand, I just looked through my SMS messages and overall they are actually pretty boring; who would want to read those anyway?

On the topic of UltraScan I could probably write another long blog post, which I won’t at this moment. The Dutch-based ‘company’, however, does not have a Dutch Chamber of Commerce registration and therefore is not a real company. Despite having cool flowcharts containing all the different parts of the ‘company’ and claims of more than 3000 informants on their websites, the only person who has ever surfaced to the outside world is Frank Engelsman. You might think it is just a big one-man show.

I wouldn’t dare to say that Frank Engelsman has great delusions. But people could think that, and you can’t blame them.

Internet law (Dutch only)

Just a plain old linkdump to start the new year (happy new year, of course :) !). New year’s resolution: blog more ;) !

A lot of readers will probably already know this site, but for those few who don’t: Arnoud Engelfriet regularly blogs (in Dutch only) about law, more specifically internet/ICT law. And as a new year is a good time to look back, here is a link to his overview of what happened in this area in 2008.

Forensics in space?

Two days ago the website SpaceRef.com told us ‘NASA Discovers Computer Virus Aboard the International Space Station’. Somehow a computer virus made it onto at least one of the Space Station’s non-critical computers. This might seem like a small thing because it wasn’t an important computer. But then again, we all know how dangerous a space virus can be, if you have seen Independence Day of course.

The SpaceRef website states: “Theory is virus either in initial software load or possibly transferred from personal compact flash card.”

Well, a theory alone is not enough, is it? This sounds like a very good reason to do a full forensic investigation. Sending an investigator to space might be quite a challenging job, though.

So NASA, if you are looking for a forensic investigator: Just contact us ;)

Beware what you travel with

Multiple news sites tell the story of the USA now being able to detain the laptops (or any other electronic devices) of travelers. The Policy Regarding Border Search of Information states:

Officers may detain documents and electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search. The search may take place on-site or at an off-site location.

What does this mean for a traveling forensic investigator? First, how are you going to do your job when your electronic friend is being held for investigation? And what is a “reasonable period of time”? Maybe you can pick it up again when you are leaving?

And if it is being detained, what data is on it? Of course you should never have any case data on your own laptop, right? But what if you have a new case and you did a quick investigation of the secured evidence with your own laptop? There might be some traces left in the slack space and free space. Let’s hope the data doesn’t contain any references to terrorist acts; it might be a long stay then instead of a short trip.

Or, what if you just made a forensic copy for a case and you are traveling with that copy to deliver it to your own lab for investigation? If the hard disk with the forensic copy is detained, how does that look on your chain of evidence? Not to mention the data that might be on a freshly imaged evidence item.

Of course, if you keep thinking about it, there will be a lot more consequences when your items are detained at the border. But then again, why would a good forensic investigator be stopped at the border for such an investigation? Oh well, as long as they don’t take my PSP.