Hacker claims millions of Nokia phones at risk from Java bug

A Polish hacker and self professed security expert claims to have discovered vulnerabilities in the mobile Java technology implemented by Nokia in its mid-range S40 devices, potentially putting millions of handsets at risk.

Adam Gowdiak, who is in the process of setting up a security research firm, Security Explorations, claims the bugs affect around 140 different models of Nokia phone. But given the proliferation of the latest version of Sun’s Java ME, the number of vulnerable devices could run to 1.5 billion including other makes of handset.

He also claims the mobile Java vulnerabilities allow hackers to completely bypass security restrictions and install malicious applications on a victim’s device, without their knowledge.

However, Gowdiak has drawn fire over his method of raising awareness over the bugs. He has not made the information publicly available, at least not for free. Instead he is offering a 178 page technical report, including proof of concept code, for the sum of Eur20,000.

Gowdiak says he is reluctant to give months of research away for free, and intends to raise something in the region of Eur1m in order to set up Security Explorations.

It’s not clear whether Nokia has bought the research, but Gowdiak believes the end users should be aware of a potential vulnerability as soon as the vendors’ are, even if the finer details are not made public.

The hacker claims to be able to achieve a list of feats on vulnerable devices without the owner’s knowledge or consent, including SMS, MMS, WAP and PUSH message sending; establishing arbitrary phone calls and internet connections; full read and write access to the files stored on a device; audio and video stream recording; full access to the contacts database; access to the SIM card; and backdoor application installation on the phone with network operator or manufacturers privileges.

Gowdiak hints that the hack is achieved by sending a specially crafted sequence of messages to a given Nokia phone and likens the attack to one on a PC. All malicious applications can be executed in the background, which means they are invisible on the phone screen and to the user, Gowdiak said.

S40 is not a multitasking OS, which means apps cannot be executed in the background, but speaking to telecoms.com, Gowdiak pointed out that multitasking is a feature of the Java Virtual Machine used on selected Nokia S40 devices. “We verified that it is possible to run Java applications in parallel on certain Nokia Series 40 phones,” he said.

The hacker also revealed he had taken a look at the security of the Android platform, but hinted that as the operating system is still in development, developers would be given proper time to fix any issues prior to the official product release.

Neither Gowdiak nor Nokia would not comment on whether Nokia has bought his research.

Leave a comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


There are no upcoming events.


What is your name?

Loading ... Loading ...