The flaws are difficult to exploit because malicious programs must be tailored to a specific model of cell phone, said Adam Gowdiak, a 29-year-old security researcher with the Poznan Supercomputing and Networking Center who discovered the vulnerabilities. He figured out how to attack a Nokia 6310i mobile phone, but the effort took four months, he said in a Friday posting to the BugTraq vulnerability mailing list.
Before the vulnerabilities could be exploited, a phone user would have to download and run a malicious Java program, called a midlet, Gowdiak said in an e-mail interview. He's not aware of a way to automate an attack.
He notified Sun of the vulnerabilities in August, and the company said it sent Java licensees a patched version of the vulnerable component, called the Java bytecode verifier, within two weeks.
"We have not seen any attempts to exploit this vulnerability, but if there is one, the user can simply delete...the applications they downloaded from an untrusted source," said Eric Chu, Sun's director of marketing for the Java 2 Micro Edition, or J2ME, software.
But in an October talk at the Hack in the Box conference in Malaysia, Gowdiak said the situation should be taken seriously. "Vendors and (the) antivirus industry are not prepared for this kind of threat," he said in his presentation. "It should be expected that remote vulnerabilities for mobile devices will be published within the next six months."
Sun didn't publish the vulnerabilities, instead choosing to let the cell phone makers notify their customers. "We don't have a relationship with the end consumer," Chu said.
Java, which lets programs such as video games run on many different cell phones, has grown common. Sun estimates that more than 570 million Java-enabled handsets will have been sold by the end of 2004, and one in three handsets is equipped with Java. Hundreds of cell phone service providers rely on J2ME to sell ring tones, games and other downloads.
Sophisticated mobile devices are growing more important. According to the Meta Group, roughly two-thirds of all businesses and organizations will deploy mobile data services by 2007. Mobile e-mail will top the application list, with half of organizations launching a wireless e-mail system within three years and 75 percent in four years.
The vulnerability disclosure comes on the eve of CTIA Wireless I.T. & Entertainment 2004, a cell phone trade show in San Francisco, where Java will support many new services to be unveiled.