Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 12th, 2008

New J2ME Security Vulnerabilities Affect Nokia S40 Phones

An independent security research firm has announced several new mobile Java(J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine(JVM) on mobile phones and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and only run J2ME MIDlets.

The security research company has produced a 170+ page report on the vulnerabilities and a number of proof of concept(PoC) exploits. Usually when a researcher develops PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000(about $30,000) for early access to the research and malware. Generally after the release of vulnerability information, attackers will attempt to write exploits.

The reported vulnerabilities and exploits in the JVM could allow the running of untrusted Java MIDlets. After using those vulnerabilities, relatively recent phones running S40, 3rd edition are open to malicious MIDlets that exploit the others.

According to the researchers the vulnerabilities allow:

gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level

running a malicious MIDlet when the phone is first turned on

accessing files

sending SMS/MMS

making phone calls

reading your contacts

accessing the SIM card

eavesdropping using the camera and microphone

Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber which just cause premium rate charges. This is the first time that such phones have been vulnerable to more malicious malware.

Share this item with others:

More on CyberInsecure:
  • Hackers Have Cracked N-Gage Application, Alowing It To Run Pirated Games On Other Devices
  • Malware In Online Game For Mobile Phones Launders Money
  • Hackers Might Exploit Apple’s iCal Memory Corruption Vulnerability
  • Adobe Fixes Clickjacking Vulnerability In Flash Player 10
  • Inexpensive Equipment Tricks GSM Mobile Phones And Intercepts Calls

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New J2ME Security Vulnerabilities Affect Nokia S40 Phones

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.