
Polish researcher breaks Nokia and mobile Java security

Cliff Saran

Security holes in the Java software used in the Nokia S40 handset could let hackers take control of the phone, a security researcher has claimed.

Adam Gowdiak, founder and chief executive officer of Polish security start-up Security Explorations, said hackers could exploit the weakness to make calls and tap into telephone conversations.

Sun's Mobile Java technology is used by many mobile manufacturers to enable users to download and run applications like mobile Java games and productivity tools.

In a posting on the Bugtraq security website, Adam Gowdiak said he had discovered two serious security vulnerabilities in Sun's mobile Java technology.

Adam Gowdiak said: "The vulnerabilities allow [hackers] to completely bypass Java security restrictions and conduct certain malicious actions on a vulnerable device."

Gowdiak said the security hole could be exploited to force the phone to send SMS, MMS and WAP messages, make phone calls and establish internet connections.

The security vulnerability also gives an intruder full access to files stored on a device, including video and audio recording, full phonebook access and SIM card access.

He warned that a hacker could use the security hole to install backdoor code on the device without the user's knowledge, and that this code would run with operator or manufacturer privileges.

Security Explorations estimates that 1.5 billion devices could be affected, as the vulnerability could affect other devices using the reference implementation of Sun's mobile Java technology (Sun Wireless Toolkit v. 2.5.2).

On the company's website Gowdiak is charging 20,000 euros to see his research. The fee provides access to proof-of-concept code - which can give an intruder full access to the phone's functions - and examples of a backdoor attack.

A self-confessed "experienced Java Virtual Machine hacker," Gowdiak said he had catalogued over 50 security issues uncovered in the Java technology over the last few years. Highlights of his career include being the first person to present successful and widespread attacks against the mobile Java platform in 2004.

Nokia did not comment.

