Warning - Fraud/Cloning on VZW 700WX

[rpgraves]

Greetings everyone, It’s been a strange week for me. I support my company’s corporate cell/Smartphone users. We have 135 700WX from Verizon. Tuesday I receive a call from the VZW Fraud Department asking me to confirm if one of my users was in the Dominican Republic. (Santa Domingo to be exact). I called the users assistant who stated that he was in his office! I called vzw back and they confirmed that they have been seeing some cloning issues out of that area and that I needed to install the 1.22_ or 1.22 R1 firmware upgraded. They stated that VZW and Palm recently discovered a 'hole' in the security setting on the previous versions of the firmware and that the 1.22 R1 updated corrected the issue and prevented the cloning.

I will be honest, I really don’t understand how this is happening and VZW and Palm are being extremely tight lipped about the cause of this issue.

Since Tuesday, I have had 4 Treo's reported as cloned by Verizon Wireless.

I will also point out that the 1.22 R1 or 1.22_ was issued in Sept 2007. I have received a new 700 WX that did not have the updated (1.22R1) firmware on the device. The last devices I received was this past Monday 7/21. It appears that for some reason devices are still being shipped with out the most recent firmware.

Needless to say, I am not too happy with Verizon Wireless right now.

Is anyone out there having the same issue with their device(s)?

[gksmithlcw]

I hope this doesn't affect the 1.15 Sprint revision...

[GeekCop]

First I've heard of this.

[kocoman]

I thought USA networks uses the AKEY. If the Treo was cloned to 'another phone', that cannot be avoided with an Treo update.

[Ebag333]

Quote:

Originally Posted by kocoman

I thought USA networks uses the AKEY.

USA networks (or at least Sprint) does not use the AKEY.

The only way I know to clone a phone is to steal the NV. My guess is that someone was trying random ESN's on their phone, and got lucky (or unlucky, depending on your perspective).

There's no way to "steal" an ESN (which is all that they really care about as far as the phone goes).

[kocoman]

You can steal accounts if you know the following

ESN attached to account
MSID attached to account
Phone # attached to account

All 3 MUST match exactly as per victim account, then it will work

[Ebag333]

Quote:

Originally Posted by kocoman

You can steal accounts if you know the following

ESN attached to account
MSID attached to account
Phone # attached to account

All 3 MUST match exactly as per victim account, then it will work

Actually for Sprint you just need the ESN and phone #.

That's all I needed when I rebuilt my NV from scratch.

I dunno about Verizon, but I'd imagine it'd be similar.

[rpgraves]

I just received an update from my contact at Palm regarding this issue. Nothing yet from Verizon although my account team has been a big help in updating the 135 devices that needed the patch.

The following info is for Verizon Customers only.

According to my palm rep, he stated that if the device was manufactured prior to April 4, 2007 and does not have " TREO700WX_-1.22-VZW " software version (the underscore is critical). the device is at risk for cloning. If the device was manufactured after 4/4/07 and has software version TREO700WX-1.22-VZW, the device is not at risk and does not require any action.

My thought is better safe than sorry, so I continue to install the _-1.22 software on ALL devices regardless of manufacture date.

As of this posting, I have had 5 devices 'hotlined' by the VZW Fraud Dept. because of this issue.

[Ebag333]

Hum.

I still fail to see how a device could be more at risk or less at risk regardless of the ROM. There's no way an ESN is even useful without the matching phone number.

Something smells fishy to me here.

How many devices do you have in the field?

[docstang]

Got a text today from VZW pointing to link with the following message:
I guess there are some "billing" issues.

July 2008


Dear Customer,


Palm has posted a critical software patch for customers with a Palm Treo 700p, Palm Treo 700w and Palm Treo 700wx handset. This patch is important to ensure proper billing.


Please visit the Palm website (www.palm.com/us/support/downloads/) from your PC to ensure that you have the latest firmware and software installed on your smartphone. Follow the instructions posted to check for a software upgrade.


If your device is already running the latest software, the website information will inform you and no further action will be needed on your part.


If your device needs to be updated, the Palm upgrade tool will upgrade your device's software and apply any patches as needed.


Thank you for your business,
Verizon Wireless

[Ebag333]

Makes me wonder if there was something in the 1.22 patch to try and close some of the phone as modem loopholes.

Many companies are trying to cut back on data usage they're not getting (directly) paid for.

[kocoman]

You can also clone the Treo's esn into a data card (like Novatel U720), the tethered connection is much more stable under high load. ie: no modem freeze, hang-ups..etc,

[strykernyc]

I just want to point out that Verizon is the owner for all the telecom/wireless service on the Dominican Republic. something is fishy here.

[rpgraves]

Quote:

Originally Posted by Ebag333

Hum.

I still fail to see how a device could be more at risk or less at risk regardless of the ROM. There's no way an ESN is even useful without the matching phone number.

Something smells fishy to me here.

How many devices do you have in the field?

I have 135 devices. All VZW 700 wx.

I would agree that something is fishy... VZW has refused to issue my company a statement explaining the cause of the issue and what VZW is doing to prevent it from happening in the future.

[Ebag333]

The whole "manufacturing" date is extremely curious to me.

The manufacturing date shouldn't matter as for the 700, as far as I know they were all essentially identicle except for the 32 megs RAM vs 64 megs.

Maybe Malatesta or someone else can shed light on possible hardware changes?

