We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Nokia admits security threat to Series 40 phones

Phone-maker silent on researcher's €20k demand

Nokia has admitted that its Series 40 operating system has security vulnerabilities, and has refused to rule out paying €20,000 to the researcher who exposed the flaws.

Adam Gowdiak of Security Explorations said earlier this month that he wanted payment for effort spent finding the flaws, which could allow stealth installation and activation of applications.

"For obvious reasons of security, we will not comment further on the detail of our activities with Security Explorations," said Nokia spokeswoman Kaisa Hirvensalo.

Gowdiak, a researcher in Poland, found problems with Java 2 Micro Edition, (J2ME) an application framework for mobile devices, as well as the Series 40 OS. Nokia claims Series 40 is the mostly widely used mobile device platform.

Gowdiak has done research on the Java Virtual Machine and wrote on his website that he worked at one time for its developer, Sun Microsystems.

Vendors typically steer clear of paying researchers for vulnerability information and alternatively encourage what they term is "responsible disclosure", or a discrete notification before vulnerability information is made public. Otherwise, users of a particular software are at risk while a vendor tries to develop a patch.

Nokia said some of its Series 40 products are vulnerable to an attack that could result in the secret installation of applications. The company said it has also found earlier versions of J2ME could allow privilege escalation or access to phone functions that should be restricted.

"Our testing has been concentrating on products that might have both of the claims present," according to a Nokia statement.

Nokia said it isn't aware of attacks against Series 40 devices, and the problems do not represent a "significant risk".

While details on the vulnerabilities are limited, Gowdiak has said an attack could be mounted by sending maliciously crafted messages to a particular phone number.

Gowdiak could not be immediately reached for comment.


IDG UK Sites

Where to buy iPhone 6 and iPhone 6 Plus in the UK: Launch day price, deals and contracts

IDG UK Sites

Is Apple losing confidence in itself?

IDG UK Sites

Professional photo and video techniques for perfect colours

IDG UK Sites

How (and where) to buy an iPhone 6 or iPhone 6 Plus in the UK. Plus: What to do if you pre-ordered...