A researcher discovered very high-risk vulnerabilities that could put all J2ME phones in danger

Aug 12, 2008 13:37 GMT

Adam Gowdiak, a Polish researcher, announced that he has discovered highly critical bugs in J2ME (Java 2 Micro Edition) that a remote attacker can easily exploit to take control of all vital phone functions: make calls, send text messages, record video and audio, access any file, read the contacts list, and so on. His research, including a successful exploit, was performed on Nokia Series 40 phones, "at least one from each major family in the series," as he points out, but he thinks this could work on any phone that runs the J2ME platform.

Mr. Gowdiak has reported multiple J2ME vulnerabilities over the past few years, but with his latest discovery he is taking a rather controversial approach. According to him, the research based on these findings is impressive and took over six months of hard work. While he notified both Sun and Nokia about the vulnerabilities and gave them the basic information they would need to start looking into them, he requested 20,000 euros ($29,800) for a full copy of the research with proof-of-concept code included.

The money is supposed to fund his own security company, called Security Explorations. He knows this will attract both positive and negative reactions from the security industry and the community but feels that "they have a choice whether they want to sign up for our security research or whether they want to [devote] research engineers of their own to investigate the vulnerabilities". He also feels that he offered the companies what they need to get started. "In our opinion, they have full vulnerability information," he pointed out.

The vulnerabilities can be exploited in much the same way malware attacks computers. All an attacker has to do is send a series of messages to the phone's number to deploy the malicious application. This puts a massive number of phones at risk considering that, according to Nokia, the Series 40 phones are the most widely spread devices in the world and over 140 Nokia models use this platform. Gowdiak mentioned that "by combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won't be visible to the user".

The seriousness of these findings does not stop here: the Java Wireless Kit, the popular software development kit for building wireless J2ME applications, also suffers from the same bugs, which makes any application developed using the SDK vulnerable to attack even if it is not intended for Nokia Series 40 phones. Gowdiak stressed that "this is the first time that such a widespread and critical attack has been demonstrated against Nokia's Series 40 devices".

Nokia and Sun have not released an official statement regarding this situation yet, but Gowdiak said they confirmed receiving his report. Whether they will choose to buy the full research or not remains to be seen. Whether more information will be available for free after the companies release patches is also not certain, as Gowdiak mentioned only that they'll consider it.