Itch3: Anti-lost/theft protection

t3st3r t3st3r at
Sun Mar 4 23:08:34 CET 2007

Paul Wouters wrote:
> On Wed, 28 Feb 2007, Wolfgang S. Rupprecht wrote:
>> Personally I like the idea of periodic SMS messages with the
>> lat/lon/altitude.  When in stolen mode, having the phone receive SMS
>> msgs containing commands for the phone would seem to be very useful.
> The first thing that happens to a stolen phone is that the SIM is
> chucked. You won't be able to *send* SMS messages, since you will not
> know the phone number. Unless you make sure it SENDS you its new
> phone number as well.
FYI: just to let you know, an anti-theft/anti-lost system for phones
already exists. Here is the story. Maybe someone has already heard that
proprietary Siemens mobile phones (x55 series based on the 80C166 CPU,
and x65 and x75 series based on ARM9) were deeply reverse-engineered,
and people have bypassed the boot loader protection (which prevents
user code from being uploaded), so everyone can run their own code on
the phone's CPU. Also, I heard some other vendors were hacked
successfully as well. Some SonyEricsson for example.

One of the first firmware patches was the anti-theft subsystem. How
does it work? It detects a SIM card change (by IMSI checking, IIRC)
and then sends an SMS to predefined number(s) (these should be someone
from your family or friends, of course). This reveals the new phone
number (allowing legal action to be taken) and can allow the owner to
regain remote control and get coordinates (actually, on Siemens phones
you can get the Cell ID at the very most; funny enough anyway).

Btw, a few interesting things to mention...
- People implemented their own run-time and executable file loader. It
loads ARM .ELF files (lots of ARM compilers can produce these files).
Amazing hack. It allows direct code execution by the user on the
phone's main CPU easily (almost as easy as launching Java apps).

- Trojans, do you say? Well... you would have to be a real idiot to
download real executable code from an untrusted place. Anyway, I
_never_ heard about ELF trojans, and even Window$ Mobile allows running
unsigned code but it still lacks a trojan hell as well. But there are
already Java trojans targeted at USUAL restricted phones.
Virtualization does not help. Users are often stupid enough to confirm
a Java SMS send a few times before they recognize it costs them a few
US $ per SMS. The ONLY way to prevent abuse is to make users smarter.
Otherwise, no matter what the protection is, it will fail due to user
stupidity. The only perfect solution is either to disable executing
anything (even Java!) and have a "dumb dialer" instead of a "smart
phone", or to educate users a bit so they're aware of potential
issues. Also I guess that there are very few native code trojans just
because stupid users are usually using stupid phones (which are able to
dial and send SMSes and just run Java at the very most) since they're
cheaper. Smart phone users are usually smarter themselves (they have
to know why they're paying for a more expensive device, right?) and
hence they're less vulnerable to trojans.

- Also I have to admit a funny thing. Those cell operators who are
afraid of network hacking and disable running native code on the phones
because of this are *real morons*. There are already dozens of "hacked"
phones where the user's code runs on the phone's main CPU, and while
this is a 1-chip solution, this code has COMPLETE access to cell
networks, their internals, and can craft absolutely any data to the
network. However, I never heard about a cell operator network being
hacked. But if someone decides to hack a network, he just has to use
his own hacked phone, replace the SIM with the target operator's one
and (possibly) craft an IMEI allowed to log in to the network
(perfectly possible of course once your code has full control of the
whole phone; this can be illegal in some countries but hacking networks
is illegal as well so who cares?). So operators had better secure
their networks. Disabling native code will just make users unhappy but
it will never actually stop persons with evil intentions from doing
something wrong with the network. Actually looks like an ostrich :).
Hiding just the head will not save their ass, even if they can no
longer see danger when the head is hidden.
>> Something as simple as having a way of remotely submitting a short
>> shell script would do the trick.
> Stuffing something useful in 160 chars is hard. It's better to design
> things beforehand, so you can just send simple commands with arguments.
> I wonder if you can send SMSes on the Neo without the user noticing
> anything, or whether things like the backlight will be turned on (by the
> closed off chip hardware).
> Paul
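The SIM-change check and the "simple commands with arguments" idea discussed in this message, as an added Python sketch that is not part of the original post and not the Siemens patch's code. All function names, the command set (`CELL`, `RING`), the shared secret and the sample values are assumptions made for illustration.

```python
import hmac

SMS_MAX = 160                       # single-SMS limit cited in the thread
COMMANDS = {"CELL": 0, "RING": 1}   # hypothetical commands: name -> argument count
# Constructed sample state; the IMSI uses the 001/01 test network prefix.
SAMPLE_STATE = {"enrolled_imsi": "001010123456789",
                "notify": ["+10000000001"], "secret": "s3cr3t"}

def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def check_sim(state, current_imsi, cell_id):
    """Run at boot: return the (number, text) alerts to send, [] if SIM unchanged."""
    if _same(state["enrolled_imsi"], current_imsi):
        return []
    state["stolen_mode"] = True
    # The recipient sees the new SIM's number as the SMS sender, so the text
    # only has to carry the new IMSI and the serving Cell ID.
    text = f"SIM CHANGED imsi={current_imsi} cell={cell_id}"
    if len(text) > SMS_MAX:
        raise ValueError("alert does not fit in one SMS")
    return [(number, text) for number in state["notify"]]

def handle_command(state, sms_text, cell_id):
    """Parse '<secret> <CMD> [arg]'; return the reply text, or None to stay silent."""
    if not state.get("stolen_mode") or len(sms_text) > SMS_MAX:
        return None
    parts = sms_text.split()
    if len(parts) < 2 or not _same(parts[0], state["secret"]):
        return None                 # bad secret: no reply, nothing revealed
    cmd, args = parts[1].upper(), parts[2:]
    if COMMANDS.get(cmd) != len(args):
        return None                 # unknown command or wrong argument count
    if cmd == "CELL":
        return f"cell={cell_id}"
    seconds = args[0]               # only RING remains
    if not seconds.isdecimal() or not 1 <= int(seconds) <= 60:
        return None
    return f"ringing {int(seconds)}s"
```

Commands are ignored until a SIM change has put the device in stolen mode, and a fixed grammar with a secret keeps arbitrary senders from driving the phone.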