A Polish security researcher has claimed to have found multiple flaws in mobile Java, but is demanding €20,000 (£15,700) in return for full details of the vulnerabilities.
Adam Gowdiak, founder and chief executive of Security Explorations, has written on his website that he has created two proof-of-concept codes — stretching to over 14,000 lines — to attack vulnerabilities "affecting the implementation of mobile Java [J2ME] used by Sun and Nokia in their products". He has published the first few pages of his 178-page report, but will only reveal the rest if Nokia or Sun pay him €20,000.
On his website, Gowdiak stated he is taking this approach "to gather funds for creating a cutting-edge security research centre in Poland", adding: "It's [a] better approach than to beg a [venture capital] company for money." His overall funding target is €1m.
Gowdiak also appears to be a former employee of Sun, according to the biography on his site.
The research paper appears to include information on how to hack into a Nokia Series 40 handset and maliciously target functions such as phone information, SMS sending, audio and video recording, phone-book access and SIM-card access. According to Gowdiak, attackers could initiate phone calls or internet connections, or read and write to files stored on the device.
"Security Explorations successfully verified that Sun's implementation of mobile Java technology used in its latest version of Java Wireless Toolkit software is vulnerable to the discovered flaws," Gowdiak said in a statement, adding that an attacker needed only "a cell-phone number of a target device" in order to gain unauthorised access to "selected Nokia devices".
Gowdiak suggested that his unusual method of obtaining compensation for his research helps maintain "freedom with regard to the research we conduct". In the FAQ section of the Security Explorations website, the company claims not to be afraid of lawsuits because "if a given vendor prefers to throw money for lawyers instead of spending them to improve the security of their products, we can't do anything about it".
Sun was not able to provide comment on Gowdiak's claims at the time of writing on Tuesday, but Nokia issued a statement in which it confirmed it had received a vulnerability notice from Security Explorations.
"Nokia takes security very seriously at all phases of the mobile communications development process, and is investigating the allegations made using our normal processes and comprehensive testing," the statement read. "Nokia is committed to continuously develop its products and services offerings to ensure a positive user experience."
Security researchers who find vulnerabilities already have two outlets for selling them. Through its Zero Day Initiative, TippingPoint offers a bounty and awards programme to researchers who report bugs to the company, while VeriSign's iDefense Vulnerability Contributor Program offers up to $15,000 (£7,900) for "well-researched, high-impact" vulnerabilities.
