A pair of critical vulnerabilities in Sun Microsystems's Java technology for mobile devices could be used by hackers to surreptitiously make calls, record conversations and access information on Nokia Series 40 cell phones, a Polish researcher said Monday.
Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two vulnerabilities to Sun last Thursday, and notified Nokia the same day of the security issues in its handsets.
However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he's uncovered, approximately one-to-two pages worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to pony up 20,000 euros (US$29,826 at Monday's exchange rate).
The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making phone calls from the phone, sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia 40 model phone, obtain read and write access to the phone's contact list, access the phone's SIM card, and more, added Gowdiak.
"This can completely wipe out any security within J2ME," said Gowdiak in an interview Monday. "It allows [attackers] to do anything malicious on any mobile device."
All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world's most widely-used mobile platform, according to Nokia. Gowdiak estimated that approximately 140 different Nokia handsets use the Series 40 platform.
All an attacker needs to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously-crafted series of messages to a given phone. "By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user," he said.
Gowdiak tested seven different Nokia Series 40 handsets -- "At least one from each major family in the series," he said -- but he suspects that other manufacturers' phones that use J2ME may also be vulnerable.
He said that the most current version of Sun's Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer's toolkit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia's.
Nokia did not respond to a request for comment Monday, and although Sun did return a call, its spokeswoman did not have any immediate information about the vulnerabilities reported by Gowdiak.
For his part, Gowdiak said security teams at both companies had confirmed receiving his reports last week. "They seem to be working on these issues," he added.
But the vulnerabilities may not be what many focus on, Gowdiak admitted.
To fund his start-up -- a Polish-based company called Security Explorations -- Gowdiak is selling copies of his research for 20,000 euros each. "There are six long months of work in this research," he said in justifying the price. "It was an enormous amount of research."
But Gowdiak is savvy enough to know that the move will be controversial. "Of course. The whole security arena is divided," he argued. "Some will be against this and some will be for it."
He said that the amount of information he had turned over to Sun and Nokia was "similar" to what he had disclosed to vendors previously. "We're not blackmailers, we're not black hats," he said. "They have a choice whether they want to sign up for our security research or whether they want to [devote] research engineers of their own to investigate the vulnerabilities.
"But in our opinion, they have full vulnerability information."
He also stressed the special nature of the vulnerabilities he had discovered. "This is the first time that such a widespread and critical attack has been demonstrated against Nokia's Series 40 devices," he said. "We have proved that these devices can be hacked and infected with malware in a very similar way PC computers are."
Still, he was on the defensive. "Some people will attack us, and hate us," he said, for selling research in this fashion. "But in time, people will be able to judge on their own whether we got it right."
He stopped short, however, of promising to release more information once Sun and/or Nokia had patched their software. "We're considering it," was as far as he would go.