Researcher reveals critical Java bugs in Nokia phones
Adam Gowdiak hopes Sun, Nokia will fork over nearly $30,000 for all the details
Computerworld - A pair of critical vulnerabilities in Sun Microsystems Inc.'s Java technology for mobile devices could be used by hackers to surreptitiously make calls, record conversations and access information on Nokia Series 40 cell phones, a Polish researcher said today.
Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two vulnerabilities to Sun last Thursday and notified Nokia the same day of the security issues in its handsets.
However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he has uncovered — approximately one to two pages' worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to pony up €20,000 ($29,826 U.S. at Monday's exchange rate).
The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making phone calls from the phone, sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia 40 model phone, obtain read-and-write access to its contact list, access its SIM card and more, added Gowdiak.
"This can completely wipe out any security within J2ME," said Gowdiak in an interview Monday. "It allows [attackers] to do anything malicious on any mobile device."
All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world's most widely used mobile platform, according to Nokia. Gowdiak estimated that about 140 different Nokia handsets use the Series 40 platform.
All an attacker needs in order to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously crafted series of messages to a given phone. "By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user," he said.
Gowdiak tested seven different Nokia Series 40 handsets — "at least one from each major family in the series," he said — but he suspects that other manufacturers' phones that use J2ME may also be vulnerable.
He said that the most current version of Sun's Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer's kit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia's.
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to... All Cybercrime and Hacking White Papers | Webcasts