Unprotected Nokia mobiles

By exploiting some critical security vulnerabilities, attackers can do almost anything with some Nokia mobiles.

Security researcher Adam Gowdiak has highlighted a number of vulnerabilities that could cause issues when using Java 2 Micro Edition (J2ME). He has already notified Sun and Nokia employees of the vulnerabilities he has discovered. However, it did not provide a full description of the vulnerabilities, as it set the price at EUR 20 000 for a detailed description of the vulnerabilities and a code to exploit the vulnerabilities. Gowdiak justified the rather high price on the grounds that the material available for purchase was the result of six months of research.

According to Gowdiak, the vulnerabilities he discovered primarily affect mobile phones based on the Nokia Series 40 platform, but it is easy to imagine that they can be exploited in the case of other J2ME compatible devices as well. With the possibilities inherent in security holes, attackers can actually take full "control" over the affected phones. For example, they can make calls, send messages, record sound or video, read or modify the phonebook, and access data stored on SIM cards. Gowdiak said that any security feature of J2ME could be bypassed through the vulnerabilities. According to the news, to exploit the bugs, all you have to do is send specially edited messages to selected phones.

Gowdiak says there are 40 vulnerabilities in the Nokia Series 14. In addition, the Sun Java Wireless Toolkit hides additional security vulnerabilities that could also contribute to attacks on affected mobile phones.

Nokia and Sun have not yet officially responded to the security issues uncovered by Gowdiak. According to Gowdiak, he has received confirmation from both companies about the arrival of the vulnerability report, so presumably the experts from the two companies are still investigating the vulnerabilities.