Skip the navigation

Researcher reveals critical Java bugs in Nokia phones

Adam Gowdiak hopes Sun, Nokia will fork over nearly $30,000 for all the details

August 11, 2008 12:00 PM ET

Computerworld - A pair of critical vulnerabilities in Sun Microsystems Inc.'s Java technology for mobile devices could be used by hackers to surreptitiously make calls, record conversations and access information on Nokia Series 40 cell phones, a Polish researcher said today.

Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two vulnerabilities to Sun last Thursday and notified Nokia the same day of the security issues in its handsets.

However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he has uncovered — approximately one to two pages' worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to pony up €20,000 ($29,826 U.S. at Monday's exchange rate).

The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making phone calls from the phone, sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia 40 model phone, obtain read-and-write access to its contact list, access its SIM card and more, added Gowdiak.

"This can completely wipe out any security within J2ME," said Gowdiak in an interview Monday. "It allows [attackers] to do anything malicious on any mobile device."

All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world's most widely used mobile platform, according to Nokia. Gowdiak estimated that about 140 different Nokia handsets use the Series 40 platform.

All an attacker needs in order to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously crafted series of messages to a given phone. "By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user," he said.

Gowdiak tested seven different Nokia Series 40 handsets — "at least one from each major family in the series," he said — but he suspects that other manufacturers' phones that use J2ME may also be vulnerable.

He said that the most current version of Sun's Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer's kit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia's.



Our Commenting Policies