Did Nokia pay for vulnerability information?

Company evasive on whether it paid Euro 20,000 to security researcher.

Nokia confirmed Thursday its widely used Series 40 operating system has security vulnerabilities that could allow stealth installation and activation of applications.

But the company is evasive on whether it paid Euro 20,000 (US$29,500) to researcher Adam Gowdiak of Security Explorations, who wanted payment for the six-month effort spent finding the flaws.

Gowdiak would not disclose if he was paid, but said that only reputable, vetted companies that pay would get the full research, which amounted to 180 pages and 14,000 lines of proof-of-concept code.

Nokia has a complete copy of Gowdiak's research, said Mark Durrant of Nokia's corporate communications.

The mobile giant's position could rekindle the debate among security professionals on whether voluntary research should be rewarded by vendors whose products are affected.

Vendors typically steer clear of paying researchers for vulnerability information and alternatively encourage what they term is "responsible disclosure," or a discrete notification before vulnerability information is made public. Vendors also don't want to be at the mercy of vulnerability hunters, who could threaten to turn information on a flaw over to hackers.

"It would be very easy for there to be an idea that you can hold companies to ransom," Durrant said. "The reality is he [Gowdiak] has done a significant amount of research, and clearly it's understandable he wants to find a way to monetize that."

Gowdiak, a researcher in Poland, said earlier this month he had found problems with Java 2 Micro Edition, (J2ME) an application framework for mobile devices, as well as the Series 40 OS. Nokia claims Series 40 is the mostly widely used mobile device platform.

Gowdiak has done research on the Java Virtual Machine and wrote on his Web site that he worked at one time for its developer, Sun Microsystems.

While details on the vulnerabilities are limited, Gowdiak has said an attack could be mounted by sending maliciously crafted messages to a particular phone number.

Nokia said some of its Series 40 products are vulnerable to an attack that could result in the secret installation of applications. The company said it has also found earlier versions of J2ME could allow privilege escalation or access to phone functions that should be restricted.

"Our testing has been concentrating on products that might have both of the claims present," according to a Nokia statement.

Nokia said it isn't aware of attacks against Series 40 devices, and the problems do not represent a "significant risk." Durrant said that conclusion is based on the fact the vulnerabilities are not yet public and it is difficult to execute an attack using the flaws.

"This requires deep technical skill," Durrant said. "This isn't something someone in a garage is going to be able to sort out in an afternoon. He's [Gowdiak's] clearly a smart guy."

Gowdiak said he provided Sun and Nokia on Aug. 7 with one- to two-page summaries of the vulnerabilities he found. Sun has indicated it will soon issue patches.

Gowdiak won't say if Sun paid for the full research. But Sun's intent to patch shows the company was able use the information that "we gave to them for free," he said.

"It wasn't that we tried to demand money from Sun and Nokia," Gowdiak said. "We didn't try to blackmail them."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags series 40

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?