Hackers could use critical Java flaws to surreptitiously make calls, record conversations and access information on Nokia Series 40 cell phones, according to a Polish researcher.
Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he has reported the two vulnerabilities to Sun, and notified Nokia the same day of the security issues in its handsets.
However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he's uncovered, approximately one-to-two pages worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to cough up 20,000 euros (£15,650).
The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making phone calls from the phone, sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia 40 model phone, obtain read and write access to the phone's contact list, access the phone's SIM card, and more, added Gowdiak.
"This can completely wipe out any security within J2ME," said Gowdiak. "It allows [attackers] to do anything malicious on any mobile device."
All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world's most widely-used mobile platform, according to Nokia. Gowdiak estimated that approximately 140 different Nokia handsets use the Series 40 platform.
All an attacker needs to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously-crafted series of messages to a given phone. "By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user," he said.
Gowdiak tested seven different Nokia Series 40 handsets - "At least one from each major family in the series," he said - but he suspects that other manufacturers' phones that use J2ME may also be vulnerable.