Hate to say We Told You So

The “discovery” of the issue is credited to hacker Adam Gordiak who is using his website to publish the existence of the flaw and demands, in true-and-tried movie-villain fashion, TWENTY THOUSAND EUROS for revealing the flaw to the first taker. Apparently his company succeeded in exploiting Nokia smartphones running the Symbian Series 40 OS – the issues mentioned range from the aforementioned WAP-Push design flaw to “a reliable MIDP 2.0 privilege elevation technique for Nokia Series 40 devices”.

This is a big thing indeed if true, as it means that the complicated (and so far effective) application signing infrastructure that has kept the phones secure until now can in fact be bypassed. Up until now, only signed applications could be run on Symbian Series40 phones, which meant that only someone with a valid developer license from Symbian could install software on the devices.

Mr Gordiak also claims to have found a couple of vulnerabilities in Sun’s Java Virtual Machine, a software environment
that is in use with other types of smartphones as well. All in all, he’s trying to sell a remote exploitation toolkit for Nokia smartphones, complete with documentation.

Speaking of types, it will be interesting to find out if the hack is in someway related to a hardware bug and thus Nokia-specific, as the website seems to suggest, or if Mr Gordiak is simply trying to hold just one phone manufacturing company at a time up for ransom.