Researcher reveals critical Java bugs in Nokia phones
Adam Gowdiak hopes Sun, Nokia will fork over nearly $30,000 for all the details
Computerworld - A pair of critical vulnerabilities in Sun Microsystems Inc.'s Java technology for mobile devices could be used by hackers to surreptitiously make calls, record conversations and access information on Nokia Series 40 cell phones, a Polish researcher said today.
Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two vulnerabilities to Sun last Thursday and notified Nokia the same day of the security issues in its handsets.
However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he has uncovered — approximately one to two pages' worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to pony up €20,000 ($29,826 U.S. at Monday's exchange rate).
The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making calls and sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia Series 40 phone, obtain read-and-write access to its contact list, access its SIM card and more, added Gowdiak.
"This can completely wipe out any security within J2ME," said Gowdiak in an interview Monday. "It allows [attackers] to do anything malicious on any mobile device."
All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world's most widely used mobile platform, according to Nokia. Gowdiak estimated that about 140 different Nokia handsets use the Series 40 platform.
All an attacker needs in order to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously crafted series of messages to a given phone. "By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user," he said.
Gowdiak tested seven different Nokia Series 40 handsets — "at least one from each major family in the series," he said — but he suspects that other manufacturers' phones that use J2ME may also be vulnerable.
He said that the most current version of Sun's Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer's kit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia's.