{"id":14967,"date":"2014-06-20T17:59:21","date_gmt":"2014-06-20T17:59:21","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2073"},"modified":"2020-02-26T10:51:56","modified_gmt":"2020-02-26T15:51:56","slug":"the-case-of-a-money-bag-and-an-encryption-key","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/the-case-of-a-money-bag-and-an-encryption-key\/14967\/","title":{"rendered":"The case of a money bag and an encryption key"},"content":{"rendered":"<p>A few days ago we <a href=\"https:\/\/business.kaspersky.com\/cabir-five-stories\/\" target=\"_blank\" rel=\"noopener nofollow\">blogged<\/a> about Cabir, the first-ever virus for a smartphone \u2013 or, rather, a specific mobile software platform. That platform used to be known as Symbian, and for weal or for woe, it\u2019s history now.<\/p>\n<p>Just the day after, a new story emerged, unrelated to Cabir but directly related to Symbian itself and \u2013 in general \u2013 to information security. So we think this \u201cdetective thriller\u201d is worth relaying.<\/p>\n<p>The Finnish TV channel MTV (unrelated to the global music channel) <a href=\"http:\/\/www.mtv.fi\/uutiset\/rikos\/artikkeli\/nokia-paid-millions-of-euros-in-ransom\/3448918\" target=\"_blank\" rel=\"noopener nofollow\">broke the news<\/a>, reporting that the Finnish police have an ongoing investigation into a blackmail incident with Nokia as the injured party.<\/p>\n<p>The incident took place roughly six years ago \u2013 in late 2007. Details are rather scarce, but it appears that someone got access to \u201cthe source code for part of an operating system\u201d, <a href=\"http:\/\/uk.reuters.com\/article\/2014\/06\/17\/us-nokia-idUKKBN0ES1UC20140617\" target=\"_blank\" rel=\"noopener nofollow\">according to Reuters<\/a>, or, rather, to the encryption key \u201cfor a core part of Nokia\u2019s Symbian software\u201d. 
The perpetrator then threatened to make it public unless paid a multi-zero sum.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020028\/800-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-2075\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020028\/800-1.png\" alt=\"800\" width=\"800\" height=\"476\"><\/a><\/p>\n<p>Let\u2019s pause here. What would it mean if this key were made public? Plain and simple: malware writers would possibly have the ability to circumvent any protection and create all sorts of malware and rootkits with access to security-sensitive functionality. A cybercriminal\u2019s dream.<\/p>\n<p>At the time, Symbian\u2019s then-current version, Series 60 3rd Edition (S60v3), a hardened version of Symbian OS 9.1 developed by the company, was armed with the Platform Security framework first introduced in 0.91 (late 2005).<\/p>\n<p>As we know, this framework, which brought in digital signatures for certain APIs, was <a href=\"https:\/\/business.kaspersky.com\/cabir-five-stories\/\" target=\"_blank\" rel=\"noopener nofollow\">Nokia\u2019s response to the emerging mobile malware problem<\/a>. The company enforced mandatory code signing and ran an application certification program through which developers could submit their apps for testing and signing by the company. 
The certified apps were able to access \u201cmore powerful capabilities\u201d or \u201crestricted Java APIs\u201d and displayed fewer warning messages to users, <a href=\"http:\/\/www.computerworld.com\/s\/article\/9249203\/Symbian_signing_key_reportedly_stolen_from_Nokia_could_have_enabled_powerful_malware\" target=\"_blank\" rel=\"noopener nofollow\">according to Computerworld<\/a>.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020027\/300-1.png\"><img decoding=\"async\" class=\"size-full wp-image-2076 alignleft\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020027\/300-1.png\" alt=\"300\" width=\"300\" height=\"450\"><\/a><\/p>\n<p>Attackers with access to a Symbian digital signing key could have used it to sign their own applications and evade security mechanisms \u2013 the system would accept them as legitimate. The problem was further aggravated by the fact that the stolen key could not easily have been invalidated once it was leaked, since Symbian OS <em>did not<\/em> check whether digital signing certificates had been revoked. And given that there was nothing similar to a centralized app store such as iTunes or Google Play for Symbian at the time, and apps were commonly downloaded from random sources, very bad things could happen. Speaking to Computerworld, Victor Yablokov, head of mobile at Kaspersky Lab, said that if such a key was stolen, then two years of development of Symbian 9 <a href=\"http:\/\/www.computerworld.com\/s\/article\/9249203\/Symbian_signing_key_reportedly_stolen_from_Nokia_could_have_enabled_powerful_malware\" target=\"_blank\" rel=\"noopener nofollow\">would have been rendered useless<\/a>.<\/p>\n<p>Apparently Nokia, whose market share by that time was still high but already rolling downhill (73% in 2006 to 52,4% in 2008), had to choose between bad and worse. 
