Security holes in the Java software used in the Nokia S40 handset could
let hackers take control of the phone, a security researcher has
claimed.
Adam Gowdiak, founder and chief executive officer of the Polish security
start-up Security Explorations, said hackers could exploit the
weakness to make calls and tap into telephone conversations.
Sun's Mobile Java technology is used by many mobile
manufacturers to enable users to download and run applications like
mobile Java games and productivity tools.
In a posting to the Bugtraq security mailing list, Gowdiak said he had
discovered two serious security vulnerabilities in Sun's mobile Java
technology.
Adam Gowdiak said: "The vulnerabilities allow [hackers] to
completely bypass Java security restrictions and conduct certain
malicious actions on a vulnerable device."
Gowdiak said the security hole could be exploited to force the
phone to send SMS, MMS and WAP messages, make phone calls and
establish internet connections.
The vulnerability also gives an intruder full access to files stored on
the device, as well as video and audio recording, full phonebook access
and SIM card access.
He warned that a hacker could use the security hole to install
backdoor code on the device without the user's knowledge, and that such
code would run with operator or manufacturer privileges.
Security Explorations estimates that 1.5 billion devices could
be affected, as the vulnerability could affect other devices using
the reference implementation of Sun's mobile Java technology (Sun
Wireless Toolkit v. 2.5.2).
On the company's website Gowdiak is charging 20,000 euros to see
his research. The fee provides access to proof-of-concept code -
which can give an intruder full access to the phone's functions -
and examples of a backdoor attack.
A self-confessed "experienced Java Virtual Machine hacker," Gowdiak
said he had catalogued over 50 security issues uncovered in Java
technology over the last few years. Highlights of his career include
being the first person to present successful and widespread attacks
against the mobile Java platform, in 2004.
Nokia did not comment.