Java Card - Press Info no. 2
AUG 2008

Mobile Java and Nokia phones - Press Info

Security Explorations, a security research start-up company from Poland discovered two very serious security vulnerabilities in mobile Java technology coming from Sun Microsystems (NASDAQ: JAVA) and used by Nokia (NASDAQ: NOK) in its Series 40 devices. This family of Nokia devices is the world's most widely used mobile device platform. It includes over 140 models of different phones ranging from mass-market devices to handsets for specific market segments, such as music or fashion. The total number of Series 40 devices is estimated to be in the range of several hundreds of millions.

Mobile Java vulnerabilites discovered by Security Explorations allow to completely bypass security restrictions of a Java environment and silently conduct certain malicious actions on a vulnerable phone without the user's consent.

Research arm of Security Explorations proved that the following malicious actions could be successfully conducted in a reliable manner on vulnerable Nokia phones:

  • arbitrary SMS / MMS / WAP PUSH message sending
  • establishing of arbitrary phone calls
  • establishing of arbitrary Internet connections
  • full read and write access to the files stored on a device
  • silent audio and video streams recording
  • read and write access to the contacts database
  • access to the phone's SIM card
  • persistent and stealth backdoor application installation on the phone with network operator or manufacturers privileges

The total number of vulnerable Java enabled handsets could reach the 1.5 billion mark due to the high possibility that a reference implementation of Sun's mobile Java technology is affected. This reference implementation is used by most of the mobile handsets manufacturers today. Security Explorations successfully verified that Sun's implementation of mobile Java technology used in its latest version of Java Wireless Toolkit software is vulnerable to the discovered flaws.

Security Explorations was also able to discover multiple (14 in total) security issues in Nokia Series 40 devices that among other things allow for the remote attack against Nokia handsets. Remote attackers can obtain unathorised access to selected Nokia devices by just sending a properly crafted sequence of messages to a given Nokia phone. All that an attacker needs to furnish a remote attack is a cell phone number of a target device. In a result of the attack, remote attackers can deploy and run malicious Java applications (like backdoor, malware or virus) on the attacked handset. Again, all of that can happen automatically and without the user's consent. This is the first time, such a widespread and critical attack is demonstrated against Nokia's Series 40 devices. Security Explorations proved that these devices can be hacked in a very similar way PC computers are hacked these days.

Remote attack and backdoor application installation on selected Nokia Series 40 devices was successfully verifed in the environment of a real GSM network in Poland.

On selected Nokia devices, malicious application deployed by attackers can be executed in the background, which means that it will be not visible on the phone screen at all during its operation. Such a feature of a mobile Java implementation used in Nokia devices can be exploited by the attacker to silently control the vulnerable device. Security Explorations implemented command shell application that could be used to run arbitrary commands on a hacked Nokia Series 40 phone. Silent control over the attacked Nokia devices was also demonstrated by the research arm of the company.

Security Explorations offers early access to its research report SE-2008-01 J2ME Security Vulnerabilities 2008) presenting detailed analysis of the discovered vulnerabilities. This comprehensive technical report is 178 pages long and it discusses in a detail the impact and exploitation techniques of discovered vulnerabilities. This report is also accompanied by 14 000 lines of proof of concept codes demonstrating successfull attack against mobile Java technology and Nokia Series 40 devices.