Researcher reveals critical Java bugs in Nokia phones
Adam Gowdiak hopes Sun, Nokia will fork over nearly $30,000 for all the details
Computerworld - A pair of critical vulnerabilities in Sun Microsystems Inc.'s Java technology for mobile devices could be used by hackers to surreptitiously make calls, record conversations and access information on Nokia Series 40 cell phones, a Polish researcher said today.
Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two vulnerabilities to Sun last Thursday and notified Nokia the same day of the security issues in its handsets.
However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he has uncovered — approximately one to two pages' worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to pony up €20,000 ($29,826 U.S. at Monday's exchange rate).
The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making phone calls from the phone, sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia 40 model phone, obtain read-and-write access to its contact list, access its SIM card and more, added Gowdiak.
"This can completely wipe out any security within J2ME," said Gowdiak in an interview Monday. "It allows [attackers] to do anything malicious on any mobile device."
All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world's most widely used mobile platform, according to Nokia. Gowdiak estimated that about 140 different Nokia handsets use the Series 40 platform.
All an attacker needs in order to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously crafted series of messages to a given phone. "By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user," he said.
Gowdiak tested seven different Nokia Series 40 handsets — "at least one from each major family in the series," he said — but he suspects that other manufacturers' phones that use J2ME may also be vulnerable.
He said that the most current version of Sun's Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer's kit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia's.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts