Cellphones Crime Encryption Security The Almighty Buck

Nokia Extorted For Millions Over Stolen Encryption Keys

Posted by Soulskill
from the good-showing-all-around dept.
jppiiroinen writes: At the end of 2007, when Nokia still had huge market share with Symbian devices, they failed to disclose that somebody had stolen their encryption keys and extorted them for millions of Euros. The Finnish National Bureau of Investigation has not been able to figure out who did it. "The blackmailer had gotten hold of the Symbian encryption key used for signing. The code is a few kilobytes in size. Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company."
  • by Anonymous Coward

    all good ransom getaways seem to involve motorcycles

  • by psyclone (187154) on Tuesday June 17, 2014 @04:21PM (#47257543)

    The money was left in a bag at a parking lot nearby Särkänniemi amusement park. Then things went wrong. The blackmailer took the bag. Police, however, lost track of the blackmailer and the money was gone.

    What, no GPS transmitter in the filament of each paper Euro? Amateurs.

    • by Anonymous Coward

      What, no GPS transmitter in the filament of each paper Euro? Amateurs.

      Actually, the 1 and 2 unit currencies here on this side of the lake are not bills but coins. And while I wouldn't be surprised if our information hungry governmental overlords have tried putting GPS electronics in there, luckily the all-metal outside should keep us safe from any such spying activities.

    • What, no GPS transmitter in the filament of each paper Euro? Amateurs.

      They have planned to add RFID [eetimes.com]. However, AFAIK this has never been realized (yet).

  • Feature or bug? (Score:3, Insightful)

    by ron_ivi (607351) <sdotno&cheapcomplexdevices,com> on Tuesday June 17, 2014 @04:22PM (#47257547)

    Nokia would not have been able to ensure that the phones accept only applications approved by the company.

    Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company".

    • The problem is that any applications signed by the key would look like they were officially approved by the company, even if they were not. There would be no way to differentiate them... that's the purpose of the key!
      • by sjames (1099)

        And we know the key would never be used because the blackmailer pinkie swore.

        • That's just it. The summary says "Had the keys been leaked..." when in reality it is very obvious that they were leaked, Nokia just paid somebody and hoped they wouldn't use it. Encryption keys aren't something you can just give back, and a giant certificate revocation would have been noticed by a lot of security researchers.

          Basically, this story boils down to the fact that Nokia is out millions of dollars and their infrastructure is STILL compromised. Pinky swear indeed...

    • Re:Feature or bug? (Score:5, Insightful)

      by Jeff Flanagan (2981883) on Tuesday June 17, 2014 @04:41PM (#47257765)
      > Do device "owners" really want phones that "accept only applications approved by the company".

      Of course they do. You may not have heard of it, but there's a device called an iPhone that's tremendously popular, and this feature is one of the reasons.

      Locked-down devices are not for me, but one would have to really have their head in the sand to not notice that safer-to-use devices are popular with many, many people.
      • And most ordinary users that use Android are doing so because they are cheap, or they are the phone that the salesman at the store pushed at them. They aren't doing it because they think they have access to multiple app stores. Of the Android minority that ever download an app, most of them will never go outside Google Play.

    • Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company".

      On phones, yes. Phone users don't want their data compromised, or to end up being scammed for money. The thought that they are limited to one store doesn't even register as an issue. In fact they mostly like the idea of a single store where they can find every app.

      The Slashdot user's ideas of free software come from RMS. Ordinary people have never heard of him, let alone care what he thinks.

    • The story is badly told. Symbian never restricted apps. I believe it did check their signatures on install, informing users (kinda like UAC in Windows).

      • by mr_jrt (676485)

        Yeah it did - my N95 (Symbian OS v9.2, S60 3rd Edition) was unable to play OGGs via the stock media player as the codecs weren't signed. Previous versions were able to fine, apparently.

        • I believe my N97 had an option to allow unsigned apps (which were blocked by default, for obvious reasons).

          The stock media player not accepting new codecs is also different from the OS not accepting new apps that are unsigned.

    • Do device "owners" really want phones that "accept only applications approved by the company".

      Yes.

      As BasilBrush and CronoCloud have explained here several times, the majority of people are not geeks and don't want to have to spend time doing their own vetting of safety, usefulness, and battery efficiency of apps. Instead, they choose to delegate this vetting to Nokia, Apple, Microsoft, Sony, Nintendo, etc. I've summarized the purported advantages of closed platforms [pineight.com].

      • I disagree. I do not think this is a major consideration for most users. The idea of multiple software stores, some of which may or may not be trustworthy, is not high on the list when comparing phones.

        Issues they do care about in general order of importance:
        * Cost of the phone
        * Provider support (e.g., will I be able to use this phone with my carrier)
        * Features of the phone (does it have a keyboard, or a camera, and what does it look like)
        * App support (can I download apps I am interested in?)

        The fact is, m

    • Also - "Had the key been leaked Nokia would not have been able to ensure that the phones accept only applications approved by the company."
      This choice of words implies that the money somehow miraculously prevented the key from leaking. The key already HAD LEAKED. All nokia got for the money was a promise that the leaked key won't be misused.

    • In the alternate universe where nokia execs say "Fuck you, disseminate the key" we have nokia with a hacker friendly smartphone platform OR an instantly obsoleted platform thanks to evil hackers. I guess they would be better off than this nokia.
      "Being broken" was the business model of microsoft windows and they became number one with it.

    • Do device "owners" really want phones that "accept only applications approved by the company".

      No, and if this feature were dropped, a lot of us would want Symbian phones even now. This is the "feature" that killed Symbian. However, it was mandated by the carriers. It took Google to kill it, and Android gets stick daily for not having this "feature".

    • Nokia would not have been able to ensure that the phones accept only applications approved by the company.

      Sounds more like a feature than a bug. Do device "owners" really want phones that "accept only applications approved by the company".

      The device can run any code, the signing key makes it look "officially approved" by Nokia.

  • by Anonymous Coward

    Keys get compromised, expire, etc. They should have had a process for updating keys, and then it would have cost nothing but a little egg on the face for letting someone steal it.

    • by Anonymous Coward

      There should have been a scenario test where keys were released, or perhaps RSA or ECC itself gets cracked.

      Perhaps the best solution would be devices having both a symmetric key for the individual device, and a symmetric key for that model. That way, if all public keys were blown, there could be a mechanism for updates that would essentially use symmetric encryption to "sign" code [1].

      Of course, if the symmetric key database is compromised, it is a bad thing, but a company as big as Nokia can easily keep a
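    The two points made above (a stolen signing key cannot be "given back", and a device-side trust store needs a root-authorised way to revoke and replace keys) can be shown in a small Go model. This is an added example, not Symbian's real key format or Nokia's code; the trust store layout, key IDs and rotation message format are constructed for illustration.

    ```go
    package main

    import (
    	"crypto/ed25519"
    	"crypto/rand"
    	"errors"
    )

    // TrustStore models the device-side "accept only signed apps" policy: accepted
    // app-signing keys, a revocation set, and an offline root key that alone may change them.
    type TrustStore struct {
    	Root    ed25519.PublicKey
    	Signers map[string]ed25519.PublicKey
    	Revoked map[string]bool
    }

    // VerifyApp accepts a package only if a known, non-revoked signer key verifies the signature.
    func (t *TrustStore) VerifyApp(keyID string, pkg, sig []byte) bool {
    	pub, ok := t.Signers[keyID]
    	if !ok || t.Revoked[keyID] {
    		return false
    	}
    	return ed25519.Verify(pub, pkg, sig)
    }

    // Rotate revokes oldID and installs newPub, but only when the root key signed the
    // change (constructed message layout: oldID + "->" + newID + raw newPub bytes).
    func (t *TrustStore) Rotate(oldID, newID string, newPub ed25519.PublicKey, rootSig []byte) error {
    	msg := append([]byte(oldID+"->"+newID), newPub...)
    	if !ed25519.Verify(t.Root, msg, rootSig) {
    		return errors.New("rotation not authorised by root key")
    	}
    	t.Revoked[oldID] = true
    	t.Signers[newID] = newPub
    	return nil
    }

    // Demo plays out the thread's scenario and returns (leakedKeyAccepted, acceptedAfterRevoke, newKeyAccepted).
    func Demo() (bool, bool, bool) {
    	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
    	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
    	ts := &TrustStore{Root: rootPub, Signers: map[string]ed25519.PublicKey{"k1": pub1}, Revoked: map[string]bool{}}
    	pkg := []byte("constructed unapproved package")
    	sig := ed25519.Sign(priv1, pkg) // whoever holds the stolen key can still sign anything
    	leaked := ts.VerifyApp("k1", pkg, sig)
    	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
    	if err := ts.Rotate("k1", "k2", pub2, ed25519.Sign(rootPriv, append([]byte("k1->k2"), pub2...))); err != nil {
    		panic(err)
    	}
    	after := ts.VerifyApp("k1", pkg, sig)                     // revoked: rejected
    	fresh := ts.VerifyApp("k2", pkg, ed25519.Sign(priv2, pkg)) // new key: accepted
    	return leaked, after, fresh
    }
    ```

    Only the revocation step changes the device's answer; paying for a promise does not, which is the point the thread makes.
    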

  • by Anonymous Coward

    I don't get why they actually paid people for this. Even if they received the key _back_ the attacker could have still used them.

    "nokia would not have been able to ensure that the phones accept only applications approved by the company"

    is complete BS, they could not verify that at the point they realized they screwed up key security.

    • by Copid (137416)
      That does sound really fishy. I guess if you're going to do that, you need to set the ransom low enough that the company will pay it for a "maybe he'll hold up his end of the bargain" level of assurance rather than a "problem is solved forever" level of assurance. If I said, "Give me a dollar or I'll expose your keys," it's probably worth a dollar to reduce the 100% probability of key exposure to anything marginally less than 100%. If I said, "Give me a hundred million dollars for an unknown but nonzero r
  • From a strategic point of view this is a clusterfuck. Why did Nokia put real money in the bag if they were planning to arrest the person that came to pick it up? If the police had succeeded then it wouldn't matter if the money was real. If the blackmailer gets away, then maybe, if you are lucky, he might keep his promise if he thinks you acted in good faith. But now I am reading a story on slashdot about how they tried to catch this guy and botched the plan, so now the blackmailer knows that Nokia was no

  • So how do you trust a company? Profit is their primary goal, and if they feel that hiding a breach like this will be more profitable than disclosing it that's exactly what happens... Meanwhile, you now potentially have to also trust some criminals who have already demonstrated their willingness to commit blackmail.

  • Blackmailer blackmails blackmailer. More at 11.
  • by WaffleMonster (969671) on Tuesday June 17, 2014 @05:21PM (#47258109)

    Damn you just have to feel sorry for Nokia...

    I couldn't imagine the pain and suffering that must be associated with selling devices and then losing the ability to control what software can be installed on them.

  • Moriarty Calls every Nokia phone and broadcasts the image of himself laughing.
  • by Kaz Kylheku (1484) on Tuesday June 17, 2014 @05:36PM (#47258209) Homepage

    Pay me, or you don't get to extort your users with your locking scheme! :)

  • since nobody wrote or used symbian in the android era anyways.

  • For those who don't understand the reference, the Keystone Cops were incompetent policemen in a series of American silent movies. I read the article linked to in the article and basically Nokia dropped the money off in a paper bag in a parking lot and the police watched the pickup and then completely lost the blackmailer. To this day they have no idea at all who got the money and it seems that Nokia has only the word of the blackmailer that they wouldn't use the keys for nefarious purposes.
