[ISN] Researcher Wants To Charge Nokia, Sun For Phone Vulnerability

From: InfoSec News <alerts_at_private>
Date: Wed, 13 Aug 2008 01:22:30 -0500 (CDT)
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210002897

By Marin Perez
InformationWeek
August 12, 2008

A security researcher said he has discovered serious vulnerabilities in 
the mobile Java technology on some Nokia (NYSE: NOK) handsets, but his 
method of raising awareness of this bug is potentially controversial.

Security researcher Adam Gowdiak, who is setting up the security company 
Security Explorations, said he's found 14 vulnerabilities in Java 2 
Micro Edition (J2ME) that could allow hackers to attack Nokia's Series 
40 handsets.

Gowdiak told InformationWeek he provided Sun Microsystems (NSDQ: JAVA) 
and Nokia with a briefing of the vulnerabilities he's uncovered. But 
he's charging the companies 20,000 euros, or about $29,870, to get the 
rest of the 178-page report detailing the security flaws, including two 
proof-of-concept tests.

The Nokia Series 40 is a proprietary platform that operates the majority 
of the company's midrange handsets. This means that potentially hundreds 
of millions of devices are at risk, Gowdiak said.

With only the phone number, an attacker could send a series of messages 
that could exploit the flaw by putting malicious Java applications on 
the handset. This could allow the hacker to make calls, access the SIM 
card, record conversations, and install applications on the handset 
without the owner's knowledge, Gowdiak said.

[...]


Received on Tue Aug 12 2008 - 23:22:30 PDT
