A Polish hacker and self-professed security expert claims to have discovered vulnerabilities in the mobile Java technology implemented by Nokia in its mid-range S40 devices, potentially putting millions of handsets at risk.
Adam Gowdiak, who is in the process of setting up a security research firm, Security Explorations, claims the bugs affect around 140 different models of Nokia phone. But given the proliferation of the latest version of Sun’s Java ME, the number of vulnerable devices could run to 1.5 billion including other makes of handset.
He also claims the mobile Java vulnerabilities allow hackers to completely bypass security restrictions and install malicious applications on a victim’s device, without their knowledge.
However, Gowdiak has drawn fire over his method of raising awareness of the bugs. He has not made the information publicly available, at least not for free. Instead he is offering a 178-page technical report, including proof of concept code, for the sum of Eur20,000.
Gowdiak says he is reluctant to give months of research away for free, and intends to raise something in the region of Eur1m in order to set up Security Explorations.
It’s not clear whether Nokia has bought the research, but Gowdiak believes the end users should be aware of a potential vulnerability as soon as the vendors are, even if the finer details are not made public.
The hacker claims to be able to achieve a list of feats on vulnerable devices without the owner’s knowledge or consent, including SMS, MMS, WAP and PUSH message sending; establishing arbitrary phone calls and internet connections; full read and write access to the files stored on a device; audio and video stream recording; full access to the contacts database; access to the SIM card; and backdoor application installation on the phone with network operator or manufacturer’s privileges.
Gowdiak hints that the hack is achieved by sending a specially crafted sequence of messages to a given Nokia phone and likens the attack to one on a PC. All malicious applications can be executed in the background, which means they are invisible on the phone screen and to the user, Gowdiak said.
The problem here, as one of our analysts at Informa points out, is that S40 is not a multitasking OS, which presumably means apps cannot be executed in the background.
“As far as I know S40 does not do multitasking, which means nothing else can be executed if the user uses the phone. When the phone is not used, anything executed will surely be transparent and exposed to the UI,” said Informa principal analyst Malik Saadi.
The hacker also revealed he had taken a look at the security of the Android platform, but hinted that as the operating system is still in development, developers would be given proper time to fix any issues prior to the official product release.
Update: Gowdiak has responded to our questions about multitasking on S40 and points out it’s a feature of the Java Virtual Machine used on selected Nokia S40 devices. “We verified that it is possible to run Java applications in parallel on certain Nokia Series 40 phones,” he said.