J2ME Security Vulnerabilities Discovered
Monday August 11, 2008 at 8:14 am CST
Posted by Jimmy Shah
An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones, and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and run only J2ME MIDlets.
The reported vulnerabilities and exploits in the JVM could allow the running of untrusted Java MIDlets. After using those vulnerabilities, relatively recent phones running S40, 3rd edition are open to malicious MIDlets that exploit the others.
According to the researchers the vulnerabilities allow:
- gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
- running a malicious MIDlet when the phone is first turned on
- accessing files
- sending SMS/MMS
- making phone calls
- reading your contacts
- accessing the SIM card
- eavesdropping using the camera and microphone
Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesbe,r which cause just premium rate charges. This is the first time that such phones have been vulnerable to more malicious malware.
The security research company has produced a report of more than 170 pages on the vulnerabilities and a number of proof of concept(PoC) exploits. Usually when researchers develop PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and malware. After the release of vulnerability information, attackers will generally attempt to write exploits.