Did Nokia pay for vulnerability information?

Company evasive on whether it paid Euro 20,000 to security researcher.

Nokia confirmed Thursday its widely used Series 40 operating system has security vulnerabilities that could allow stealth installation and activation of applications.

But the company is evasive on whether it paid Euro 20,000 (US$29,500) to researcher Adam Gowdiak of Security Explorations, who wanted payment for the six-month effort spent finding the flaws.

Gowdiak would not disclose if he was paid, but said that only reputable, vetted companies that pay would get the full research, which amounted to 180 pages and 14,000 lines of proof-of-concept code.

Nokia has a complete copy of Gowdiak's research, said Mark Durrant of Nokia's corporate communications.

The mobile giant's position could rekindle the debate among security professionals on whether voluntary research should be rewarded by vendors whose products are affected.

Vendors typically steer clear of paying researchers for vulnerability information and alternatively encourage what they term is "responsible disclosure," or a discrete notification before vulnerability information is made public. Vendors also don't want to be at the mercy of vulnerability hunters, who could threaten to turn information on a flaw over to hackers.

"It would be very easy for there to be an idea that you can hold companies to ransom," Durrant said. "The reality is he [Gowdiak] has done a significant amount of research, and clearly it's understandable he wants to find a way to monetize that."

Gowdiak, a researcher in Poland, said earlier this month he had found problems with Java 2 Micro Edition, (J2ME) an application framework for mobile devices, as well as the Series 40 OS. Nokia claims Series 40 is the mostly widely used mobile device platform.

Gowdiak has done research on the Java Virtual Machine and wrote on his Web site that he worked at one time for its developer, Sun Microsystems.

While details on the vulnerabilities are limited, Gowdiak has said an attack could be mounted by sending maliciously crafted messages to a particular phone number.

Nokia said some of its Series 40 products are vulnerable to an attack that could result in the secret installation of applications. The company said it has also found earlier versions of J2ME could allow privilege escalation or access to phone functions that should be restricted.

"Our testing has been concentrating on products that might have both of the claims present," according to a Nokia statement.

Nokia said it isn't aware of attacks against Series 40 devices, and the problems do not represent a "significant risk." Durrant said that conclusion is based on the fact the vulnerabilities are not yet public and it is difficult to execute an attack using the flaws.

"This requires deep technical skill," Durrant said. "This isn't something someone in a garage is going to be able to sort out in an afternoon. He's [Gowdiak's] clearly a smart guy."

Gowdiak said he provided Sun and Nokia on Aug. 7 with one- to two-page summaries of the vulnerabilities he found. Sun has indicated it will soon issue patches.

Gowdiak won't say if Sun paid for the full research. But Sun's intent to patch shows the company was able use the information that "we gave to them for free," he said.

"It wasn't that we tried to demand money from Sun and Nokia," Gowdiak said. "We didn't try to blackmail them."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags series 40

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?