Skip to content

Report: Nokia's 2m euro extortion investigation hobbled by secrecy

New details have emerged in the recently-closed and unsolved probe of a decade-old case involving Nokia, a vital encryption code and the extortion of two million euros, according to Finnish news outlet MTV.

Nokia's N93 phones on display, a few of the company's millions of devices that were made vulnerable to attack by the threats by extortionists made in 2007. Image: Tero Ylioja / Yle

In 2007 Nokia was at the peak of its prowess and selling more cellular phones than any other firm in the industry, with all-time high profits, market share and turnover. At the same time the company had become a target of software security extortion.

Part of the story came to light after Finnish news outlet MTV reported about it in 2014.

Finland's National Bureau of Investigation closed the case at the beginning of 2018, and has since released some details about the mysterious matter.

Details about some of those documents were published in a new report by MTV on Thursday.

Threat prompts "panic" at Nokia

According to MTV, the extortionist had apparently chosen to email a random employee to inform the company that a crucial digital encryption key for many of its devices had been stolen. The digital key file was only a couple of kilobytes and could have been distributed to countless hackers who could have taken control of millions of Nokia mobile devices.

The employee showed the message to company security officials but it took some time for the firm to react. Once the reaction did come, it was in the form of "panic," MTV quoted an anonymous source.

According to a article (siirryt toiseen palveluun) posted in June 2014, attackers with the digital key could have access to sign and install their own applications and bypass security mechanisms.

The vulnerability posed a huge risk to many of Nokia's phones running the third edition of Series 60 (a "hardened" version of its proprietary Symbian OS 9.1), including their popular lines of E- and N-series phones, according to PCWorld.

Had the extortionist followed through with threats, Nokia phones using that version of the operating system could have been taken over entirely.

To avoid a public relations crisis, MTV reports, the company decided to pay the ransom, and did.

Million-euro dropoff at Tampere marina

Most of the ransom money was dropped off in cash by company security officials at a marina in Tampere, central Finland. At this point, the ransom notes were no longer arriving by email, but rather by SMS text message.

The ransom money — some 1.6 million euros weighing about 30kg — was packed in a large bag and left at the designated pickup spot. The bag was collected, but police lost track of the suspect and the money disappeared, MTV reports.

The remaining fifth of the money -- some 400,000 euros -- was donated to two charitable foundations at the blackmailer's request, MTV writes.

Those foundations were the Arvo and Lea Ylppö Foundation (a group supporting efforts in pediatric neurology) and the Lasentautien Tutkimussäätiö (a foundation researching childhood diseases).

But Nokia, making no mention of the contributions' origin, made the donation as if the company had come up with the idea.

"The well-being and learning projects for children and young adults around the world are an important part of Nokia's values and our work as corporate citizens," Veli Sundbäck, Nokia's SVP of corporate relations stated in a press release at the time.

Investigation launched later

The company had informed law enforcement about the threats very quietly because Nokia wanted to avoid the matter going public. As a result, investigators' hands were effectively tied for years.

Nokia had reportedly requested that no active investigation should be carried out about the case, but the NBI tracked down the email addresses as well as identified a cell phone and pinpointed an IP address used in the crime.

Documents also showed that by March of 2011 -- four years it was approached for money -- Nokia had decided that an investigation could go ahead, after the Symbian operating system had been adequately updated.

Despite their leads, investigators were never able to find the perpetrator or perpetrators of the crime, according to MTV.