Itch3: Anti-lost/theft protection
t3st3r at mail.ru
Sun Mar 4 23:08:34 CET 2007
Paul Wouters wrote:
> On Wed, 28 Feb 2007, Wolfgang S. Rupprecht wrote:
>> Personally I like the idea of periodic SMS messages with the
>> lat/lon/altitude. When in stolen mode, having the phone receive SMS
>> msgs containing commands for the phone would seem to be very useful.
> The first thing that happens to a stolen phone is that the SIM is
> chucked. You won't be able to *send* SMS messages, since you will not
> know the phone number. Unless you make sure it SENDS you its new
> phone number as well.
FYI: just to let you know, an anti-theft/anti-lost system for phones
already exists. Here is the story. Maybe someone has already heard that
proprietary Siemens mobile phones (x55 series based on 80C166 CPU and
x65 and x75 series based on ARM9) were reverse-engineered deeply and
people have bypassed boot loader protection (preventing user's code from
being uploaded) so everyone can run their own code on the phone's CPU. Also I
heard some other vendors were hacked successfully as well. Some
SonyEricsson for example.
One of the first firmware patches was the anti-theft subsystem. How
does it work? It detects a SIM card change (by IMSI checking IIRC)
and then SMSes predefined number(s) (should be someone from your family
or friends of course). This reveals the new phone number (allowing legal
action to be taken) and can allow the owner to regain remote control, get
coordinates (actually, on Siemens phones you can get Cell ID at the very
most, funny enough anyway).
Btw, a few interesting things to mention...
- People implemented their own run-time and executable file loader. It
loads ARM .ELF files (lots of ARM compilers can produce these
files). Amazing hack. It allows direct code execution by the user on the
phone's main CPU easily (almost as easy as launching Java apps).
- Trojans, do you say? Well... you would have to be a real idiot to download real
executable code from an untrusted place. Anyway, I _never_ heard about ELF
trojans, and even Window$ Mobile allows running unsigned code but it still
lacks a trojan hell as well. But there are already JAVA trojans targeted
at USUAL restricted phones. Virtualization does not help. Users are
often stupid enough to confirm a Java SMS send a few times before they
recognize it costs them a few US $ per SMS. The ONLY way to prevent abuse
is to make users smarter. Otherwise, no matter what the protection is, it
will fail due to user stupidity. The only perfect solution is either to
disable executing anything (even Java!) and have a "dumb dialer" instead
of a "smart phone", or to educate users a bit so they're aware of potential
issues. Also I guess that there are very few native code trojans just
because stupid users are usually using stupid phones (which are able to
dial and send SMSes and are able just to run Java at the very most) since
they're cheaper. Smart phone users are usually smarter themselves (they have
to know why they're paying for a more expensive device, right?) and hence
they're less vulnerable to trojans.
- Also I have to admit a funny thing. Those cell operators who are afraid of
network hacking and disable running native code on the phones because of
this are *real morons*. There are already dozens of "hacked" phones
where the user's code runs on the phone's main CPU and, while this is a 1-chip
solution, this code has COMPLETE access to cell networks, their
internals and can craft absolutely any data to the network. However I never
heard about a cell operator network being hacked. But if someone decides to
hack a network, he just has to use his own hacked phone, replace the SIM with the target
operator's one and (possibly) craft an IMEI allowed to log in to the network
(perfectly possible of course once your code has full control of the
whole phone; this can be illegal in some countries but hacking networks
is illegal as well so who cares?). So, operators had better secure
their networks. Disabling running native code will just make users
unhappy but it will actually never stop persons with evil intentions
from doing something wrong with the network. Actually it looks like an ostrich
:). Hiding just the head will not save their ass, even if they can no
longer see danger when the head is hidden.
>> Something as simple as having a way of remotely submitting a short
>> shell script would do the trick.
> Stuffing something useful in 160 chars is hard. It's better to design
> things beforehand, so you can just send simple commands with arguments.
> I wonder if you can send SMSes on the Neo without the user noticing
> anything, or whether things like the backlight will be turned on (by the
> closed off chip hardware).
> OpenMoko community mailing list
> community at lists.openmoko.org
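
The SIM-change check and the "simple commands with arguments" idea from the message above, as an added sketch that is not part of the original post or of the Siemens patch it describes. All names, the message layout, the command verbs and the shared-secret tag are assumptions; the IMSIs, Cell ID and phone number are constructed sample values.

```python
import hashlib
import hmac

SMS_MAX = 160                        # single-SMS limit from the quoted reply
OWNER_IMSI = "001010123456789"       # constructed: IMSI recorded from the owner's SIM
ALERT_NUMBERS = ["+10000000001"]     # constructed placeholder for trusted contacts
SECRET = b"constructed-demo-secret"  # assumption: secret shared with the owner beforehand
COMMANDS = {"LOC": 0, "LOCK": 0, "RING": 1}  # hypothetical verbs -> argument count


def sim_change_alerts(current_imsi, cell_id):
    """Return (number, text) alerts if the inserted SIM is not the owner's."""
    if current_imsi == OWNER_IMSI:
        return []
    # The new phone number needs no field: it arrives as the SMS sender.
    text = f"SIM CHANGED imsi={current_imsi} cell={cell_id}"
    if len(text) > SMS_MAX:
        raise ValueError("alert does not fit in one SMS")
    return [(number, text) for number in ALERT_NUMBERS]


def _tag(body):
    """Short authentication tag over the command body."""
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]


def make_command(verb, *args):
    """Owner side: build '<VERB> <args...> <tag>'."""
    body = " ".join((verb, *args))
    return f"{body} {_tag(body)}"


def parse_command(sms):
    """Phone side: return (verb, args) for a valid command, else None."""
    if len(sms) > SMS_MAX:
        return None
    body, _, tag = sms.rpartition(" ")
    if not body or not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None                  # sender could not prove knowledge of SECRET
    verb, *args = body.split(" ")
    if COMMANDS.get(verb) != len(args):
        return None                  # unknown verb or wrong argument count
    return verb, args
```

The tag shows that a command came from someone holding the secret, but a captured command can be replayed; a counter inside the tagged body would be needed to prevent that.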