Some time ago, before the English version of NokiaMob existed, we covered an interesting, movie-like report on our Croatian site that someone stole a Symbian encryption key from Nokia in 2007. It was first reported (in 2014) that the key allowed a 3rd party to install applications without users' knowledge or consent, but MTV.fi, which broke this story, reports that by doing that the 3rd party could gain access to the microphone, messages, photos and other system features.
The police were involved in the case, but Nokia decided to fulfill the demands to get the encryption key back. In 2017, the investigation was closed, and a year later tasty details about it were made public.
In the year 2007, a Nokia employee received an email in which the sender claimed to be in possession of a Symbian encryption key and asked for a ransom to return the key to Nokia. The issue was brought up to the highest levels of the company, but the circle of people involved was kept tight so as not to spread panic about a potentially serious vulnerability in what was, back then, the most used mobile operating system on the planet. In a six-month-long negotiation, the perpetrator(s) at first used Gmail addresses like “email@example.com, firstname.lastname@example.org or email@example.com”, and later SMSs from burner phones to communicate.
Nokia involved the Finnish police in the case, but in the end, after, I assume, unsuccessfully tracing the person of interest, they decided to pay 2 million euros to get their encryption key back. In a somewhat “Robin Hood-like” story, Nokia was asked, or better to say blackmailed, to donate 400,000 euros to two charities – Arvo and Lea Ylppö Foundation (a group supporting efforts in pediatric neurology) and the Lasentautien Tutkimussäätiö (a foundation researching childhood diseases). Nokia also delivered 1.6 million euros in a bag (30 kg, if you’re interested in how much that sum of money weighs) at an agreed pickup location.
The 400,000 euro donation was announced as if Nokia had donated the money to the charities without any pressure. The police lost track of the money, and Nokia asked the police not to conduct an active investigation or cooperate with foreign agencies before the company had reduced the risk for its customers. In 2011, the risk was reduced to a minimum and the police got the green light from Nokia to publicly investigate the case, but the perpetrator was never found.
It’s pretty clear why Nokia decided to pay the sum for the encryption key. The key, a few kilobytes in size, could endanger millions of Nokia devices – to be precise, Symbian 9.1 S60 devices from the famous N and E series, which would cost the company billions. That year, Nokia’s revenue surpassed 50 billion euros with over 8 billion euros in profit. The company could afford 2 million, and it was critical to resolve the situation as quickly as possible, because a leak of the story to the press could cause a serious amount of damage, even before the thieves made the key public.
This story also shows the power that Nokia had back then: the company gave the authorities the green light for the investigation, which shows the trust placed in Nokia and the seriousness of the situation. As Uncle Ben said: “With great power comes great responsibility”, and Nokia had a lot of power and responsibility back then as the biggest vendor of mobile devices on the planet. Releasing the encryption key would have impacted customers way beyond Finland, and everyone involved in the process was certainly well aware of that.
We could also point out that 4 years were needed for Nokia to reduce the risk to a minimum, which suggests problems with OS development and, on the other hand, emphasises the need for regular security updates. If you’re after more context about the situation regarding Symbian and the critical years of Nokia’s phone business, from the bottom of my heart I recommend the book Operation Elop. It gives a good overview of what happened and why Nokia sold the Devices and Services division to Microsoft.
What do you think about this story? Tell us down below. 🙂