Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
Authors: Kevin Mitnick,Steve Wozniak,William L. Simon
Long afterward, I met Shawn Nunley, and we became good friends. I’m happy that today we can laugh about the whole episode.
With the Novell hack behind me, I decided to target one of the biggest cell phone manufacturers, Nokia.
I called Nokia Mobile Phones in Salo, Finland, posing as an engineer from Nokia USA in San Diego. Eventually I was transferred to a gentleman named Tapio. He sounded like a very nice guy, and I felt kind of bad about social-engineering him. But then I put those feelings aside and told him I needed the current source code release for the Nokia 121 cell phone. He extracted the latest version to a temporary directory in his user account, which I then had him transfer (via FTP) to Colorado Supernet. At the end of the call, he wasn’t suspicious in the least and even invited me to call him back if I needed anything else.
That all went so smoothly that I thought I’d see if I could gain direct access to Nokia’s network in Salo. A call to an IT guy there proved awkward when his English turned out not to be all that good. Maybe a Nokia facility in an English-speaking country would be more productive. I tracked down a Nokia Mobile Phones office in the town of Camberley, England, and reached a lady in IT named Sarah, who had a deliciously thick British accent but used so much unfamiliar slang that I had to stay focused and pay close attention.
I cited my standard excuse of “problems with the network connection between Finland and the U.S., and a critical file to transfer.” The company didn’t have direct dial-ups, she said, but she could give me the dial-up number and password for “Dial Plus,” which would let me connect to the VMS system in Camberley over an X25 packet switched network. She provided the X25 subscriber address—234222300195—and told me I would need an account on the VAX, which she would set up for me.
At this point I was on edge, in a state of high excitement, because I was pretty sure I’d be able to get into my target, “Mobira,” one of the VMS systems used by Nokia’s Cellular Engineering Group. I logged in to the account and quickly exploited a vulnerability that gave me full system privileges, then gave a “show users” command to list all the users currently logged in, which in part looked like this:
Username | Process Name | PID | Terminal |
---|---|---|---|
CONBOY | CONBOY | 0000C261 | NTY3: (conboy.uk.tele.nokia.fi) |
EBSWORTH | EBSWORTH | 0000A419 | NTY6: (ebsworth.uk.tele.nokia.fi) |
FIELDING | JOHN FIELDING | 0000C128 | NTY8: (dylan.uk.tele.nokia.fi) |
LOVE | PETER LOVE | 0000C7D4 | NTY2: ([131.228.133.203]) |
OGILVIE | DAVID OGILVIE | 0000C232 | NVA10: (PSS.23420300326500) |
PELKONEN | HEIKKI PELKONEN | 0000C160 | NTY1: (scooby.uk.tele.nokia.fi) |
TUXWORTH | TUXWORTH | 0000B52E | NTY12: ([131.228.133.85]) |
Sarah wasn’t logged in. Great: that meant she wasn’t paying much attention to what I was doing on the system.
Next I installed my modified Chaos Computer Club patch to the VMS Loginout program, which allowed me to log in to anyone’s account with a special password, first checking Sarah’s account to see if she might have access to the Mobira in Salo. I ran a simple test and realized that I had access to her account over a networking protocol called DECNET and didn’t even need her password: Mobira was configured to trust the VMS system in the UK. I could simply upload a script to run my commands under Sarah’s account.
I was going to get in! I was ecstatic.
I used a security bug to get full system privileges and then created my own fully privileged account—all in about five minutes. Within about an hour, I was able to find a script that allowed me to extract the source code for any Nokia handset currently under development. I transferred source code for several different firmware releases for the Nokia 101 and Nokia 121 phones to Colorado Supernet. Afterward, I decided to see how security aware the administrators were. It turned out they had security auditing enabled for events such as creating accounts and adding privileges to existing accounts. It was just another speed bump on my way to getting the code.
I uploaded a small VAX Macro program that fooled the operating system and allowed me to disable all the security alarms, without detection, just long enough to change passwords and add privileges on a few dormant accounts—probably belonging to terminated employees—in case I needed to get back in.
Apparently, though, one of the system admins noticed alerts that were triggered when I initially created an account for myself, before I had disabled the alarms. So the next time I tried to get into the Camberley VMS system, I found myself locked out. I called Sarah to see if I could learn anything about this. She told me, “Hannu disabled remote access ’cause there’s some hackering going on.”
“Hackering”—was that what the Brits called it?
Shifting gears, I decided to target getting a copy of the source code for a product referred to internally as “HD760”: the first Nokia digital phone that was currently under development. Reaching the lead developer, Markku, in Oulu, Finland, I convinced him to extract and compress the latest source code version for me.
I wanted him to transfer it via an FTP connection to a server in the United States, but Nokia had just blocked outbound file transfers because of the Mobira security breach.
How about loading it onto a tape? Markku didn’t have a tape drive. I started calling around to other people in Oulu, looking for a drive. Eventually I located a guy in IT who was very friendly, had a good sense of humor, and even more important, had a tape drive. I had Markku send him an archived file containing the code I wanted, and then talked to him about shipping the tape, once the code had been copied onto it, to the Nokia USA office in Largo, Florida. This took a good deal of arranging, but I finally got it put together.
Around the time I knew the package should be arriving, I began calling the mail room at Largo to see if it had gotten there yet. During the last of my several calls, I was put on hold for a long time. When the lady came back on the line, she apologized and said that because the department was moving offices, she would have to “look harder” for my package. Yeah, right: my gut instinct was that they were onto me.
