Hate to say We Told You So

Our favorite IT rag reports that (shock, horror) the WAP-Push mechanism used by mobile network operators to push software updates to phones does indeed leave phones vulnerable to remote exploitation, as BitDefender security researchers (and others) have suggested for years.

The “discovery” of the issue is credited to hacker Adam Gordiak, who is using his website to publish the existence of the flaw and demands, in tried-and-true movie-villain fashion, TWENTY THOUSAND EUROS for revealing the flaw to the first taker. Apparently his company succeeded in exploiting Nokia smartphones running the Symbian Series 40 OS – the issues mentioned range from the aforementioned WAP-Push design flaw to “a reliable MIDP 2.0 privilege elevation technique for Nokia Series 40 devices”.

This is a big thing indeed if true, as it means that the complicated (and so far effective) application signing infrastructure that has kept the phones secure until now can in fact be bypassed. Up until now, only signed applications could be run on Symbian Series 40 phones, which meant that only someone with a valid developer license from Symbian could install software on the devices.

Mr Gordiak also claims to have found a couple of vulnerabilities in Sun’s Java Virtual Machine, a software environment that is in use with other types of smartphones as well. All in all, he’s trying to sell a remote exploitation toolkit for Nokia smartphones, complete with documentation.

Speaking of types, it will be interesting to find out whether the hack is in some way related to a hardware bug and thus Nokia-specific, as the website seems to suggest, or whether Mr Gordiak is simply trying to hold just one phone manufacturer at a time to ransom.

About the author

Răzvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest, where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.