But regardless, I'm not sure why a VZW phone with an older version of the ROM would not be at risk if manufactured after April 4th, 2007. I can understand a security hole in the ROM, but Sprint should have had the same problem if this was true, and I am unaware of any noise from their side.

I've compared the different ROM's and am unable to find this major security hole that could cause it. Frankly, I call BS on them for this.

If I were in your shoe's I'd be upgrading to 1.22 anyway. But for different reasons than someone (theoretically) stealing your ESN.

[realace]

OK, this happened to a person I know as well. They said the same thing, "your phone was cloned and someone was making calls to the Dominican Republic".

Wanted to upgrade to the underscore version. Very strange....

[Ebag333]

Just one more reason to be glad I'm not with Verizon. Their primary color should be brown, not red.

[Ebag333]

That was e-mailed to me from another user who had this problem.

Quote:

------------ Begin --------------

I will apologize up front here as I'm tired and this is mostly just a
way to get past being ****ed off at VZW for not watching out for the
customer.

I have a Treo 700p and it was cloned Friday night, just in time for the
weekend. If you're wondering how to tell if your phone has been cloned,
it's really easy. Call yourself from another phone. If you get no
indication whatsoever of that call happening, including voicemail
notification, you're in trouble. If you periodically get through, it's
likely due to the other phone having been turned off and your phone is
termporarily winning.

I just went through the process of getting my phone back from being
cloned. The most awesome part of this is the complete lack of support
that VZW gives to prevent the inconvenience of having your phone cloned.

The sequence of events:

1. Drive to Vegas for a weekend conference on a Thursday
2. Friday evening, no calls or text messages are getting through to
my phone
3. Sunday, while driving back, I have eleven (11) voice mails with no
evidence of a missed call or that I might have a voicemail.
4. Sunday night, contact VZW help (611) and find out that:

A) support will try to help you and tell you they believe that
your phone has been cloned. Once they believe that your phone
has been cloned, they will tell you that something is wrong
with the device and you should hard reset it.

This will do you no good, whatsoever. However, I'm pretty sure
that they have a pool running on the other end of the phone to
see how many customers they can stroke out by zapping all of
the data on their phones "on accident."

B) The cloning and fraud department at VZW only works M-F,
0500-1800 PST. Obviously, this is because your phone can only
get cloned during banker hours. *SIGH*

C) Nobody at VZW can actually look at your account and tell you if
there are weird charges on the bill. In my case, there was no
indication of misuse during the episode and the one phone call
that I did get from the DR was from a local area code.

5. Monday morning, call VZW cloning/fraud department. I had to speak
to two separate people to complete my phone transaction.

The first person was very kind and genuinely wanted to help me but
was an idiot. "Yes, Mr. Smith, I'm going to send you a text
message with the URL you can use to update your phone firmware
with."

"But my phone has been cloned."

"Right. Did you get the text message?"

The second person was ****ed off to be alive. They cut me off
every time I started to say something and then seemed to think
that it was obvious that doing a complete restore from backup to
the device would not overwrite the settings just downloaded from
Palm.

Anyway, the information that you will need to get your phone uncloned,
or that you should use to keep from having it get cloned in the first
place:

1. Go to
http://www.palm.com/us/support/downl...e/verizon.html

2. Follow the directions on updating your phone firmware.

3. After the 35 minutes it takes the software to install, call
cloning/fraud at the number below:

Cloning/Fraud Dept.
888 483-7200
Hours: M-F, 0500 - 1800 PST only

4. They will "verify" your phone via the following process:

o Dial #2539 - Authorization from verizon host, they send
programming to phone.
o Turn phone radio off
- Tell support person when it's off
o Turn phone radio on
- Tell support person when it's on


NOTE: It's very likely that over the air programming ( *228, option 1 )
will not work at this time since your phone has been flagged in
the system as being cloned. It may take a day or more for this to
clear. However, updating roaming ( *228, option 2 ) works.

After updating your phone, the firmware version displayed for the phone
firmware is Treo700p_-1.10-VZW.

According to a treocentral article on the interweb [0] and the Verizon
tech, this flaw is due to there being no AKEY shipped with the phone
firmware and has been known for quite some time. It's just now coming
up in numbers as it's been discovered at large. Most of the phone
numbers are being cloned to the Dominican Republic.

The importance of the A-Key is described well by this quote:

"Security of the A-Key is critical in a CDMA system. Over-the-Air
provisioning uses Diffie-Hellman algorithm, making it the best choice
for A-Key programming from the alternatives mentioned above.
Diffie-Hellman algorithm is used for secure key exchange between two
entities so that a third party cannot deduce the value in the process
of exchange." [1]

What this basically boils down to is that all the information required
to clone a phone is being broadcast unencrypted over the air for anyone
to partake of with very little effort.

Thank you so much, Verizon.

Adding insult to injury, not only did I lose use of my phone for an
entire weekend because my phone got nabbed on a Friday night and VZW
fraud/cloning works banker hours, but I had to perform a 90 minute hokey
pokey to get the new software installed, call back to VZW and then do
the hokey pokey, turn the phone off and on with VZW on the phone.

[0] http://discussion.treocentral.com/sh....php?p=1477412

[1] Over-The-Air Provisioning in CDMA, Rohini P.P., Gemplus Technologies, October 2004
http://www.cdg.org/resources/white_p...20Oct%2004.pdf

Anyone familiar with the AKEY setting? Mal, think this might be worthy of an article on WMExperts?