Adam Gowdiak made a name for himself in the J2ME community in 2004, by publishing at the Hack-In-The-Box conference a paper about a nice attack on a Nokia device, based on a flaw he found in the bytecode verifier used at the time. He is back in the news this summer, with an undisclosed hack that allows him to take control of Nokia phones of the S40 series, and to run applications with all possible privileges. Nokia has acknowledged the problem, as well as Sun, who are preparing a fix.
I cannot tell you much more about this hack, because Gowdiak asks for 20,000€ to get detailed information. However, based on the little information available, my personal guess is that the main problem is situated somewhere in the application manager. There are several reasons for that:
- First, the virtual machine is starting to be quite robust (Gowdiak has actually participated in that effort), and there have been significant reviews of the latest bytecode verifier. So, I would not say that the basic Java security features are broken.
- Then, the flaw appears to be in the management of permissions, allowing an untrusted application to run and/or be recognized as a manufacturer application (the most privileged kind of application). This is typically part of the application manager.
- Finally, Adam Gowdiak claims that his attack is likely to work on other devices based on Sun’s reference implementation (RI) of Java ME. It therefore means that part of the exploitation is in the portable part, and also that part of the attack is in the device-specific part.
There are many ways to achieve such a feat, depending on the kind of attack that one is ready to perform:
- The device’s security policy may be stored in a file. In that case, the security of Java relies on the security of the underlying file system.
- Application descriptors have to be stored somewhere. If the application manager does not check their consistency regularly, they could be modified.
- Application code is also stored somewhere. It is not supposed to be modified, but consistency checks are expensive.
- There are usually plenty of debugging features in a platform that could be activated and used maliciously.
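The second and third points above are about the integrity of what the application manager keeps in storage: the descriptor that declares an application's permissions and the code itself. As an added example (not code from the original post, and not Nokia's or Sun's application manager), here is the kind of consistency check a platform can record at install time and re-run at launch. It assumes a hypothetical application manager that stores, per installed suite, the security domain it was granted, the JAD descriptor text and the JAR bytes, and that owns a secret key no MIDlet can read; the descriptor and JAR below are constructed samples, using the standard MIDP 2.0 attribute names.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample descriptor and JAR (not a real suite). The JAD format
# is the MIDP "Attribute: value" line format with the standard MIDP 2.0
# attribute names.
SAMPLE_JAD = """MIDlet-Name: DemoSuite
MIDlet-Vendor: Example Vendor
MIDlet-Version: 1.0
MIDlet-Jar-URL: DemoSuite.jar
MIDlet-Jar-Size: 12
MIDlet-Permissions: javax.microedition.io.Connector.http
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
"""
SAMPLE_JAR = b"PK\x03\x04demojar!"  # 12 bytes: a ZIP signature plus filler


@dataclass
class AppRecord:
    """What the hypothetical application manager stores per installed suite."""
    name: str
    domain: str        # security domain granted at install time (assumption)
    jad_text: str      # the descriptor as stored on the device
    jar_bytes: bytes   # the application code as stored on the device
    seal: str = ""     # HMAC recorded at install time


def parse_jad(text):
    """Parse a JAD descriptor into a dict of attribute -> value."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue               # blank or malformed line
        key, value = line.split(":", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def seal(key, rec):
    """HMAC-SHA256 over domain, descriptor and code, each length-prefixed
    so that field boundaries cannot be shifted without changing the tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (rec.domain.encode(), rec.jad_text.encode(), rec.jar_bytes):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.hexdigest()


def install(key, name, domain, jad_text, jar_bytes):
    """Install-time path: sanity-check the descriptor, then record the seal."""
    attrs = parse_jad(jad_text)
    if attrs.get("MIDlet-Jar-Size") != str(len(jar_bytes)):
        raise ValueError("MIDlet-Jar-Size does not match the JAR actually stored")
    rec = AppRecord(name, domain, jad_text, jar_bytes)
    rec.seal = seal(key, rec)
    return rec


def launch_allowed(key, rec):
    """Launch-time path: refuse to run if any stored field changed since install."""
    return hmac.compare_digest(seal(key, rec), rec.seal)


def demo():
    """Exercise the intact case and several kinds of post-install modification."""
    key = b"constructed-device-secret-not-readable-by-midlets"
    rec = install(key, "DemoSuite", "untrusted", SAMPLE_JAD, SAMPLE_JAR)
    results = {"intact": launch_allowed(key, rec)}

    # Stored descriptor edited to claim an extra permission
    rec.jad_text = SAMPLE_JAD.replace(
        "Connector.http", "Connector.http, javax.microedition.io.Connector.sms")
    results["descriptor_modified"] = launch_allowed(key, rec)
    rec.jad_text = SAMPLE_JAD

    # Stored domain field changed to the most privileged one
    rec.domain = "manufacturer"
    results["domain_escalated"] = launch_allowed(key, rec)
    rec.domain = "untrusted"

    # One byte of stored application code changed
    rec.jar_bytes = SAMPLE_JAR[:-1] + b"?"
    results["code_modified"] = launch_allowed(key, rec)
    rec.jar_bytes = SAMPLE_JAR

    # A descriptor whose size attribute disagrees with the JAR is refused at install
    try:
        install(key, "Bad", "untrusted",
                SAMPLE_JAD.replace("Size: 12", "Size: 99"), SAMPLE_JAR)
        results["size_mismatch_rejected"] = False
    except ValueError:
        results["size_mismatch_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The seal binds the granted domain, the descriptor and the code into one tag, so editing any of the three in storage (a permission added to the descriptor, the domain field changed, a byte of code replaced) is caught before the suite runs, and the size attribute is reconciled with the stored JAR at install time rather than trusted. Recomputing one HMAC over a JAR at launch is cheap next to loading and verifying its classes, which is the answer to the "consistency checks are expensive" objection; what the scheme cannot protect is the key itself, which must live somewhere a MIDlet (or a debugging interface) cannot read.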
Exploitation of such vulnerabilities is usually surprisingly easy. Once you have access to all privileges, it is quite easy to write applications that do bad things. The last thing that an attacker would need is a way to push applications without warning the user, and this could be feasible with manufacturer privileges (after all, it is practical for a manufacturer to do that). Once again, I can’t say if it is the case with this particular attack.
About Nokia, I am a bit sad that they get busted here, because they are among the good guys in terms of mobile security. I guess that this kind of publicity is the price to pay for being the world leader. The S40 platform is a bit like the Windows of mobile phones, and breaking it is more interesting than breaking any other phone platform. Also, the reaction from Nokia, as mentioned by the Register, “we do not currently believe these issues represent a significant risk to customers’ devices”, is a bit surprising, especially if we consider the definition of the issue by the same Register, “a miscreant exploiting them could do whatever they like to a Series 40 phone just by knowing the phone number”.
Finally, a note about Adam Gowdiak’s job. He did very good work in finding these flaws, and he is in trouble getting paid for it. I hope that Nokia, Sun, and others have paid the fee he asks for (which is not that big), but this remains an issue. I don’t know how much time Adam Gowdiak has spent on preparing this attack, but I am not sure that such work would be feasible in a consultancy mode. I have been involved in many security evaluations, and you don’t go very far for 20,000€. A complete security review of the S40 platform would cost many times that, and it is not that easy to find experts of Adam’s caliber. Nevertheless, the good old consultancy scheme presents some advantages for manufacturers. For instance, we at Trusted Labs have found many vulnerabilities on devices ranging from smart cards to payment terminals and mobile phones (including Java ME), but you have not heard about them, and you won’t hear about them any time soon, because all our work is performed under strong non-disclosure agreements.
Adam Gowdiak has acted responsibly by not posting any details and/or exploit code publicly. I am sure that most S40 phone owners never update their platform, so any flaw identified on such a platform is likely to stay around for years on millions of devices. Nevertheless, it is only a question of time before some bad guy gets the details of this attack: either through Adam directly (20,000€ is not that much, and some bad guys are very good at social engineering, for instance for posing as a manufacturer); or through an accomplice at a manufacturer; or even by rebuilding the attack as more and more information gets leaked.
When that happens, it will be interesting to see if it triggers a wave of malicious Java applications and other attacks on S40 devices. Only time will tell.