Nokia spokesman admits that previously reported vulnerabilities do exist

Aug 22, 2008 08:11 GMT

Nokia has confirmed that the major vulnerabilities reported by Polish security researcher Adam Gowdiak are valid. The flaws, in the Java Platform, Micro Edition (Java ME, formerly J2ME) runtime shipped on Nokia's widely used Series 40 phones, can result in vital phone functions being compromised.

Earlier this month Security Explorations, a Polish security research company, announced through its founder and CEO, Adam Gowdiak, that after six months of research it had discovered several highly critical vulnerabilities in the J2ME implementation used in Nokia Series 40 phones.

At the time, Mr. Gowdiak said that Sun and Nokia had been given the vulnerability information, though not the full research or the proof-of-concept code, and that both companies had confirmed receiving his report. A Sun spokesman later said that the flaws were confined to older J2ME implementations such as Nokia's and did not affect J2ME in general; Sun's current implementation, the CLDC HotSpot Implementation (CLDC-HI), does not suffer from them. "Sun can confirm that there are a couple of potential vulnerabilities outlined that are specific to J2ME but those are limited to older versions of J2ME," he added.

Nokia investigated the claims for some time before making any statement. On Thursday, Nokia announced that it had been "investigating the allegations made, using [its] normal processes and comprehensive testing," and that it could "confirm that both claims are valid in some of [its] products." The announcement also noted that the testing "[had] been concentrating on products that might have both of the claims present."

Nokia is working on a fix for the issues but does not consider them a serious risk. "We do not currently believe these issues represent a significant risk to customers' devices," said Mike Durrant, Communications Director for Nokia's Corporate Development Office. Gowdiak, by contrast, considers the vulnerabilities very serious and easy to exploit, having previously stated that "by combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed." Mr. Durrant, however, maintains that "this requires deep technical skill" and that it "isn't something someone in a garage is going to be able to sort out in an afternoon." Durrant adds that "[Gowdiak's] clearly a smart guy."

Mr. Gowdiak and his company chose a controversial approach to vulnerability disclosure, asking Nokia and Sun for a payment of almost $30,000 in exchange for the full research, which runs to around 180 pages and 14,000 lines of proof-of-concept code. Mr. Durrant pointed out that Nokia had a complete copy of the research, but declined to say whether it had been paid for. He did comment on the approach, saying that "it would be very easy for there to be an idea that you can hold companies to ransom," but "the reality is he [Gowdiak] has done a significant amount of research, and clearly it's understandable he wants to find a way to monetize that." Kaisa Hirvensalo, a spokeswoman for Nokia, also noted that "for obvious reasons of security, we will not comment further on the detail of our activities with Security Explorations."