He said that the most current version of Sun's Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer's toolkit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia's.
Nokia did not respond to a request for comment yesterday (11 August), and a Sun spokeswoman did not have any immediate information about the vulnerabilities reported by Gowdiak.
For his part, Gowdiak said security teams at both companies had confirmed receiving his reports last week. "They seem to be working on these issues," he added.
But the vulnerabilities may not be what many focus on, Gowdiak admitted.
To fund his start-up - a Poland-based company called Security Explorations - Gowdiak is selling copies of his research for 20,000 euros each. "There are six long months of work in this research," he said in justifying the price. "It was an enormous amount of research."
But Gowdiak is savvy enough to know that the move will be controversial. "Of course. The whole security arena is divided," he argued. "Some will be against this and some will be for it."
He said that the amount of information he had turned over to Sun and Nokia was "similar" to what he had disclosed to vendors previously. "We're not blackmailers, we're not black hats," he said. "They have a choice whether they want to sign up for our security research or whether they want to [devote] research engineers of their own to investigate the vulnerabilities.
"But in our opinion, they have full vulnerability information."
He also stressed the special nature of the vulnerabilities he had discovered. "This is the first time that such a widespread and critical attack has been demonstrated against Nokia's Series 40 devices," he said. "We have proved that these devices can be hacked and infected with malware in a very similar way PC computers are."
Still, he was on the defensive. "Some people will attack us, and hate us," he said, for selling research in this fashion. "But in time, people will be able to judge on their own whether we got it right."
He stopped short, however, of promising to release more information once Sun and/or Nokia had patched their software. "We're considering it," was as far as he would go.