back to article 'I've cracked Nokia S40 security', claims researcher

A lone researcher claims to have discovered a raft of security issues with Nokia's mid-range handsets, allowing him to remotely install malicious applications with unprecedented capabilities - but he's asking for €20,000 for the details. The issues are apparently with Nokia's Series 40 platform - the proprietary OS and …

COMMENTS

This topic is closed for new posts.
  1. James Bassett

    Shot himself in the foot

    I can't help but feel that the guy has shot himself in the foot here. If we assume that he has ucovered a serious floor in several hundreds of millions of handsets, €20,000 seems a pittance. Lets face it, if Nokia does stump up the cash they will just share the costs with Sun and/or other interested parties and it's a drop in the ocean to such companies.

    On the other hand, he's now marked his card as an unethical hacker/blackmailer and €20k isn't going to get him very far. It's barely six months average wages!

    I can't help but think he would have been much better off setting up a company and "hiring" himself to Sun/Nokia as a "consultant" at some rediculously high rate. That way he gets a foot in the door, some decent cash AND maintains/improves his reputation.

    Unless, of course, he tried that, they told him to get lost and now he's getting desperate to make some money from his discovery.

  2. amanfromMars Silver badge
    Pirate

    Bear Traps and Honey Monsters?

    ‘'I've cracked Nokia S40 security', claims researcher’

    Hmmm. Maybe he's only cracked his own security and cannot really use what he claims ... at least not legally anyway.

  3. Mark

    Bad People...

    What if I were a bad person, would he accept 20,001 Euros from me for the info? I reckon if I can infect a couple of million handsets that dialed a premium rate number, just once, that would be a very sound investment...

  4. Webster Phreaky
    Jobs Halo

    Hmmm....

    So... remind me again why everyone thought Apple were crazy for NOT including Java support in the iPhone?

  5. Anonymous Coward
    Happy

    WEBSTER SUPPORTS APPLE?

    :-O

    ....unless it's an imposter, of course ;)

  6. amanfromMars Silver badge

    Russian Roulette if it's Vapourware, though.

    "He's not exactly pimping it to russian mobsters (that we know of) is he? He'd get more that way and no mistake...." ....By Andy Watt Posted Monday 11th August 2008 16:05 GMT

    Always a Plan B if it is worth anything, Andy.

  7. pctechxp

    The goose that laid the golden egg

    Nokia will be in no hurry to patch this as the operators wont want them to.

    Customer gets a 3 grand bill in the post and rings customer service.

    Customer: Why have I received a 3 grand bill?

    CS: because you voted in the [insert crap reality show name here] poll 2000 times at £1.50 each

    Customer: That's impossible, I don't even watch that show.

    CS: Our records show you did

    Customer: It must be a virus or this exploit I was reading about the other day.

    CS: What handset do you have?

    Customer: A Nokia 3510i

    CS: Oh yeah, we heard about that and Nokia told us it was impossible so you'll have to pay.

    Customer: But I didn't send those texts.

    CS: They came from YOUR handset so you must have.

    Customer: but I didn't

    CS: we'll be debiting the whole amount by direct debit in 14 days

    Customer: but you'll take me several times over my overdraft.

    CS: should have thought about that before voting

    Customer: but I didn't....

    CS: look pay up or we'll send the debt collectors round.

    Customer is so petrified that they take a loan out with a dodgy loan shark to pay their bill

    The same thing happens again the next month and the customer commits suicide.

    And all because Nokia and the operators were so greedy.

  8. Anonymous Coward
    Pirate

    Right of first refusal

    He's offered Nokia the opportunity to purchase the details of the security flaw first. This is "right of first refusal". They declined to purchase and at this point he should auction the information off to anyone who wishes to purchase it.

    What's the conversion rate between rubles and pounds anyway?

  9. Lance

    @Webster Phreaky

    And the iPhone is so secure. It is hacked as quickly as they release new firmware updates.

  10. Edwin

    WAP Push

    Hmmm - if it uses WAP Push, and if that requires an active WAP connection, then I'm not overly worried. Shame though - I've seen some great low-bandwidth WAP apps (such as british rail's trip planner)

  11. dervheid

    @ pctechxp

    Small flaw in your otherwise humorous scenario;

    "CS: we'll be debiting the whole amount by direct debit in 14 days"

    Should be followed by;

    "Intelligent customer contacts bank immediately to cancel D.D. arrangement"

  12. Anonymous Coward
    Black Helicopters

    @ dervheid

    While you can cancel a standing order @ any time, a direct debit can only be cancelled by the company to whom you signed over pillaging rights.

    Personally I refuse to allow this form of access to my (limited) funds and encourage others to avid them also.

    Icon, 'cos I'm a suspicious individual

  13. Duncan

    @AC

    Do some research before claiming things that are simply not true....

    "A direct debit can be cancelled at any time by the customer informing their bank or building society, usually in writing. It is also advisable to inform the supplier as well, but this is not obligatory as the bank or building society will also do it. "

    From http://www.bacs.co.uk/BACS/Consumers/Direct+Debit/Your+rights/

    "You can cancel a Direct Debit at any time by contacting your bank or building society. We also recommend you notify the organisation concerned."

    I have cancelled several direct debits in the past.

  14. John Hughes
    Dead Vulture

    @dervheid

    "Intelligent customer contacts bank immediately to cancel D.D. arrangement"

    followed by

    "Idiot bank forgets to do it, denies ever receiving the request to cancel and slaps you with massive penalty charges".

    Like banks are any more trustworthy than phone companies.

  15. Anonymous Coward
    Anonymous Coward

    Cancelling DD

    As part of the direct debit agreement, you can cancel any DD by writing to your bank. Or, in the case of HSBC, by doing it via your online banking.

    The contract you have with the company is likely still valid though, so you're still liable to pay.

  16. dervheid

    @ Duncan

    Spot on.

    Going back to my point, the truly intelligent customer will actually already have cancelled the direct debit upon receipt of the "3 Grand Bill" and prior to the "rings customer service".

    I'd rather run the risk of being cut-off by the phone company whilst we argue over the bill, with the 3K still in MY account than let be in the position of trying to get it back from THEM.

  17. Anonymous Coward
    Dead Vulture

    Nnnnoooooo

    and to think I gave up details to M$ of how to gain Administrator access to Vista systems for free.

    Somebody shoot me...

  18. JC
    IT Angle

    am I missing something?

    Sorry if I sound stoopid, not a phone expert, but isn't this kind of like Blooover?

    I've used it before and managed to obtain the contents of colleagues/friends mobiles (obviously with their knowledge) via bluetooth (which they need to have active on their phone at the time), without them being prompted for authorisation etc, and i'm sure that Blooover II supports object transfer using obex... So is this guys claims based on a similar app????

  19. pctechxp

    cancelling DD

    most banks allow you to do it via online banking but remember this could knacker your credit rating which would affect chances of getting a mortgage, another phone contract, whatever.

This topic is closed for new posts.

Other stories you might like