The decision to pay the ransom was made at the topmost echelon.<\/p>\n<p>The perpetrator played Robin Hood a bit and demanded that half of the ransom be given to charity and the other half delivered to a parking lot in the Finnish city of Tampere. Nokia complied, but the police were alerted.<\/p>\n<p>On the night of delivery, however, the culprit just picked up the bag with \u201cseveral million euros\u201d and disappeared into the dark, with the police losing track of him almost immediately.<\/p>\n<p>According to a <a href=\"http:\/\/www.neowin.net\/news\/nokia-was-blackmailed-many-times-over-the-years---and-usually-paid-up\" target=\"_blank\" rel=\"noopener nofollow\">later report<\/a>, Nokia believes that the person responsible for the 2008 extortion was \u201ca Finnish citizen who participated in the development of the [Symbian] user interface\u201d, which means that the police have a very clear suspect in the case. But so far no arrests have been announced.<\/p>\n<p>Also, Nokia apparently paid more than once to people who discovered certain vulnerabilities in software, hardware or services and threatened to make them public. These payments, however, were \u201cless serious\u201d than the one made to the aforementioned \u201cvanishing blackmailer\u201d. Still, it looks like Nokia spent a fortune to prevent data from going public.<\/p>\n<p>How did all this end? 
We all know well that Symbian is dead or, rather, will be by 2016: according to an outsourcing agreement struck in 2011, Accenture now handles Symbian-based software development till 2016. But the last Symbian smartphone was released in 2012 and there won\u2019t be any more of them.<\/p>\n<p>Nokia switched to Microsoft Phone as its platform of choice, and eventually sold its mobile phone business to Microsoft entirely, with the deal closed earlier this year. What was once the world\u2019s largest vendor of mobile phones became a subdivision of a company that had rather modest achievements in the mobile market on its own.<\/p>\n<p>Of course, the claim that Nokia\u2019s misfortunes are the direct result of that incident in a parking lot in Tampere would be unsubstantiated at best. Nokia\u2019s demise was brought about by a great multitude of factors. But this story is an example of apparent repeated mishandling and under-securing of sensitive data \u2013 a bad practice that was just bound to contribute to the final result.<\/p>\n<p>By the way, what happened to that code that the blackmailer presumably had in store is unclear. The overall amount of Symbian-oriented malware <a href=\"https:\/\/business.kaspersky.com\/cabir-five-stories\/\" target=\"_blank\" rel=\"noopener nofollow\">is relatively small<\/a> compared to that of Android, and while the stolen encryption key might indeed enable a very powerful strain of Symbian malware, so far it hasn\u2019t been witnessed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On the trail of Cabir&#8217;s &#8220;jubilee&#8221;, a new story about Nokia&#8217;s Symbian surfaced, involving stolen code, blackmail, charity donation, and a bag with several million euros. 
One day it could become a script for a criminal drama, but for now it is a story about sensitive data mishandling.<\/p>\n","protected":false},"author":209,"featured_media":15442,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[1750,261,2113,2114],"class_list":{"0":"post-14967","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-blackmail","10":"tag-encryption","11":"tag-jubilee","12":"tag-nokia"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/the-case-of-a-money-bag-and-an-encryption-key\/14967\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/the-case-of-a-money-bag-and-an-encryption-key\/14967\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/the-case-of-a-money-bag-and-an-encryption-key\/14967\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/blackmail\/","name":"blackmail"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14967"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14967\/revisions"}],"predecessor-version":[{"id":33189,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14967\/revisions\/33189"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15442"}],"wp:attachment":[
{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14967"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}