Serious security flaws found in J2ME and Nokia Series 40 phones

The Series 40 of Nokia is one of the most widely used mobile phone operating system. Bugs in the Java Virtual Machine and Nokia Series 40 OS have been found which can result in security breaches in Nokia’s Series 40 cell phones and allow access to sensitive data on the phone.

Gowdiak, a security expert on J2ME, has found two serious vulnerabilities in J2ME coming from Sun and used by Nokia in its Series 40 devices (use of such devices range in several hundred millions world-wide).

Gowdiak’s company, Security Explorations, has already informed Sun and Nokia about the vulnerabilities.

The security flaw results in complete bypass of security restrictions in J2ME allowing the cracker to silently conduct mischief on the mobile phone. Proof of concept code has been created to successfully perform the following:

• arbitrary SMS / MMS / WAP PUSH message sending
• establishing of arbitrary phone calls
• establishing of arbitrary internet connections
• full read and write access to the files stored on the device
• silent audio and video streams recording
• read and write access to the contacts database
• access to the phone’s SIM card
• persistent and stealth backdoor application installation on the phone with network operator or manufacturer privileges

Security Explorations say that only a phone number is needed to take advantage of the flaw by sending specially crafted SMS messages to the mobile phone. The security company also noted that since the Sun J2ME implementation is also referenced by other phone manufacturers, the total of vulnerable mobile phones can reach more than 1 billion. In Nokia alone, the total number of vulnerable models is more than 140.

As of this writing, not even mobile phone antivirus software can protect the affected cell phones which leaves them open to attack.

For more information you can visit the Security Explorations web site.