The case of a money bag and an encryption key

A few days ago we blogged about Cabir, the first ever virus for a smartphone – or, rather, a specific mobile software platform. That platform used to be known as Symbian, and for weal or for woe, it’s history now.

Just the day after, a new story emerged, unrelated to Cabir but directly related to Symbian itself and – in general – to information security. So we think this “detective thriller” is worth relaying.

The Finnish TV channel MTV (unrelated to the global music channel) broke the news, reporting that the Finnish police have an ongoing investigation into a blackmail incident with Nokia as the injured party.

The incident took place roughly six years ago – in late 2007. Details are rather scarce, but it appears that someone got access to “the source code for part of an operating system”, according to Reuters, or, rather, to the encryption key “for a core part of Nokia’s Symbian software”. The perpetrator then threatened to make it public unless paid a multizero sum.

Let’s make a small stop here. What would it mean if this key were made public? Plain and simple: malware writers would possibly have the ability to circumvent any protection and create all sorts of malware and rootkits with access to security-sensitive functionality. A cybercriminal’s dream.

At the time, Symbian’s then-current version, Series 60 3rd Edition (S60v3), a hardened version of Symbian OS 9.1 developed by the company, was armed with the Platform Security framework first introduced in 0.91 (late 2005).

As we know, this framework, which brought in digital signatures for certain APIs, was Nokia’s response to the emerging mobile malware problem. The company enforced mandatory code signing and ran an application certification program through which developers could submit their apps for testing and signing by the company. The certified apps were able to access “more powerful capabilities” or “restricted Java APIs” and displayed fewer warning messages to users, according to Computerworld.

Attackers with access to a Symbian digital signing key could have used it to sign their own applications and evade security mechanisms: the system would accept them as legitimate. The problem was further aggravated by the fact that the stolen key could not easily have been invalidated once it was leaked, since Symbian OS did not check whether digital signing certificates had been revoked. And given that there was nothing similar to a centralized app store such as iTunes or Google Play for Symbian at the time, and apps were commonly downloaded from random sources, very bad things could happen. Speaking to Computerworld, Victor Yablokov, head of mobile at Kaspersky Lab, said that if such a key was stolen, then two years of development of Symbian 9 would have been rendered useless.
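To make the revocation gap concrete, here is a small sketch added for this write-up (it is not Symbian’s or Nokia’s code). It assumes a constructed toy RSA key and hypothetical helper names, and compares an installer check that stops at “the signature is valid” with one that also consults a list of revoked signing keys.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the secret that must not leak

def digest(data: bytes) -> int:
    """SHA-256 of the package, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def key_id(n: int, e: int) -> str:
    """Fingerprint of a public key; this is what a revocation list would carry."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def sign(package: bytes) -> int:
    """Textbook RSA signature (no padding), for illustration only."""
    return pow(digest(package), D, N)

def signature_ok(package: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(package)

def install_allowed(package: bytes, sig: int, revoked_keys=None):
    """Hypothetical installer policy.

    revoked_keys=None models a platform that never checks revocation:
    any package carrying a valid signature is trusted indefinitely.
    """
    if not signature_ok(package, sig):
        return False, "bad signature"
    if revoked_keys is not None and key_id(N, E) in revoked_keys:
        return False, "signing key revoked"
    return True, "trusted"

def demo():
    pkg = b"constructed sample package"  # constructed input
    sig = sign(pkg)
    revoked = {key_id(N, E)}             # the vendor has revoked the leaked key
    return (
        install_allowed(pkg, sig),                        # no revocation check
        install_allowed(pkg, sig, revoked),               # revocation enforced
        install_allowed(pkg + b" tampered", sig, revoked),
    )

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Without the revocation list the first call stays “trusted” no matter what the vendor later learns about the key, which is exactly the position described above.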

Apparently Nokia, whose market share by that time was still high but already rolling downhill (73% in 2006 to 52.4% in 2008), had to choose between bad and worse. The decision to pay the ransom was made at the topmost echelon.

The perpetrator played Robin Hood a bit and demanded that half of the ransom be given to charity and the other half delivered to a parking lot in the Finnish city of Tampere. Nokia complied, but the police were alerted.

On the night of delivery, however, the culprit just picked up the bag with “several million euros” and disappeared into the dark, with the police losing track of him almost immediately.

According to a later report, Nokia believes that the person responsible for the 2008 extortion was “a Finnish citizen who participated in the development of the [Symbian] user interface”, which means that the police have a very clear suspect in the case. But so far no arrests have been announced.

Also, Nokia apparently paid, more than once, people who discovered certain vulnerabilities in software, hardware or services and threatened to make them public. These payments, however, were “less serious” than the one made to the aforementioned “vanishing blackmailer”. Still, it looks like Nokia spent a fortune to prevent data from going public.

How did all this end? We all know well that Symbian is dead or, rather, will be by 2016: according to an outsourcing agreement struck in 2011, Accenture now handles Symbian-based software development until 2016. But the last Symbian smartphone was released in 2012 and there won’t be any more of them.

Nokia switched to Microsoft Phone as its platform of choice, and eventually sold its mobile phone business to Microsoft entirely, with the deal closed earlier this year. What was once the world’s largest vendor of mobile phones became a subdivision of a company that had rather modest achievements in the mobile market on its own.

Of course, the claim that Nokia’s misfortunes are a direct result of that incident in a parking lot in Tampere would be unsubstantiated at best. Nokia’s demise was brought about by a great multitude of factors. But this story is an example of apparent repeated mishandling and under-securing of sensitive data, a bad practice that was bound to contribute to the final result.

By the way, what happened to the code that the blackmailer presumably had in store is unclear. The overall amount of Symbian-oriented malware is relatively small compared to that of Android, and while the stolen encryption key might indeed enable a very powerful strain of Symbian malware, so far none has been witnessed.