A lone researcher claims to have discovered a raft of security issues with Nokia's mid-range handsets, allowing him to remotely install malicious applications with unprecedented capabilities - but he's asking for €20,000 for the details. The issues are apparently with Nokia's Series 40 platform - the proprietary OS and …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Monday 11th August 2008 15:19 GMT James Bassett

Shot himself in the foot

I can't help but feel that the guy has shot himself in the foot here. If we assume that he has ucovered a serious floor in several hundreds of millions of handsets, €20,000 seems a pittance. Lets face it, if Nokia does stump up the cash they will just share the costs with Sun and/or other interested parties and it's a drop in the ocean to such companies.

On the other hand, he's now marked his card as an unethical hacker/blackmailer and €20k isn't going to get him very far. It's barely six months average wages!

I can't help but think he would have been much better off setting up a company and "hiring" himself to Sun/Nokia as a "consultant" at some rediculously high rate. That way he gets a foot in the door, some decent cash AND maintains/improves his reputation.

Unless, of course, he tried that, they told him to get lost and now he's getting desperate to make some money from his discovery.

0 0
Monday 11th August 2008 15:32 GMT amanfromMars

Bear Traps and Honey Monsters?

‘'I've cracked Nokia S40 security', claims researcher’

Hmmm. Maybe he's only cracked his own security and cannot really use what he claims ... at least not legally anyway.

0 0
Monday 11th August 2008 15:32 GMT Mark

Bad People...

What if I were a bad person, would he accept 20,001 Euros from me for the info? I reckon if I can infect a couple of million handsets that dialed a premium rate number, just once, that would be a very sound investment...

0 0
Monday 11th August 2008 15:56 GMT Webster Phreaky

Hmmm....

So... remind me again why everyone thought Apple were crazy for NOT including Java support in the iPhone?

0 0
Monday 11th August 2008 16:17 GMT Anonymous Coward

WEBSTER SUPPORTS APPLE?

:-O

....unless it's an imposter, of course ;)

0 0
Monday 11th August 2008 17:05 GMT amanfromMars

Russian Roulette if it's Vapourware, though.

"He's not exactly pimping it to russian mobsters (that we know of) is he? He'd get more that way and no mistake...." ....By Andy Watt Posted Monday 11th August 2008 16:05 GMT

Always a Plan B if it is worth anything, Andy.

0 0
Monday 11th August 2008 20:07 GMT pctechxp

The goose that laid the golden egg

Nokia will be in no hurry to patch this as the operators wont want them to.

Customer gets a 3 grand bill in the post and rings customer service.

Customer: Why have I received a 3 grand bill?

CS: because you voted in the [insert crap reality show name here] poll 2000 times at £1.50 each

Customer: That's impossible, I don't even watch that show.

CS: Our records show you did

Customer: It must be a virus or this exploit I was reading about the other day.

CS: What handset do you have?

Customer: A Nokia 3510i

CS: Oh yeah, we heard about that and Nokia told us it was impossible so you'll have to pay.

Customer: But I didn't send those texts.

CS: They came from YOUR handset so you must have.

Customer: but I didn't

CS: we'll be debiting the whole amount by direct debit in 14 days

Customer: but you'll take me several times over my overdraft.

CS: should have thought about that before voting

Customer: but I didn't....

CS: look pay up or we'll send the debt collectors round.

Customer is so petrified that they take a loan out with a dodgy loan shark to pay their bill

The same thing happens again the next month and the customer commits suicide.

And all because Nokia and the operators were so greedy.

0 0
Monday 11th August 2008 22:48 GMT Anonymous Coward

Right of first refusal

He's offered Nokia the opportunity to purchase the details of the security flaw first. This is "right of first refusal". They declined to purchase and at this point he should auction the information off to anyone who wishes to purchase it.

What's the conversion rate between rubles and pounds anyway?

0 0
Tuesday 12th August 2008 09:03 GMT Lance

@Webster Phreaky

And the iPhone is so secure. It is hacked as quickly as they release new firmware updates.

0 0
Tuesday 12th August 2008 09:03 GMT Edwin

WAP Push

Hmmm - if it uses WAP Push, and if that requires an active WAP connection, then I'm not overly worried. Shame though - I've seen some great low-bandwidth WAP apps (such as british rail's trip planner)

0 0
Tuesday 12th August 2008 09:09 GMT dervheid

@ pctechxp

Small flaw in your otherwise humorous scenario;

"CS: we'll be debiting the whole amount by direct debit in 14 days"

Should be followed by;

"Intelligent customer contacts bank immediately to cancel D.D. arrangement"

0 0
Tuesday 12th August 2008 12:41 GMT Anonymous Coward

@ dervheid

While you can cancel a standing order @ any time, a direct debit can only be cancelled by the company to whom you signed over pillaging rights.

Personally I refuse to allow this form of access to my (limited) funds and encourage others to avid them also.

Icon, 'cos I'm a suspicious individual

0 0
Tuesday 12th August 2008 13:19 GMT Duncan

@AC

Do some research before claiming things that are simply not true....

"A direct debit can be cancelled at any time by the customer informing their bank or building society, usually in writing. It is also advisable to inform the supplier as well, but this is not obligatory as the bank or building society will also do it. "

From http://www.bacs.co.uk/BACS/Consumers/Direct+Debit/Your+rights/

"You can cancel a Direct Debit at any time by contacting your bank or building society. We also recommend you notify the organisation concerned."

I have cancelled several direct debits in the past.

0 0
Tuesday 12th August 2008 13:28 GMT John Hughes

@dervheid

"Intelligent customer contacts bank immediately to cancel D.D. arrangement"

followed by

"Idiot bank forgets to do it, denies ever receiving the request to cancel and slaps you with massive penalty charges".

Like banks are any more trustworthy than phone companies.

0 0
Tuesday 12th August 2008 13:32 GMT Anonymous Coward

Cancelling DD

As part of the direct debit agreement, you can cancel any DD by writing to your bank. Or, in the case of HSBC, by doing it via your online banking.

The contract you have with the company is likely still valid though, so you're still liable to pay.

0 0
Tuesday 12th August 2008 13:48 GMT dervheid

@ Duncan

Spot on.

Going back to my point, the truly intelligent customer will actually already have cancelled the direct debit upon receipt of the "3 Grand Bill" and prior to the "rings customer service".

I'd rather run the risk of being cut-off by the phone company whilst we argue over the bill, with the 3K still in MY account than let be in the position of trying to get it back from THEM.

0 0
Tuesday 12th August 2008 16:06 GMT Anonymous Coward

Nnnnoooooo

and to think I gave up details to M$ of how to gain Administrator access to Vista systems for free.

Somebody shoot me...

0 0
Wednesday 13th August 2008 12:26 GMT JC

am I missing something?

Sorry if I sound stoopid, not a phone expert, but isn't this kind of like Blooover?

I've used it before and managed to obtain the contents of colleagues/friends mobiles (obviously with their knowledge) via bluetooth (which they need to have active on their phone at the time), without them being prompted for authorisation etc, and i'm sure that Blooover II supports object transfer using obex... So is this guys claims based on a similar app????

0 0
Wednesday 13th August 2008 19:05 GMT pctechxp

cancelling DD

most banks allow you to do it via online banking but remember this could knacker your credit rating which would affect chances of getting a mortgage, another phone contract, whatever.

0 0