A few days later, I enlisted the help of Lewis De Payne, who was also excited about the idea of getting the source code for this hot new phone. He did a little research and learned that the president of Nokia USA was a guy named Kari-Pekka (“K-P”) Wilska. For some lamebrained reason, Lewis decided to pose as Wilska, a Finnish national, and called the Largo office in that guise to request that the package be reshipped.
We would find out much later that FBI agents had been alerted and had gone to the Largo offices, where they were set up to record the next call either one of us made.
Lewis called, again as Wilska. He confirmed that the package had arrived and asked that it be shipped to a Ramada Inn near his office. I called the hotel to make a reservation for Wilska, knowing that the front desk would hold a package addressed to a guest who was booked to arrive.
The next afternoon, I called the hotel to make sure the package was ready for pickup. The lady I spoke to sounded uncomfortable and put me on hold but then came back on the line to say that yes, the package was there. I asked her to tell me how big it was. She said, “They have it at the bell desk, I’ll go find out.”
She put me on hold again and was gone for a long time. I became antsy, then a little panicky. This was a huge red flag.
Finally she came back on the line and described the size of the package, which did sound about right for a computer tape.
But by now I was feeling really uneasy. Did the bell desk really have it, or was this a setup, a trap? I asked, “Was it delivered by FedEx or UPS?” She said she’d find out and again put me on hold. Three minutes. Five. Something like eight minutes passed before I heard her voice again, telling me, “FedEx.”
“Fine,” I said. “Do you have the package in front of you?”
“Yes.”
“Okay, please read me the tracking number.”
Instead, she put me on hold yet again.
I didn’t need to be a rocket scientist to figure out that something was seriously wrong.
I fretted for half an hour, wondering what to do. The only sensible option, of course, would be to just walk away and forget the whole thing.
But I had gone to so much trouble to get that source code, I really wanted it. “Sensible” didn’t seem to enter into the equation.
After half an hour, I called the hotel again and asked to speak to the manager on duty.
When he came on the line, I said, “This is Special Agent Wilson with the FBI. Are you familiar with the situation on your premises?” I was half expecting him to reply that he didn’t know what I was talking about.
Instead he answered, “Of course I am! The police have the whole place under surveillance!”
His words hit me like a ton of bricks.
He told me that one of the officers had just come into his office, and I should speak with him.
The officer came on the line. In an authoritative voice, I asked for his name. He told me.
I said I was Special Agent Jim Wilson with the White Collar Crime Squad. “What’s happening down there?” I asked.
The cop said, “Our guy hasn’t shown up yet.”
I said, “Okay, thanks for the update,” and hung up.
Way too close for comfort.
I called Lewis. He was just walking out the door to go and pick up the package. I practically yelled into the phone, “Wait! It’s a trap.”
But I couldn’t leave it there. I called a different hotel and made a reservation for K-P Wilska, then phoned back the lady at the Ramada Inn and told her, “I need to have you reship the package to another hotel. My plans have changed, and I’m staying there tonight so I can make an early-morning meeting tomorrow.” I gave her the name and address of the new hotel.
I figured I might as well let the Feds chase another red herring for a while.
When I saw an ad for NEC’s newest cell phone, I didn’t care too much about the phone itself; I just knew I had to have the source code. It didn’t matter that I had already grabbed source code for several other hot cell phones: this was going to be my next trophy.
I knew that NEC, a subsidiary of NEC Electronics, had an account on the Internet service provider called Netcom. This ISP had become one of my principal routes for accessing the Internet, in part because it conveniently offered dial-up numbers in nearly every major city.
A call to NEC’s U.S. headquarters in Irving, Texas, provided the information that the company developed all its cellular phone software in Fukuoka, Japan. A couple of calls to NEC Fukuoka led me to their Mobile Radio Division, where a telephone receptionist found someone who spoke English to translate for me. That’s always an advantage, because the translator lends authenticity: she’s right there in the same building, speaking the same language as your target. The person at the end of the chain tends to assume you’ve already been vetted. And in this case, it also helped that the level of trust is so high in the Japanese culture.
The translator found a guy to help me who she said was one of the group’s lead software engineers. I told her to tell him, “This is the Mobile Radio Division in Irving, Texas. We have a crisis here. We’ve had a catastrophic disk failure and lost our most recent versions of source code for several mobile handsets.”
His answer came back, “Why can’t you get it on mrdbolt?”
Hmmm. What was that?
I tried, “We can’t get onto that server because of the crash.” It passed the test—“mrdbolt” was obviously the name of the server used by this software group.
I asked the engineer to FTP it to the NEC Electronics account on Netcom. But I got push back because that would mean sending this sensitive data to a system outside the company.
Now what? To buy some time, I told the translator that I had to take another incoming call and would phone back in a few minutes.
My brain conjured up a work-around that seemed as if it might do the trick: I would use as an intermediary NEC’s Transmission Division, in the automotive sector of the company, where the staff probably didn’t deal with much in the way of sensitive, company-confidential information and so would be less security-conscious. And besides, I wouldn’t even be asking for any information.
Telling the guy I reached in the Automotive Group, “We’re having networking difficulties between NEC Japan and the network in Texas,” I asked if he would set up a temporary account so I could FTP a file to him. He didn’t see any problem with doing that. While I waited on the phone, he set up the account and gave me the hostname for the NEC server, as well as the log-in credentials.
I called Japan back and gave the information to the translator to pass along. Now they would be transferring the source code to another NEC facility, which got them out of their discomfort zone. It took about five minutes for them to complete the transfer. When I called back the guy in the Transmission Division, he confirmed that the file had arrived. Because of the way I had set this up, he naturally assumed that I had sent it. I gave him instructions for FTPing the file to the NEC Electronics account at Netcom.